kubernetes-sigs
diff --git a/‎apis/gateway/v1beta1/listenerruleconfig_types.go‎
Lines changed: 10 additions & 5 deletions b/‎apis/gateway/v1beta1/listenerruleconfig_types.go‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎apis/gateway/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 12 additions & 7 deletions b/‎apis/gateway/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎config/crd/gateway/gateway-crds.yaml‎
Lines changed: 8 additions & 6 deletions b/‎config/crd/gateway/gateway-crds.yaml‎
Lines changed: 8 additions & 6 deletions
diff --git a/‎config/crd/gateway/gateway.k8s.aws_listenerruleconfigurations.yaml‎
Lines changed: 8 additions & 6 deletions b/‎config/crd/gateway/gateway.k8s.aws_listenerruleconfigurations.yaml‎
Lines changed: 8 additions & 6 deletions
diff --git a/‎controllers/gateway/eventhandlers/secret_events.go‎
Lines changed: 86 additions & 0 deletions b/‎controllers/gateway/eventhandlers/secret_events.go‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎controllers/gateway/gateway_class_controller.go‎
Lines changed: 2 additions & 1 deletion b/‎controllers/gateway/gateway_class_controller.go‎
Lines changed: 2 additions & 1 deletion
@@ -116,12 +116,10 @@ type FixedResponseActionConfig struct {
 	MessageBody *string `json:"messageBody,omitempty"`
 }
 
-// Secret holds OAuth 2.0 clientID and clientSecret. You need to create this secret and provide its name and namespace
+// Secret holds OAuth 2.0 clientID and clientSecret. You need to create this secret and provide its name
 type Secret struct {
 	// Name is name of the secret
 	Name string `json:"name"`
-	// Namespace is namespace of secret. If empty it will be considered to be in same namespace as of the resource referring it
-	Namespace *string `json:"namespace,omitempty"`
 }
 
 // Information about an authenticate-cognito action
@@ -220,7 +218,7 @@ type AuthenticateOidcActionConfig struct {
 	// +kubebuilder:default=604800
 	// +kubebuilder:validation:Minimum=1
 	// +kubebuilder:validation:Maximum=604800
-	SessionTimeout *int32 `json:"sessionTimeout,omitempty"`
+	SessionTimeout *int64 `json:"sessionTimeout,omitempty"`
 
 	// Indicates whether to use the existing client secret when modifying a listener rule. If
 	// you are creating a listener rule, you can omit this parameter or set it to false.
@@ -294,10 +292,17 @@ type ListenerRuleConfigurationSpec struct {
 
 // ListenerRuleConfigurationStatus defines the observed state of ListenerRuleConfiguration
 type ListenerRuleConfigurationStatus struct {
-
 	// The observed generation of the rule configuration
 	// +optional
 	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`
+
+	// Accepted indicates whether ListenerRuleConfiguration is valid
+	// +optional
+	Accepted *bool `json:"accepted,omitempty"`
+
+	// Message provides details about the current state
+	// +optional
+	Message *string `json:"message,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 
@@ -166,11 +166,6 @@ spec:
                             name:
                               description: Name is name of the secret
                               type: string
-                            namespace:
-                              description: Namespace is namespace of secret. If empty
-                                it will be considered to be in same namespace as of
-                                the resource referring it
-                              type: string
                           required:
                           - name
                           type: object
@@ -185,7 +180,7 @@ spec:
                           description: |-
                             The maximum duration of the authentication session, in seconds. The default is
                             604800 seconds (7 days).
-                          format: int32
+                          format: int64
                           maximum: 604800
                           minimum: 1
                           type: integer
@@ -377,6 +372,13 @@ spec:
             description: ListenerRuleConfigurationStatus defines the observed state
               of ListenerRuleConfiguration
             properties:
+              accepted:
+                description: Accepted indicates whether ListenerRuleConfiguration
+                  is valid
+                type: boolean
+              message:
+                description: Message provides details about the current state
+                type: string
               observedGeneration:
                 description: The observed generation of the rule configuration
                 format: int64
 
@@ -167,11 +167,6 @@ spec:
                             name:
                               description: Name is name of the secret
                               type: string
-                            namespace:
-                              description: Namespace is namespace of secret. If empty
-                                it will be considered to be in same namespace as of
-                                the resource referring it
-                              type: string
                           required:
                           - name
                           type: object
@@ -186,7 +181,7 @@ spec:
                           description: |-
                             The maximum duration of the authentication session, in seconds. The default is
                             604800 seconds (7 days).
-                          format: int32
+                          format: int64
                           maximum: 604800
                           minimum: 1
                           type: integer
@@ -378,6 +373,13 @@ spec:
             description: ListenerRuleConfigurationStatus defines the observed state
               of ListenerRuleConfiguration
             properties:
+              accepted:
+                description: Accepted indicates whether ListenerRuleConfiguration
+                  is valid
+                type: boolean
+              message:
+                description: Message provides details about the current state
+                type: string
               observedGeneration:
                 description: The observed generation of the rule configuration
                 format: int64
 
@@ -0,0 +1,86 @@
+package eventhandlers
+
+import (
+	"context"
+	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/routeutils"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/workqueue"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+)
+
+// NewEnqueueRequestsForSecretEvent constructs new enqueueRequestsForSecretEvent.
+func NewEnqueueRequestsForSecretEvent(listenerRuleConfigEventChan chan<- event.TypedGenericEvent[*elbv2gw.ListenerRuleConfiguration],
+	k8sClient client.Client, eventRecorder record.EventRecorder, logger logr.Logger) handler.TypedEventHandler[*corev1.Secret, reconcile.Request] {
+	return &enqueueRequestsForSecretEvent{
+		listenerRuleConfigEventChan: listenerRuleConfigEventChan,
+		k8sClient:                   k8sClient,
+		eventRecorder:               eventRecorder,
+		logger:                      logger,
+	}
+}
+
+var _ handler.TypedEventHandler[*corev1.Secret, reconcile.Request] = (*enqueueRequestsForSecretEvent)(nil)
+
+type enqueueRequestsForSecretEvent struct {
+	listenerRuleConfigEventChan chan<- event.TypedGenericEvent[*elbv2gw.ListenerRuleConfiguration]
+	k8sClient                   client.Client
+	eventRecorder               record.EventRecorder
+	logger                      logr.Logger
+}
+
+func (h *enqueueRequestsForSecretEvent) Create(ctx context.Context, e event.TypedCreateEvent[*corev1.Secret], _ workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+	//No-Op : We will only start monitoring secret events after they have been created and associated with gateway specific resources. We don't watch cluster-wide secret events.
+}
+
+func (h *enqueueRequestsForSecretEvent) Update(ctx context.Context, e event.TypedUpdateEvent[*corev1.Secret], _ workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+	secretOld := e.ObjectOld
+	secretNew := e.ObjectNew
+
+	// we only care below update event:
+	//	1. Secret data updates
+	//	2. Secret deletions
+	if equality.Semantic.DeepEqual(secretOld.Data, secretNew.Data) &&
+		equality.Semantic.DeepEqual(secretOld.DeletionTimestamp.IsZero(), secretNew.DeletionTimestamp.IsZero()) {
+		return
+	}
+	h.logger.V(1).Info("enqueue secret update event", "secret", secretNew.Name)
+	h.enqueueImpactedListenerRulesConfigs(ctx, secretNew)
+}
+
+func (h *enqueueRequestsForSecretEvent) Delete(ctx context.Context, e event.TypedDeleteEvent[*corev1.Secret], _ workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+	secretOld := e.Object
+	h.logger.V(1).Info("enqueue secret delete event", "secret", secretOld.Name)
+	h.enqueueImpactedListenerRulesConfigs(ctx, secretOld)
+}
+
+func (h *enqueueRequestsForSecretEvent) Generic(ctx context.Context, e event.TypedGenericEvent[*corev1.Secret], _ workqueue.TypedRateLimitingInterface[reconcile.Request]) {
+	secretObj := e.Object
+	h.logger.V(1).Info("enqueue secret generic event", "secret", secretObj.Name)
+	h.enqueueImpactedListenerRulesConfigs(ctx, secretObj)
+}
+
+func (h *enqueueRequestsForSecretEvent) enqueueImpactedListenerRulesConfigs(ctx context.Context, secret *corev1.Secret) {
+	listenerRuleCfgList, err := routeutils.FilterListenerRuleConfigBySecret(ctx, h.k8sClient, secret)
+	if err != nil {
+		h.logger.Error(err, "failed to fetch listener rule configs referring to secret", "secret", k8s.NamespacedName(secret))
+		return
+	}
+
+	for _, listenerRuleCfg := range listenerRuleCfgList {
+		h.logger.V(1).Info("enqueue listenerRuleCfg for secret event",
+			"secret", k8s.NamespacedName(secret),
+			"listenerRuleCfg", k8s.NamespacedName(listenerRuleCfg))
+		h.listenerRuleConfigEventChan <- event.TypedGenericEvent[*elbv2gw.ListenerRuleConfiguration]{
+			Object: listenerRuleCfg,
+		}
+	}
+}
@@ -6,6 +6,7 @@ import (
 	"github.com/go-logr/logr"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
 	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
 	gatewayclasseventhandlers "sigs.k8s.io/aws-load-balancer-controller/controllers/gateway/eventhandlers/gatewayclass"
@@ -62,7 +63,7 @@ type gatewayClassReconciler struct {
 	gatewayResolverFn           func(ctx context.Context, k8sClient client.Client, gwClass *gwv1.GatewayClass) ([]*gwv1.Gateway, error)
 }
 
-func (r *gatewayClassReconciler) SetupWatches(_ context.Context, ctrl controller.Controller, mgr ctrl.Manager) error {
+func (r *gatewayClassReconciler) SetupWatches(_ context.Context, ctrl controller.Controller, mgr ctrl.Manager, _ *kubernetes.Clientset) error {
 
 	gwClassEventChan := make(chan event.TypedGenericEvent[*gwv1.GatewayClass])
 	lbEventHandler := gatewayclasseventhandlers.NewEnqueueRequestsForLoadBalancerConfigurationEvent(gwClassEventChan, r.k8sClient, r.eventRecorder, r.enabledControllers, r.logger)