add validation to ensure it is really an ALB gateway

zac-nixon · zac-nixon · commit 76da6d4c343a · 2025-11-04T08:47:34.000-08:00
diff --git a/pkg/deploy/stack_deployer.go b/pkg/deploy/stack_deployer.go
@@ -122,9 +122,7 @@ func (d *defaultStackDeployer) Deploy(ctx context.Context, stack core.Stack, met
 
 	if d.enableFrontendNLB {
 		var desiredFENLBState []*elbv2model.FrontendNlbTargetGroupDesiredState
-		err := stack.ListResources(&desiredFENLBState)
-		d.logger.Info(fmt.Sprintf("Got this result!!! %+v %+v", desiredFENLBState, err))
-
+		stack.ListResources(&desiredFENLBState)
 		var frontendNLBState *elbv2model.FrontendNlbTargetGroupDesiredState
 		if len(desiredFENLBState) == 1 {
 			frontendNLBState = desiredFENLBState[0]
diff --git a/pkg/gateway/routeutils/backend_gateway.go b/pkg/gateway/routeutils/backend_gateway.go
@@ -14,6 +14,7 @@ import (
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
+	"strings"
 )
 
 var _ TargetGroupConfigurator = &GatewayBackendConfig{}
@@ -160,8 +161,24 @@ func gatewayLoader(ctx context.Context, k8sClient client.Client, routeIdentifier
 		// If the ARN is not available, then the backend is not yet usable.
 		initialErrorMessage := fmt.Sprintf("Gateway (%s:%s) is not usable yet, LB ARN is not provisioned)", gwIdentifier.Namespace, gwIdentifier.Name)
 		wrappedGatewayErrorMessage := generateInvalidMessageWithRouteDetails(initialErrorMessage, routeKind, routeIdentifier)
-		return nil, wrapError(errors.Errorf("%s", initialErrorMessage), gwv1.GatewayReasonListenersNotValid, gwv1.RouteReasonBackendNotFound, &wrappedGatewayErrorMessage, nil), nil
+		// This needs to be a fatal error, otherwise we will not run another reconcile cycle to pick up the ARN.
+		return nil, nil, wrapError(errors.Errorf("%s", initialErrorMessage), gwv1.GatewayReasonListenersNotValid, gwv1.RouteReasonBackendNotFound, &wrappedGatewayErrorMessage, nil)
+	}
+
+	err = validateGatewayARN(arn)
+	if err != nil {
+		wrappedGatewayErrorMessage := generateInvalidMessageWithRouteDetails(err.Error(), routeKind, routeIdentifier)
+		// This can be a warning, as we know that retrying reconcile will do nothing to fix this situation.
+		return nil, wrapError(err, gwv1.GatewayReasonListenersNotValid, gwv1.RouteReasonBackendNotFound, &wrappedGatewayErrorMessage, nil), nil
 	}
 
 	return NewGatewayBackendConfig(gw, tgProps, arn, int32(*backendRef.Port)), nil, nil
 }
+
+func validateGatewayARN(arn string) error {
+	parts := strings.Split(arn, "/")
+	if len(parts) < 2 || parts[1] != "app" {
+		return errors.Errorf("invalid gateway ARN: %s, the resource type must be application load balancer", arn)
+	}
+	return nil
+}
diff --git a/pkg/gateway/routeutils/backend_gateway_test.go b/pkg/gateway/routeutils/backend_gateway_test.go
@@ -205,3 +205,46 @@ func TestGatewayBackendConfig_GetHealthCheckPort(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateGatewayARN(t *testing.T) {
+	tests := []struct {
+		name    string
+		arn     string
+		wantErr bool
+	}{
+		{
+			name:    "valid ALB ARN",
+			arn:     "arn:aws:elasticloadbalancing:us-east-1:565768096483:loadbalancer/app/k8s-echoserv-testgwal-3c92fc24ed/9604d5627427405c",
+			wantErr: false,
+		},
+		{
+			name:    "invalid NLB ARN",
+			arn:     "arn:aws:elasticloadbalancing:us-east-1:565768096483:loadbalancer/net/my-nlb/1234567890123456",
+			wantErr: true,
+		},
+		{
+			name:    "invalid format - no slashes",
+			arn:     "arn:aws:elasticloadbalancing:us-east-1:565768096483:loadbalancer",
+			wantErr: true,
+		},
+		{
+			name:    "invalid format - only one part",
+			arn:     "arn:aws:elasticloadbalancing:us-east-1:565768096483:loadbalancer/",
+			wantErr: true,
+		},
+		{
+			name:    "empty string",
+			arn:     "",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateGatewayARN(tt.arn)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("validateGatewayARN() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
