kubernetes-sigs · shraddhabang · Nov 10, 2025 · Nov 12, 2025
diff --git a/apis/aga/v1beta1/globalaccelerator_types.go b/apis/aga/v1beta1/globalaccelerator_types.go
@@ -48,6 +48,7 @@ const (
 )
 
 // PortRange defines the port range for Global Accelerator listeners.
+// +kubebuilder:validation:XValidation:rule="self.fromPort <= self.toPort",message="FromPort must be less than or equal to ToPort"
 type PortRange struct {
 	// FromPort is the first port in the range of ports, inclusive.
 	// +kubebuilder:validation:Minimum=1

diff --git a/config/crd/aga/aga-crds.yaml b/config/crd/aga/aga-crds.yaml
@@ -264,6 +264,9 @@ spec:
                         - fromPort
                         - toPort
                         type: object
+                        x-kubernetes-validations:
+                        - message: FromPort must be less than or equal to ToPort
+                          rule: self.fromPort <= self.toPort
                       maxItems: 10
                       minItems: 1
                       type: array

diff --git a/config/crd/aga/aga.k8s.aws_globalaccelerators.yaml b/config/crd/aga/aga.k8s.aws_globalaccelerators.yaml
@@ -264,6 +264,9 @@ spec:
                         - fromPort
                         - toPort
                         type: object
+                        x-kubernetes-validations:
+                        - message: FromPort must be less than or equal to ToPort
+                          rule: self.fromPort <= self.toPort
                       maxItems: 10
                       minItems: 1
                       type: array

diff --git a/config/webhook/globalaccelerator_validator_patch.yaml b/config/webhook/globalaccelerator_validator_patch.yaml
@@ -0,0 +1,18 @@
+# This patch adds the GlobalAccelerator validator webhook configuration to the webhook configurations
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: webhook-configuration
+webhooks:
+  - name: vglobalaccelerator.aga.k8s.aws
+    rules:
+      - apiGroups:
+          - "aga.k8s.aws"
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - globalaccelerators
+        scope: "Namespaced"
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml
@@ -9,3 +9,4 @@ patchesStrategicMerge:
   - pod_mutator_patch.yaml
   - service_mutator_patch.yaml
   - ingressclassparams_validator_patch.yaml
+  - globalaccelerator_validator_patch.yaml
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -68,6 +68,27 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: webhook
 webhooks:
+  - admissionReviewVersions:
+      - v1beta1
+    clientConfig:
+      service:
+        name: webhook-service
+        namespace: system
+        path: /validate-aga-k8s-aws-v1beta1-globalaccelerator
+    failurePolicy: Fail
+    matchPolicy: Equivalent
+    name: vglobalaccelerator.aga.k8s.aws
+    rules:
+      - apiGroups:
+          - aga.k8s.aws
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - globalaccelerators
+    sideEffects: None
   - admissionReviewVersions:
       - v1beta1
     clientConfig:

diff --git a/controllers/aga/globalaccelerator_controller.go b/controllers/aga/globalaccelerator_controller.go
@@ -275,7 +275,9 @@ func (r *globalAcceleratorReconciler) reconcileGlobalAcceleratorResources(ctx co
 func (r *globalAcceleratorReconciler) cleanupGlobalAcceleratorResources(ctx context.Context, ga *agaapi.GlobalAccelerator) error {
 	r.logger.Info("Cleaning up GlobalAccelerator resources", "globalAccelerator", k8s.NamespacedName(ga))
 
-	// TODO we will handle cleaning up dependent resources when we implement those
+	// Our enhanced AcceleratorManager now handles deletion of listeners before accelerator.
+	// TODO: This will be enhanced to delete endpoint groups and endpoints
+	// before deleting listeners and accelerator (when those features are implemented)
 	// 1. Find the accelerator ARN from the CRD status
 	if ga.Status.AcceleratorARN == nil {
 		r.logger.Info("No accelerator ARN found in status, nothing to clean up", "globalAccelerator", k8s.NamespacedName(ga))

diff --git a/helm/aws-load-balancer-controller/crds/aga-crds.yaml b/helm/aws-load-balancer-controller/crds/aga-crds.yaml
@@ -264,6 +264,9 @@ spec:
                         - fromPort
                         - toPort
                         type: object
+                        x-kubernetes-validations:
+                        - message: FromPort must be less than or equal to ToPort
+                          rule: self.fromPort <= self.toPort
                       maxItems: 10
                       minItems: 1
                       type: array

diff --git a/main.go b/main.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"os"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/aga"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_utils"
 
 	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
@@ -65,6 +66,7 @@ import (
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/runtime"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/targetgroupbinding"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/version"
+	agawebhook "sigs.k8s.io/aws-load-balancer-controller/webhooks/aga"
 	corewebhook "sigs.k8s.io/aws-load-balancer-controller/webhooks/core"
 	elbv2webhook "sigs.k8s.io/aws-load-balancer-controller/webhooks/elbv2"
 	networkingwebhook "sigs.k8s.io/aws-load-balancer-controller/webhooks/networking"
@@ -236,7 +238,7 @@ func main() {
 	}
 
 	// Setup GlobalAccelerator controller only if enabled
-	if shared_utils.IsAGAControllerEnabled(controllerCFG.FeatureGates, controllerCFG.AWSConfig.Region) {
+	if aga.IsAGAControllerEnabled(controllerCFG.FeatureGates, controllerCFG.AWSConfig.Region) {
 		agaReconciler := agacontroller.NewGlobalAcceleratorReconciler(mgr.GetClient(), mgr.GetEventRecorderFor("globalAccelerator"),
 			finalizerManager, controllerCFG, cloud, ctrl.Log.WithName("controllers").WithName("globalAccelerator"), lbcMetricsCollector, reconcileCounters)
 		if err := agaReconciler.SetupWithManager(ctx, mgr, clientSet); err != nil {
@@ -415,6 +417,11 @@ func main() {
 	elbv2webhook.NewTargetGroupBindingMutator(cloud.ELBV2(), ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
 	elbv2webhook.NewTargetGroupBindingValidator(mgr.GetClient(), cloud.ELBV2(), cloud.VpcID(), ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
 	networkingwebhook.NewIngressValidator(mgr.GetClient(), controllerCFG.IngressConfig, ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
+
+	// Setup GlobalAccelerator validator only if enabled
+	if aga.IsAGAControllerEnabled(controllerCFG.FeatureGates, controllerCFG.AWSConfig.Region) {
+		agawebhook.NewGlobalAcceleratorValidator(ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
+	}
 	//+kubebuilder:scaffold:builder
 
 	go func() {

diff --git a/pkg/aga/model_build_listener.go b/pkg/aga/model_build_listener.go
@@ -0,0 +1,128 @@
+package aga
+
+import (
+	"context"
+	"fmt"
+	"github.com/pkg/errors"
+	agaapi "sigs.k8s.io/aws-load-balancer-controller/apis/aga/v1beta1"
+	agamodel "sigs.k8s.io/aws-load-balancer-controller/pkg/model/aga"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
+)
+
+// listenerBuilder builds Listener model resources
+type listenerBuilder interface {
+	Build(ctx context.Context, stack core.Stack, accelerator *agamodel.Accelerator, listeners []agaapi.GlobalAcceleratorListener) ([]*agamodel.Listener, error)
+}
+
+// NewListenerBuilder constructs new listenerBuilder
+func NewListenerBuilder() listenerBuilder {
+	return &defaultListenerBuilder{}
+}
+
+var _ listenerBuilder = &defaultListenerBuilder{}
+
+type defaultListenerBuilder struct{}
+
+// Build builds Listener model resources
+func (b *defaultListenerBuilder) Build(ctx context.Context, stack core.Stack, accelerator *agamodel.Accelerator, listeners []agaapi.GlobalAcceleratorListener) ([]*agamodel.Listener, error) {
+	if listeners == nil || len(listeners) == 0 {
+		return nil, nil
+	}
+
+	var result []*agamodel.Listener
+	for i, listener := range listeners {
+		listenerModel, err := buildListener(ctx, stack, accelerator, listener, i)
+		if err != nil {
+			return nil, err
+		}
+		result = append(result, listenerModel)
+	}
+	return result, nil
+}
+
+// buildListener builds a single Listener model resource
+func buildListener(ctx context.Context, stack core.Stack, accelerator *agamodel.Accelerator, listener agaapi.GlobalAcceleratorListener, index int) (*agamodel.Listener, error) {
+	spec, err := buildListenerSpec(ctx, accelerator, listener)
+	if err != nil {
+		return nil, err
+	}
+
+	resourceID := fmt.Sprintf("Listener-%d", index)
+	listenerModel := agamodel.NewListener(stack, resourceID, spec, accelerator)
+	return listenerModel, nil
+}
+
+// buildListenerSpec builds the ListenerSpec for a single Listener model resource
+func buildListenerSpec(ctx context.Context, accelerator *agamodel.Accelerator, listener agaapi.GlobalAcceleratorListener) (agamodel.ListenerSpec, error) {
+	protocol, err := buildListenerProtocol(ctx, listener)
+	if err != nil {
+		return agamodel.ListenerSpec{}, err
+	}
+
+	portRanges, err := buildListenerPortRanges(ctx, listener)
+	if err != nil {
+		return agamodel.ListenerSpec{}, err
+	}
+
+	clientAffinity := buildListenerClientAffinity(ctx, listener)
+
+	return agamodel.ListenerSpec{
+		AcceleratorARN: accelerator.AcceleratorARN(),
+		Protocol:       protocol,
+		PortRanges:     portRanges,
+		ClientAffinity: clientAffinity,
+	}, nil
+}
+
+// buildListenerProtocol determines the protocol for the listener
+func buildListenerProtocol(_ context.Context, listener agaapi.GlobalAcceleratorListener) (agamodel.Protocol, error) {
+	if listener.Protocol == nil {
+		// TODO: Auto-discovery feature - Auto-determine protocol from endpoints if nil
+		// For now, default to TCP
+		return agamodel.ProtocolTCP, nil
+	}
+
+	switch *listener.Protocol {
+	case agaapi.GlobalAcceleratorProtocolTCP:
+		return agamodel.ProtocolTCP, nil
+	case agaapi.GlobalAcceleratorProtocolUDP:
+		return agamodel.ProtocolUDP, nil
+	default:
+		return "", errors.Errorf("unsupported protocol: %s", *listener.Protocol)
+	}
+}
+
+// buildListenerPortRanges determines the port ranges for the listener
+func buildListenerPortRanges(_ context.Context, listener agaapi.GlobalAcceleratorListener) ([]agamodel.PortRange, error) {
+	if listener.PortRanges == nil {
+		// TODO: Auto-discovery feature - Auto-determine port ranges from endpoints if nil
+		// For now, default to port 80
+		return []agamodel.PortRange{{
+			FromPort: 80,
+			ToPort:   80,
+		}}, nil
+	}
+
+	var portRanges []agamodel.PortRange
+	for _, pr := range *listener.PortRanges {
+		// Required validations are already done webhooks and CEL
+		portRanges = append(portRanges, agamodel.PortRange{
+			FromPort: pr.FromPort,
+			ToPort:   pr.ToPort,
+		})
+	}
+	return portRanges, nil
+}
+
+// buildListenerClientAffinity determines the client affinity for the listener
+func buildListenerClientAffinity(_ context.Context, listener agaapi.GlobalAcceleratorListener) agamodel.ClientAffinity {
+	switch listener.ClientAffinity {
+	case agaapi.ClientAffinitySourceIP:
+		return agamodel.ClientAffinitySourceIP
+	case agaapi.ClientAffinityNone:
+		return agamodel.ClientAffinityNone
+	default:
+		// Default to NONE as per AWS Global Accelerator behavior
+		return agamodel.ClientAffinityNone
+	}
+}