feat: Support deploying Gateway LBs with region property on LoadBalancerConfiguration

Signed-off-by: Aleksander Aleksic <aleksander.aleksic@nordicsemi.no>

Author: aleksanderaleksic

apis/gateway/v1beta1/loadbalancerconfig_types.go

@@ -198,6 +198,20 @@ type LoadBalancerConfigurationSpec struct {
 	// +optional
 	MergingMode *LoadBalancerConfigMergeMode `json:"mergingMode,omitempty"`
 
+	// region is the AWS region where the load balancer will be deployed. When unset, the controller's default region is used.
+	// When set to a different region, vpcId, vpcSelector, or loadBalancerSubnets with identifiers must be set so the VPC can be resolved.
+	// +optional
+	Region *string `json:"region,omitempty"`
+
+	// vpcId is the VPC ID in the target region. Used when region is set (and especially when it differs from the controller default).
+	// +optional
+	VpcID *string `json:"vpcId,omitempty"`
+
+	// vpcSelector selects the VPC in the target region by tags. Each key is a tag name; the value list is the allowed tag values.
+	// A VPC matches if it has each tag key with one of the corresponding values. Exactly one VPC must match in the target region.
+	// +optional
+	VpcSelector *map[string][]string `json:"vpcSelector,omitempty"`
+
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=32
 	// loadBalancerName defines the name of the LB to provision. If unspecified, it will be automatically generated.

apis/gateway/v1beta1/zz_generated.deepcopy.go

@@ -267,6 +267,12 @@ spec:
                 - prefer-gateway
                 - prefer-gateway-class
                 type: string
+              region:
+                description: region is the AWS region where the load balancer will
+                  be deployed. When unset, the controller's default region is used.
+                  When set to a different region, vpcId, vpcSelector, or loadBalancerSubnets
+                  with identifiers must be set so the VPC can be resolved.
+                type: string
               minimumLoadBalancerCapacity:
                 description: MinimumLoadBalancerCapacity define the capacity reservation
                   for LoadBalancers
@@ -317,6 +323,21 @@ spec:
                   type: string
                 description: Tags the AWS Tags on all related resources to the gateway.
                 type: object
+              vpcId:
+                description: vpcId is the VPC ID in the target region. Used when
+                  region is set (and especially when it differs from the controller
+                  default).
+                type: string
+              vpcSelector:
+                additionalProperties:
+                  items:
+                    type: string
+                  type: array
+                description: vpcSelector selects the VPC in the target region by
+                  tags. Each key is a tag name; the value list is the allowed tag
+                  values. A VPC matches if it has each tag key with one of the corresponding
+                  values. Exactly one VPC must match in the target region.
+                type: object
               wafV2:
                 description: WAFv2 define the AWS WAFv2 settings for a Gateway [Application
                   Load Balancer]

config/crd/gateway/gateway.k8s.aws_loadbalancerconfigurations.yaml

@@ -65,6 +65,26 @@ Defines the LoadBalancer Scheme.
 
 **Default** internal
 
+#### Region
+
+`region`
+
+The AWS region where the load balancer will be deployed. When unset, the controller's default region (from `--aws-region` or environment) is used. When set to a different region, you must specify the VPC in that region using one of: `vpcId`, `vpcSelector`, or `loadBalancerSubnets` with subnet identifiers so the controller can resolve the VPC.
+
+**Default** Controller's default region
+
+#### VpcID
+
+`vpcId`
+
+The VPC ID in the target region. Used when `region` is set, especially when it differs from the controller default. Required (or use `vpcSelector` / `loadBalancerSubnets` with identifiers) when deploying to a non-default region.
+
+#### VpcSelector
+
+`vpcSelector`
+
+Selects the VPC in the target region by tags. Same shape as `loadBalancerSubnetsSelector`: each key is a tag name, the value list is the allowed tag values. A VPC matches if it has each tag key with one of the corresponding values. Exactly one VPC must match in the target region. Use when `region` is set and you prefer tag-based selection over a fixed `vpcId`.
+
 #### IpAddressType
 
 `ipAddressType`

controllers/gateway/gateway_controller.go

@@ -460,6 +460,9 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `mergingMode` _[LoadBalancerConfigMergeMode](#loadbalancerconfigmergemode)_ | mergingMode defines the merge behavior when both the Gateway and GatewayClass have a defined LoadBalancerConfiguration.<br />This field is only honored for the configuration attached to the GatewayClass. |  | Enum: [prefer-gateway prefer-gateway-class] <br /> |
+| `region` _string_ | region is the AWS region where the load balancer will be deployed. When unset, the controller's default region is used. When set to a different region, set vpcId, vpcSelector, or loadBalancerSubnets with identifiers so the VPC can be resolved. |  |  |
+| `vpcId` _string_ | vpcId is the VPC ID in the target region. Used when region is set (especially when it differs from the controller default). |  |  |
+| `vpcSelector` _map[string][]string_ | vpcSelector selects the VPC in the target region by tags. Each key is a tag name; the value list is the allowed tag values. Exactly one VPC must match in the target region. |  |  |
 | `loadBalancerName` _string_ | loadBalancerName defines the name of the LB to provision. If unspecified, it will be automatically generated. |  | MaxLength: 32 <br />MinLength: 1 <br /> |
 | `scheme` _[LoadBalancerScheme](#loadbalancerscheme)_ | scheme defines the type of LB to provision. If unspecified, it will be automatically inferred. |  | Enum: [internal internet-facing] <br /> |
 | `ipAddressType` _[LoadBalancerIpAddressType](#loadbalanceripaddresstype)_ | loadBalancerIPType defines what kind of load balancer to provision (ipv4, dual stack) |  | Enum: [ipv4 dualstack dualstack-without-public-ipv4] <br /> |
@@ -472,7 +475,6 @@ _Appears in:_
 | `securityGroups` _string_ | securityGroups an optional list of security group ids or names to apply to the LB |  |  |
 | `securityGroupPrefixes` _string_ | securityGroupPrefixes an optional list of prefixes that are allowed to access the LB. |  |  |
 | `sourceRanges` _string_ | sourceRanges an optional list of CIDRs that are allowed to access the LB. |  |  |
-| `vpcId` _string_ | vpcId is the ID of the VPC for the load balancer. |  |  |
 | `loadBalancerAttributes` _[LoadBalancerAttribute](#loadbalancerattribute) array_ | LoadBalancerAttributes defines the attribute of LB |  |  |
 | `tags` _map[string]string_ | Tags the AWS Tags on all related resources to the gateway. |  |  |
 | `enableICMP` _boolean_ | EnableICMP [Network LoadBalancer]<br />enables the creation of security group rules to the managed security group<br />to allow explicit ICMP traffic for Path MTU discovery for IPv4 and dual-stack VPCs |  |  |

docs/guide/gateway/loadbalancerconfig.md

@@ -722,6 +722,12 @@ spec:
                 - prefer-gateway
                 - prefer-gateway-class
                 type: string
+              region:
+                description: region is the AWS region where the load balancer will
+                  be deployed. When unset, the controller's default region is used.
+                  When set to a different region, vpcId, vpcSelector, or loadBalancerSubnets
+                  with identifiers must be set so the VPC can be resolved.
+                type: string
               minimumLoadBalancerCapacity:
                 description: MinimumLoadBalancerCapacity define the capacity reservation
                   for LoadBalancers
@@ -772,6 +778,20 @@ spec:
                   type: string
                 description: Tags the AWS Tags on all related resources to the gateway.
                 type: object
+              vpcId:
+                description: vpcId is the VPC ID in the target region. Used when region
+                  is set (and especially when it differs from the controller default).
+                type: string
+              vpcSelector:
+                additionalProperties:
+                  items:
+                    type: string
+                  type: array
+                description: vpcSelector selects the VPC in the target region by tags.
+                  Each key is a tag name; the value list is the allowed tag values.
+                  A VPC matches if it has each tag key with one of the corresponding
+                  values. Exactly one VPC must match in the target region.
+                type: object
               wafV2:
                 description: WAFv2 define the AWS WAFv2 settings for a Gateway [Application
                   Load Balancer]

docs/guide/gateway/spec.md

@@ -30,6 +30,8 @@ import (
 	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
 	"sigs.k8s.io/aws-load-balancer-controller/controllers/gateway"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/deploy"
+	gatewaypkg "sigs.k8s.io/aws-load-balancer-controller/pkg/gateway"
 	gateway_constants "sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/constants"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/referencecounter"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/routeutils"
@@ -119,6 +121,9 @@ type gatewayControllerConfig struct {
 	targetGroupCollector    awsmetrics.TargetGroupCollector
 	targetGroupARNMapper    shared_utils.TargetGroupARNMapper
 	certDiscovery           certs.CertDiscovery
+	cloudProvider           gatewaypkg.CloudProvider
+	stackDeployerFactoryALB func(cloud services.Cloud) deploy.StackDeployer
+	stackDeployerFactoryNLB func(cloud services.Cloud) deploy.StackDeployer
 }
 
 func main() {
@@ -198,7 +203,11 @@ func main() {
 
 	tgArnMapper := shared_utils.NewTargetGroupNameToArnMapper(cloud.ELBV2())
 
-	tgbResManager := targetgroupbinding.NewDefaultResourceManager(mgr.GetClient(), cloud.ELBV2(),
+	elbv2ForRegion := func(region string) (services.ELBV2, error) {
+		return aws.NewELBV2ForRegion(controllerCFG.AWSConfig, region, awsMetricsCollector, ctrl.Log.WithName("elbv2-"+region), aws.DefaultLbStabilizationTime)
+	}
+
+	tgbResManager := targetgroupbinding.NewDefaultResourceManager(mgr.GetClient(), cloud.ELBV2(), cloud.Region(), elbv2ForRegion,
 		podInfoRepo, networkingManager, vpcInfoProvider, multiClusterManager, lbcMetricsCollector,
 		cloud.VpcID(), controllerCFG.FeatureGates.Enabled(config.EndpointsFailOpen), controllerCFG.EnableEndpointSlices,
 		mgr.GetEventRecorderFor("targetGroupBinding"), ctrl.Log, controllerCFG.MaxTargetsPerTargetGroup)
@@ -263,6 +272,20 @@ func main() {
 		serviceReferenceCounter := referencecounter.NewServiceReferenceCounter()
 		certDiscovery := certs.NewACMCertDiscovery(cloud.ACM(), controllerCFG.IngressConfig.AllowedCertificateAuthorityARNs, ctrl.Log.WithName("gateway-cert-discovery"))
 
+		cloudProvider := gatewaypkg.NewDefaultCloudProvider(cloud, subnetResolver, vpcInfoProvider, controllerCFG.AWSConfig, controllerCFG, mgr.GetClient(), awsMetricsCollector, ctrl.Log.WithName("cloud-provider"))
+		// Use region-scoped networking SG manager and reconciler per cloud so the deployer lists/finds SGs and reconciles ingress in the target region (fixes cross-region Duplicate and DescribeSecurityGroups NotFound).
+		stackDeployerFactoryALB := func(c services.Cloud) deploy.StackDeployer {
+			deployLogger := ctrl.Log.WithName("deploy").WithName(c.Region())
+			networkingSGManagerForCloud := networking.NewDefaultSecurityGroupManager(c.EC2(), deployLogger)
+			sgReconcilerForCloud := networking.NewDefaultSecurityGroupReconciler(networkingSGManagerForCloud, deployLogger)
+			return deploy.NewDefaultStackDeployer(c, mgr.GetClient(), networkingManager, networkingSGManagerForCloud, sgReconcilerForCloud, elbv2deploy.NewDefaultTaggingManager(c.ELBV2(), c.VpcID(), controllerCFG.FeatureGates, c.RGT(), ctrl.Log), controllerCFG, gateway_constants.ALBGatewayTagPrefix, ctrl.Log, lbcMetricsCollector, gateway_constants.ALBGatewayController, true, targetGroupCollector, false)
+		}
+		stackDeployerFactoryNLB := func(c services.Cloud) deploy.StackDeployer {
+			deployLogger := ctrl.Log.WithName("deploy").WithName(c.Region())
+			networkingSGManagerForCloud := networking.NewDefaultSecurityGroupManager(c.EC2(), deployLogger)
+			sgReconcilerForCloud := networking.NewDefaultSecurityGroupReconciler(networkingSGManagerForCloud, deployLogger)
+			return deploy.NewDefaultStackDeployer(c, mgr.GetClient(), networkingManager, networkingSGManagerForCloud, sgReconcilerForCloud, elbv2deploy.NewDefaultTaggingManager(c.ELBV2(), c.VpcID(), controllerCFG.FeatureGates, c.RGT(), ctrl.Log), controllerCFG, gateway_constants.NLBGatewayTagPrefix, ctrl.Log, lbcMetricsCollector, gateway_constants.NLBGatewayController, true, targetGroupCollector, true)
+		}
 		gwControllerConfig := &gatewayControllerConfig{
 			cloud:                   cloud,
 			k8sClient:               mgr.GetClient(),
@@ -282,6 +305,9 @@ func main() {
 			targetGroupCollector:    targetGroupCollector,
 			targetGroupARNMapper:    tgArnMapper,
 			certDiscovery:           certDiscovery,
+			cloudProvider:           cloudProvider,
+			stackDeployerFactoryALB: stackDeployerFactoryALB,
+			stackDeployerFactoryNLB: stackDeployerFactoryNLB,
 		}
 
 		enabledControllers := sets.Set[string]{}
@@ -441,8 +467,8 @@ func main() {
 	}
 	corewebhook.NewServiceMutator(controllerCFG.ServiceConfig.LoadBalancerClass, ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
 	elbv2webhook.NewIngressClassParamsValidator(lbcMetricsCollector).SetupWithManager(mgr)
-	elbv2webhook.NewTargetGroupBindingMutator(cloud.ELBV2(), ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
-	elbv2webhook.NewTargetGroupBindingValidator(mgr.GetClient(), cloud.ELBV2(), cloud.VpcID(), ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
+	elbv2webhook.NewTargetGroupBindingMutator(cloud.ELBV2(), cloud.Region(), elbv2ForRegion, ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
+	elbv2webhook.NewTargetGroupBindingValidator(mgr.GetClient(), cloud.ELBV2(), cloud.Region(), elbv2ForRegion, cloud.VpcID(), ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
 	networkingwebhook.NewIngressValidator(mgr.GetClient(), controllerCFG.IngressConfig, ctrl.Log, lbcMetricsCollector).SetupWithManager(mgr)
 
 	// Setup GlobalAccelerator validator only if enabled
@@ -514,6 +540,8 @@ func setupGatewayController(ctx context.Context, mgr ctrl.Manager, cfg *gatewayC
 			cfg.reconcileCounters,
 			cfg.targetGroupCollector,
 			cfg.targetGroupARNMapper,
+			cfg.cloudProvider,
+			cfg.stackDeployerFactoryNLB,
 		)
 	case gateway_constants.ALBGatewayController:
 		reconciler = gateway.NewALBGatewayReconciler(
@@ -538,6 +566,8 @@ func setupGatewayController(ctx context.Context, mgr ctrl.Manager, cfg *gatewayC
 			cfg.reconcileCounters,
 			cfg.targetGroupCollector,
 			cfg.targetGroupARNMapper,
+			cfg.cloudProvider,
+			cfg.stackDeployerFactoryALB,
 		)
 	default:
 		return fmt.Errorf("unknown controller type: %s", controllerType)

helm/aws-load-balancer-controller/crds/gateway-crds.yaml

@@ -0,0 +1,83 @@
+package aws
+
+import (
+	"context"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/go-logr/logr"
+	"github.com/pkg/errors"
+	epresolver "sigs.k8s.io/aws-load-balancer-controller/pkg/aws/endpoints"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/provider"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
+	aws_metrics "sigs.k8s.io/aws-load-balancer-controller/pkg/metrics/aws"
+)
+
+// NewCloudForRegion creates a Cloud for the given region and vpcID without using EC2 metadata.
+// The base cfg is copied; only Region and VpcID are set. Use this when deploying to a non-default region.
+func NewCloudForRegion(cfg CloudConfig, region, vpcID string, clusterName string, metricsCollector *aws_metrics.Collector, logger logr.Logger, lbStabilizationTime time.Duration) (services.Cloud, error) {
+	cfgForRegion := cfg
+	cfgForRegion.Region = region
+	cfgForRegion.VpcID = vpcID
+	return NewCloud(cfgForRegion, clusterName, metricsCollector, logger, nil, lbStabilizationTime)
+}
+
+// NewEC2ClientForRegion returns an EC2 client configured for the given region.
+// Used for VPC resolution (e.g. DescribeVpcs, DescribeSubnets) in that region before creating a full Cloud.
+func NewEC2ClientForRegion(cfg CloudConfig, region string, metricsCollector *aws_metrics.Collector, logger logr.Logger) (services.EC2, error) {
+	awsClientsProvider, err := newClientsProviderForRegion(cfg, region, metricsCollector)
+	if err != nil {
+		return nil, err
+	}
+	return services.NewEC2(awsClientsProvider), nil
+}
+
+// NewELBV2ForRegion returns an ELBV2 client configured for the given region.
+// Used by webhooks and model builders that need to describe/validate resources in a non-default region.
+// This does not require a VPC ID or full Cloud — only the region is needed for API calls like DescribeTargetGroups.
+func NewELBV2ForRegion(cfg CloudConfig, region string, metricsCollector *aws_metrics.Collector, logger logr.Logger, lbStabilizationTime time.Duration) (services.ELBV2, error) {
+	awsClientsProvider, err := newClientsProviderForRegion(cfg, region, metricsCollector)
+	if err != nil {
+		return nil, err
+	}
+	cloud := &regionStubCloud{region: region}
+	elbv2 := services.NewELBV2(awsClientsProvider, cloud, lbStabilizationTime)
+	cloud.elbv2 = elbv2
+	return elbv2, nil
+}
+
+func newClientsProviderForRegion(cfg CloudConfig, region string, metricsCollector *aws_metrics.Collector) (provider.AWSClientsProvider, error) {
+	cfgForRegion := cfg
+	cfgForRegion.Region = region
+	endpointsResolver := epresolver.NewResolver(cfgForRegion.AWSEndpoints)
+	configGenerator := NewAWSConfigGenerator(cfgForRegion, imds.EndpointModeStateIPv4, metricsCollector)
+	awsConfig, err := configGenerator.GenerateAWSConfig()
+	if err != nil {
+		return nil, err
+	}
+	return provider.NewDefaultAWSClientsProvider(awsConfig, endpointsResolver)
+}
+
+// regionStubCloud is a minimal Cloud implementation used only by NewELBV2ForRegion.
+// Only Region() and ELBV2() are meaningful; other methods are unused by the ELBV2 client
+// for basic operations like DescribeTargetGroups.
+type regionStubCloud struct {
+	region string
+	elbv2  services.ELBV2
+}
+
+func (c *regionStubCloud) Region() string                                { return c.region }
+func (c *regionStubCloud) VpcID() string                                 { return "" }
+func (c *regionStubCloud) ELBV2() services.ELBV2                         { return c.elbv2 }
+func (c *regionStubCloud) EC2() services.EC2                             { return nil }
+func (c *regionStubCloud) ACM() services.ACM                             { return nil }
+func (c *regionStubCloud) WAFv2() services.WAFv2                         { return nil }
+func (c *regionStubCloud) WAFRegional() services.WAFRegional             { return nil }
+func (c *regionStubCloud) Shield() services.Shield                       { return nil }
+func (c *regionStubCloud) RGT() services.RGT                             { return nil }
+func (c *regionStubCloud) GlobalAccelerator() services.GlobalAccelerator { return nil }
+func (c *regionStubCloud) GetAssumedRoleELBV2(_ context.Context, _ string, _ string) (services.ELBV2, error) {
+	return nil, errors.New("AssumeRole is not supported for cross-region stub cloud; use a full Cloud instead")
+}
+
+var _ services.Cloud = &regionStubCloud{}