kubernetes-sigs
diff --git a/‎docs/deploy/configurations.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/deploy/configurations.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/guide/globalaccelerator/aga-controller.md‎
Lines changed: 289 additions & 0 deletions b/‎docs/guide/globalaccelerator/aga-controller.md‎
Lines changed: 289 additions & 0 deletions
@@ -190,5 +190,6 @@ There are a set of key=value pairs that describe AWS load balancer controller fe
 | NLBSecurityGroup                      | string                          | true         | Enable or disable all NLB security groups actions including frontend sg creation, backend sg creation, and backend sg modifications. This same behavior is able to be applied to an individual service by using the annotation `aws-load-balancer-disable-nlb-sg` |
 | LBCapacityReservation                 | string                          | true         | Enable or disable the capacity reservation feature on ALB and NLB                                                                                                                                                                                                 |
 | EnableTCPUDPListenerType              | string                          | false        | Enable or disable creation of TCP_UDP type listeners. This value can be overriden at the Service level by  the annotation `service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener`                                                                  |
+| AGAController                         | string                          | false        | Enable the Global Accelerator controller for managing AWS Global Accelerator resources through Kubernetes CRDs                                                                                                                                                    |
 | EnhancedDefaultBehavior              | string                          | false        | Enable this feature to allow the controller to remove Provisioned Capacity or mTLS settings by removing the corresponding annotation.                                                                                                                             |
 | EnableDefaultTagsLowPriority          | string                          | false        | If enabled, tags supplied via `--default-tags` will be overridden by tags specified in other manners, like via annotations.                            |
@@ -0,0 +1,289 @@
+# AWS Global Accelerator Controller
+
+## Introduction
+
+AWS Global Accelerator (AGA) is a networking service that improves the performance of users' traffic by up to 60% using Amazon Web Services' global network infrastructure. The AWS Load Balancer Controller (LBC) extends its capabilities with a new AGA Controller that allows users to declaratively manage AWS Global Accelerator resources using Kubernetes Custom Resource Definitions (CRDs).
+
+This feature bridges a significant operational gap - traditionally, AWS Global Accelerator must be manually created and managed through the AWS console or CLI, creating operational overhead and lacking integration with Kubernetes-native workflows. The AGA Controller eliminates this gap by enabling full lifecycle management of Global Accelerator resources directly from your Kubernetes cluster.
+
+## Architecture
+
+The AGA Controller operates as a continuous reconciliation loop within the AWS Load Balancer Controller, watching for changes to the `GlobalAccelerator` CRD. When it detects a change, it:
+
+1. Translates the desired state defined in the CRD into corresponding AWS Global Accelerator API calls
+2. Automatically discovers resources like Elastic Load Balancers (ELBs) referenced by Kubernetes Services, Ingresses, and Gateway APIs
+3. Maintains and updates the status of the AGA resources in the CRD
+4. Handles cleanup and resource deletion when objects are removed
+
+## Key Features
+
+### Monolithic CRD Design
+
+The controller uses a single `GlobalAccelerator` resource to manage the entire AGA hierarchy, including:
+
+- The accelerator itself
+- Listeners with protocol and port range configurations
+- Endpoint groups with region and traffic dial settings
+- Endpoints from different Kubernetes resource types
+
+This design simplifies management by keeping all configuration in one place while still allowing granular control over each component.
+
+### Full Lifecycle Management (CRUD)
+
+The controller manages the complete lifecycle of AWS Global Accelerator resources:
+
+- **Create**: Provisions new AWS Global Accelerator resources from CRD specifications
+- **Read**: Updates CRD status with current state and ARNs from AWS
+- **Update**: Modifies existing accelerator configurations when the CRD is updated
+- **Delete**: Cleans up AWS resources when the CRD is deleted
+
+### Extended Endpoint Discovery
+
+The AGA Controller supports automatic endpoint resolution from multiple Kubernetes resource types in the local cluster:
+
+- **Service resources**: Discovers Network Load Balancers (NLBs) from Service type LoadBalancer
+- **Ingress resources**: Discovers Application Load Balancers (ALBs) from Ingress resources
+- **Gateway API resources**: Discovers ALBs and NLBs from Gateway API resources
+
+### Auto-Discovery for One-Click Accelerators
+
+For simple use cases, the controller offers an auto-discovery feature that automatically configures listener protocol and port ranges based on the referenced endpoints. This creates a one-click experience similar to what's available in the ELB console:
+
+```yaml
+kind: GlobalAccelerator
+metadata:
+  name: autodiscovery-accelerator
+  namespace: test-ns
+spec:
+  name: "autodiscovery-test-accelerator"
+  listeners:
+    - # Protocol and portRanges will be auto-discovered from the endpoint
+      endpointGroups:
+        - endpoints:
+            - type: Ingress
+              name: web-ingress
+              weight: 200
+```
+
+### Manual Endpoint Registration
+
+For more advanced use cases, you can manually specify endpoint ARNs instead of using auto-discovery:
+
+```yaml
+spec:
+  listeners:
+    - protocol: TCP
+      portRanges:
+        - fromPort: 443
+          toPort: 443
+      endpointGroups:
+        - endpoints:
+            - type: EndpointID
+              endpointID: arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/1234567890123456
+```
+
+> **Note:** While auto-discovery currently only works within the same AWS region as the controller, you can manually specify endpoints in other regions by explicitly setting the region field and providing the endpoint ARN. For cross-region configurations, you must manually specify the protocol and port ranges as well:
+>
+> ```yaml
+> listeners:
+>   - protocol: TCP  # Must explicitly specify protocol
+>     portRanges:    # Must explicitly specify port ranges
+>       - fromPort: 443
+>         toPort: 443
+>     endpointGroups:
+>       - region: us-west-2  # Explicitly set a different region
+>         endpoints:
+>           - type: EndpointID
+>             endpointID: arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/1234567890123456
+> ```
+
+### BYOIP (Bring Your Own IP) Support
+
+The AWS Global Accelerator Controller supports Bring Your Own IP (BYOIP) functionality with some important constraints:
+
+1. **Creation-Only Feature**: BYOIP addresses can only be specified during the initial creation of an accelerator.
+
+2. **No Updates Allowed**: IP addresses cannot be updated after an accelerator has been created. If you need to change IP addresses, you must create a new accelerator.
+
+3. **Handling Update Attempts**: If users attempt to modify IP addresses on an existing accelerator, the controller will log this as an invalid operation and ignore the IP address changes, preserving the original configuration.
+
+For BYOIP usage, specify the addresses in the `ipAddresses` field of your GlobalAccelerator resource:
+
+```yaml
+spec:
+  ipAddressType: IPV4
+  ipAddresses:
+    - "198.51.100.10"  # Your own IP from BYOIP pool
+```
+
+### Status Reporting
+
+The controller updates the CRD status with important information from the AWS Global Accelerator:
+
+- The Accelerator's ARN for reference in other systems
+- The assigned DNS name for client access
+- IP address sets for both IPv4 and dual-stack configurations
+- The current state of the accelerator (deployed, in progress, etc.)
+- Conditions reflecting the health and status of the reconciliation process
+
+#### Accelerator Status States
+
+The `status.status` field in the GlobalAccelerator CRD reflects the current state of the accelerator in AWS. This field can have the following values:
+
+- **DEPLOYED**: The accelerator is fully deployed and operational
+- **IN_PROGRESS**: The accelerator is being created or updated
+- **FAILED**: The accelerator creation or update has failed
+
+When an accelerator is first created, it will typically show as IN_PROGRESS and then transition to DEPLOYED once fully provisioned. During updates, it may temporarily show as IN_PROGRESS again.
+
+If the status shows FAILED, check the controller logs and the `status.conditions` field for more detailed error information.
+
+## Intelligent Listener Management
+
+The AGA Controller intelligently manages AWS Global Accelerator listeners to minimize service disruption during reconciliation. The controller:
+
+1. Preserves existing listeners when possible to maintain stable ARNs and associated resources
+2. Manages conflicts carefully to ensure smooth transitions during updates
+3. Optimizes the operation order to minimize downtime and maintain traffic flow
+
+This approach ensures reliable service while making necessary changes to your Global Accelerator configuration.
+
+## Port Override Constraints and Solutions
+
+AWS Global Accelerator imposes several constraints on port overrides that the controller handles automatically:
+
+### Constraint 1: Listener Port Must Be Within Listener's Port Ranges
+
+**Solution**: The controller validates port overrides during model building and removes invalid ones during reconciliation.
+
+### Constraint 2: Endpoint Port Can't Overlap With ANY Listener Port Ranges
+
+**Solution**: Cross-validation checks endpoint ports against all listener port ranges and removes overlapping configurations.
+
+### Constraint 3: No Duplicate Endpoint Ports Across Listeners
+
+**Solution**: The controller tracks all endpoint ports across the accelerator to ensure uniqueness.
+
+## Sample CRDs
+
+### Basic Global Accelerator with Single TCP Port
+
+```yaml
+apiVersion: aga.k8s.aws/v1beta1
+kind: GlobalAccelerator
+metadata:
+  name: simple-accelerator
+  namespace: default
+spec:
+  name: "simple-accelerator"
+  ipAddressType: IPV4
+  tags:
+    Environment: "production"
+  listeners:
+    - protocol: TCP
+      portRanges:
+        - fromPort: 80
+          toPort: 80
+      clientAffinity: NONE
+```
+
+### Multiple Port Ranges with Source IP Affinity
+
+```yaml
+apiVersion: aga.k8s.aws/v1beta1
+kind: GlobalAccelerator
+metadata:
+  name: multi-port-accelerator
+  namespace: default
+spec:
+  ipAddressType: IPV4
+  listeners:
+    - protocol: TCP
+      portRanges:
+        - fromPort: 80
+          toPort: 80
+        - fromPort: 443
+          toPort: 443
+      clientAffinity: SOURCE_IP
+```
+
+### Complex Configuration with Multiple Listeners and Endpoints
+
+```yaml
+apiVersion: aga.k8s.aws/v1beta1
+kind: GlobalAccelerator
+metadata:
+  name: complex-accelerator
+  namespace: default
+spec:
+  ipAddressType: IPV4
+  tags:
+    Environment: "test"
+    Team: "platform"
+  listeners:
+    - protocol: TCP
+      portRanges:
+        - fromPort: 80
+          toPort: 80
+        - fromPort: 443
+          toPort: 443
+      clientAffinity: SOURCE_IP
+      endpointGroups:
+        - trafficDialPercentage: 100
+          portOverrides:
+            - endpointPort: 8081
+              listenerPort: 80
+          endpoints:
+            - type: Service
+              name: service-nlb-1
+              weight: 128
+              clientIPPreservationEnabled: true
+            - type: Ingress
+              name: test-ingress
+              weight: 240
+    - protocol: UDP
+      portRanges:
+        - fromPort: 53
+          toPort: 53
+      clientAffinity: NONE
+```
+
+## Troubleshooting
+
+Common issues and their solutions:
+
+### Status Shows Failure
+
+Check the controller logs for detailed error messages:
+
+```bash
+kubectl logs -n kube-system -l app.kubernetes.io/name=aws-load-balancer-controller
+```
+
+### Endpoint Discovery Not Working
+
+Ensure your Service/Ingress/Gateway resources:
+
+1. Are properly configured with correct annotations
+2. Have been successfully provisioned with actual AWS load balancers
+3. Are in the same namespace as specified in the endpoint
+
+### Port Override Conflicts
+
+If port overrides are being automatically removed, check for these common issues:
+
+1. Listener port not within listener's port ranges
+2. Endpoint port overlapping with a listener port range
+3. Duplicate endpoint ports across different listeners
+
+## Current Limitations and Future Enhancements
+
+### Cross-Namespace Reference Limitations
+
+The initial release of the AWS Global Accelerator Controller does not support cross-namespace endpoint references. This means that all endpoint resources (Services, Ingresses, Gateways) must be in the same namespace as the GlobalAccelerator resource that references them.
+
+## References
+
+- [AWS Global Accelerator Documentation](https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global-accelerator.html)
+- [GlobalAccelerator CRD Reference](spec.md)
+- [AWS Load Balancer Controller Installation](../../deploy/installation.md)