[feat aga] Add documentation for AGA controller

[shraddhabang]

This PR adds documentation for the AWS Global Accelerator (AGA) Controller feature.

• Add installation guide with CRD installation steps and feature flag requirements
• Document IAM permissions required for the Global Accelerator controller
• Clarify cross-region support limitations and auto-discovery capabilities
• Add configuration options and feature flag details
• Document AWS partition availability (standard partition only)

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[wweiwei-li]

do we want to also mention we support manual specification (direct ARN as endpointID)

[shraddhabang]

Yes. Good point I can update it.

[shraddhabang]

Yes. Good catch.

[wweiwei-li]

Nit: I am thinking Extended Endpoint Discovery and Auto-Discovery for One-Click Accelerators consolidate to one auto discovery. They're the same auto-discovery feature just focusing on different aspects (endpoint versus listener and port). Maybe it is partial used based on their crd config. but looks to me it is same thing. What do you think.

[emdelaney]

Agree; "Automatic Endpoint Discovery" sounds great as a combined heading.

[shraddhabang]

All right. let me rewrite this to capture this better.

[wweiwei-li]

thinking if we want to add some prerequisites. For example, link to how they provision IP address range with Global Accelerator - https://docs.aws.amazon.com/global-accelerator/latest/dg/using-byoip.html.

Also, if we want to clarify No Updates Allowed is controller limitation.

[shraddhabang]

Agreed. Good point.

[wweiwei-li]

do we want to also mention RBAC config needed for controller to have permissions to manage AGA resources

[shraddhabang]

Required RBACs will be updated automatically when they upgrade to latest version. That we dont have conditional. So we dont need to specify that.

[emdelaney]

I'd highlight AWS Load Balancer Controller Ingress, Service, and Gateway resources specifically here as supported endpoint types

[emdelaney]

Agree; "Automatic Endpoint Discovery" sounds great as a combined heading.

[emdelaney]

Let's be specific and say that to use multiple regions, you can specify endpoint ARNs, instead of 'advanced use cases'.

[shraddhabang]

Got it.

[emdelaney]

The DNS name is a courtesy; because AWS Global Accelerator operates at layer 3/4 (TCP/UDP), you don't need to use it. So I'd call this "The default DNS name for the accelerator."

Also, do we want to provide the dual stack DNS name, if available, in another field? https://docs.aws.amazon.com/global-accelerator/latest/api/API_Accelerator.html#globalaccelerator-Type-Accelerator-DualStackDnsName

[shraddhabang]

Yes.

[emdelaney]

Not sure this is super relevant / useful to users of the system; we might want to highlight when to use port overrides (when you plan to support both direct access to the endpoint, and also access over AGA): https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoint-groups-port-override.html

[shraddhabang]

Makes sense. Let me update this.

[emdelaney]

Let's call this the AWS Global Accelerator Developer Guide

[emdelaney]

...is only available in the commercial aws partition. It is not available in other partitions such as the AWS GovCoud (aws-us-gov) or AWS China (aws-cn) partitions.

(ref: https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/partitions.html )

[emdelaney]

What limits do you want to highlight? (Maybe 10 ALBs or NLBs per endpoint group, and 20 accelerators per account?)

[shraddhabang]

Yes. Just the overall limits so directed them to the service quota page.

[emdelaney]

Got it, we can probably remove this sentence then, and just leave the line with the link to the maintained service quotas documentation?

[emdelaney]

Might be worth highlighting that this is a scoped-down (RBAC) version of the GlobalAcceleratorFullAccess policy: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/GlobalAcceleratorFullAccess.html

[shraddhabang]

Scoped down version GlobalAcceleratorFullAccess will get full access to all the resources. While our IAM policy is tag based.

[emdelaney]

Some customers are sensitive about IAM create permissions; it's also fine to pre-create the role outside of k8s automation as well. Not sure if we want to highlight that here or not. (not is simpler.)

[shraddhabang]

We have given the same policy for our ELB service as well. So the customers are aware of this. These are anyway recommended policies. If the customer wants, they can always remove this from their policies. This is pretty common practice to use our controller.

[shraddhabang]

/retest

[emdelaney]

Got it, we can probably remove this sentence then, and just leave the line with the link to the maintained service quotas documentation?

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: emdelaney, shraddhabang, wweiwei-li

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [shraddhabang,wweiwei-li]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment