From 4e8e56350e6e757a027b090e7230de83938c1b19 Mon Sep 17 00:00:00 2001
From: Aaron Levy <aaronmaxlevy@gmail.com>
Date: Mon, 3 Mar 2025 14:41:45 -0800
Subject: [PATCH] Adding annotation to enable Global Access for L7 ILBs

---
 pkg/annotations/ingress.go            |  3 +++
 pkg/loadbalancers/forwarding_rules.go |  4 +++-
 pkg/utils/utils.go                    | 12 ++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/pkg/annotations/ingress.go b/pkg/annotations/ingress.go
index 58f1e1a49b..dd94a31135 100644
--- a/pkg/annotations/ingress.go
+++ b/pkg/annotations/ingress.go
@@ -56,6 +56,9 @@ const (
 	// to the target proxies of the Ingress.
 	PreSharedCertKey = "ingress.gcp.kubernetes.io/pre-shared-cert"
 
+	// ILBGlobalAccessKey is the annotation key used to enable Global Access for the L7 ILB Forwarding Rule
+	ILBGlobalAccessKey = "ingress.gcp.kubernetes.io/ilb-allow-global-access"
+
 	// IngressClassKey picks a specific "class" for the Ingress. The controller
 	// only processes Ingresses with this annotation either unset, or set
 	// to either gceIngressClass or the empty string.
diff --git a/pkg/loadbalancers/forwarding_rules.go b/pkg/loadbalancers/forwarding_rules.go
index 8142da0b2c..34109a779f 100644
--- a/pkg/loadbalancers/forwarding_rules.go
+++ b/pkg/loadbalancers/forwarding_rules.go
@@ -103,8 +103,10 @@ func (l7 *L7) checkForwardingRule(protocol namer.NamerProtocol, name, proxyLink,
 	env := &translator.Env{VIP: ip, Network: l7.cloud.NetworkURL(), Subnetwork: l7.cloud.SubnetworkURL()}
 	fr := tr.ToCompositeForwardingRule(env, protocol, version, proxyLink, description, l7.runtimeInfo.StaticIPSubnet)
 
+	fr.AllowGlobalAccess = utils.IsGCEL7ILBIngressGlobalAccessEnabled(&l7.ingress)
+	
 	existing, _ = composite.GetForwardingRule(l7.cloud, key, version, l7.logger)
-	if existing != nil && (fr.IPAddress != "" && existing.IPAddress != fr.IPAddress || existing.PortRange != fr.PortRange) {
+	if existing != nil && (fr.IPAddress != "" && existing.IPAddress != fr.IPAddress || existing.PortRange != fr.PortRange || existing.AllowGlobalAccess != fr.AllowGlobalAccess) {
 		l7.logger.Info("Recreating forwarding rule %v(%v), so it has %v(%v)",
 			"existingIp", existing.IPAddress, "existingPortRange", existing.PortRange,
 			"targetIp", fr.IPAddress, "targetPortRange", fr.PortRange)
diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
index 50236df75b..6070c3acc7 100644
--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
@@ -505,6 +505,18 @@ func IsGCEL7ILBIngress(ing *networkingv1.Ingress) bool {
 	return class == annotations.GceL7ILBIngressClass
 }
 
+// IsGCEL7ILBIngressGlobalAccessEnabled returns true if the given Ingress has
+// ingress.class annotation set to "gce-l7-ilb" and has Global Access enabled
+func IsGCEL7ILBIngressGlobalAccessEnabled(ing *networkingv1.Ingress) bool {
+	if !IsGCEL7ILBIngress(ing) {
+		return false
+	}
+	if ilbGlobalAccess, ilbGAExists := ing.Annotations[annotations.ILBGlobalAccessKey]; ilbGAExists && ilbGlobalAccess == "true" {
+		return true
+	}
+	return false
+}
+
 // IsGCEL7XLBRegionalIngress returns true if the given Ingress has
 // ingress.class annotation set to "gce-regional-external"
 func IsGCEL7XLBRegionalIngress(ing *networkingv1.Ingress) bool {