Feature Request: Configure AWS RAM Sharing for VPC Lattice Services via AWS Gateway API CRDs #729

@d-padmanabhan

Description

Currently, the AWS Gateway API Controller allows us to create and manage AWS VPC Lattice Services by defining Kubernetes HTTPRoute resources. However, a common requirement is to share these VPC Lattice Services with other AWS accounts (service consumers) using AWS Resource Access Manager (RAM). The current workflow requires manual intervention or separate automation after the VPC Lattice Service has been created by the controller:

  • Deploy the HTTPRoute.
  • Wait for the controller to reconcile and create the VPC Lattice Service in AWS.
  • Manually find the ARN of the created VPC Lattice Service from Console/API.
  • Manually create a RAM ResourceShare via the AWS Console, CLI, SDK, or another tool (like the ACK RAM Controller, which also requires the ARN upfront - see CRD reference).

This breaks the declarative Kubernetes workflow and introduces manual steps or complex external automation to bridge the gap between the Gateway API Controller creating the service and RAM sharing it.

It would be highly beneficial if we could configure the RAM sharing directly within the Kubernetes resources managed by the AWS Gateway API Controller. This could potentially be implemented via:

  • Annotations: Adding specific annotations to the HTTPRoute resource (or perhaps the parent Gateway resource) to specify the target principals (AWS Account IDs, Org IDs, OU IDs) and optionally the RAM managed permission ARN to associate.
    • Example annotation: application-networking.k8s.aws/ram-share-principals: "111122223333,arn:aws:organizations::123456789012:organization/o-xxxxxxxxxx"
    • Example annotation: application-networking.k8s.aws/ram-share-permission-arn: "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionVpcLatticeService" (or default if omitted)
  • Spec Fields: Adding dedicated fields within the HTTPRouteSpec (or GatewaySpec) to configure RAM sharing details.

The controller would then be responsible for:

  • Creating the VPC Lattice Service based on the HTTPRoute.
  • Creating/managing the corresponding RAM ResourceShare based on the annotations/spec fields, using the ARN of the service it just created.

Alternatives we've considered:

  • Manual Configuration: Using AWS Console/CLI/SDK after the service is created (current workaround, not ideal).
  • ACK RAM Controller: Requires knowing the ARN beforehand, which isn't available declaratively when the HTTPRoute is defined.
  • Custom Controller: Building a separate controller to watch HTTPRoute resources, find the ARN, and manage the RAM share (complex).
  • Sharing the Service Network: Sharing the parent ServiceNetwork via RAM is possible, but doesn't provide granular control over sharing individual services derived from HTTPRoutes.

Additional context

Integrating RAM share configuration directly into the Gateway API Controller's workflow would significantly streamline the process of exposing services managed via Kubernetes to consumers in other accounts using VPC Lattice, keeping the management within the Kubernetes declarative model.

Thank you for considering this feature request.
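As an added example (not code from the issue author or from the controller project), here is how a controller could parse and validate the annotations proposed above before it ever calls RAM. The annotation keys and the default permission ARN are the ones proposed in the issue; the validation rules, the RAMShareSpec and ResourceShareInput types, the BuildResourceShareInput helper, the resource-share naming and the sample ARNs are assumptions made for this example. The security point is that the principals list is the authorization boundary for the shared service, so malformed or unexpected entries (a wildcard, an IAM ARN, a typo) are rejected instead of being forwarded to RAM, and allowExternalPrincipals is granted only when bare account IDs are named.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Annotation keys and default permission as proposed in the issue.
// These are not implemented by the controller today.
const (
	PrincipalsAnnotation    = "application-networking.k8s.aws/ram-share-principals"
	PermissionArnAnnotation = "application-networking.k8s.aws/ram-share-permission-arn"
	DefaultPermissionArn    = "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionVpcLatticeService"
)

// Principal shapes the issue asks for: a 12-digit account ID, an organization ARN
// or an organizational-unit ARN. Anything else (IAM ARNs, "*", typos) is rejected
// rather than forwarded to RAM, because this list is the authorization boundary.
// The patterns are assumptions for this example.
var (
	accountIDRe = regexp.MustCompile(`^\d{12}$`)
	orgArnRe    = regexp.MustCompile(`^arn:aws:organizations::\d{12}:organization/o-[a-z0-9]{10,32}$`)
	ouArnRe     = regexp.MustCompile(`^arn:aws:organizations::\d{12}:ou/o-[a-z0-9]{10,32}/ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$`)
	permArnRe   = regexp.MustCompile(`^arn:aws:ram::(aws|\d{12}):permission/[A-Za-z0-9_.-]+$`)
)

// RAMShareSpec is the validated sharing intent read from one HTTPRoute.
type RAMShareSpec struct {
	Principals    []string
	PermissionArn string
}

// ParseRAMShareAnnotations returns (nil, nil) when the route carries no sharing
// annotation, a spec when the annotations are well formed, and an error otherwise.
func ParseRAMShareAnnotations(annotations map[string]string) (*RAMShareSpec, error) {
	raw, ok := annotations[PrincipalsAnnotation]
	if !ok {
		return nil, nil
	}
	var principals []string
	seen := map[string]bool{}
	for _, p := range strings.Split(raw, ",") {
		p = strings.TrimSpace(p)
		if p == "" {
			continue
		}
		if !accountIDRe.MatchString(p) && !orgArnRe.MatchString(p) && !ouArnRe.MatchString(p) {
			return nil, fmt.Errorf("%s: unsupported principal %q (want a 12-digit account ID, organization ARN or OU ARN)", PrincipalsAnnotation, p)
		}
		if !seen[p] { // drop duplicates so RAM is not asked to associate the same principal twice
			seen[p] = true
			principals = append(principals, p)
		}
	}
	if len(principals) == 0 {
		return nil, fmt.Errorf("%s: no principals listed", PrincipalsAnnotation)
	}
	perm := DefaultPermissionArn
	if v, ok := annotations[PermissionArnAnnotation]; ok {
		v = strings.TrimSpace(v)
		if !permArnRe.MatchString(v) {
			return nil, fmt.Errorf("%s: %q is not a RAM permission ARN", PermissionArnAnnotation, v)
		}
		perm = v
	}
	return &RAMShareSpec{Principals: principals, PermissionArn: perm}, nil
}

// ResourceShareInput mirrors the fields of RAM's CreateResourceShare call
// (name, resourceArns, principals, permissionArns, allowExternalPrincipals).
// It is a plain struct here so the example runs without the AWS SDK.
type ResourceShareInput struct {
	Name                    string
	ResourceArns            []string
	Principals              []string
	PermissionArns          []string
	AllowExternalPrincipals bool
}

// BuildResourceShareInput is what the controller would assemble once it knows the
// ARN of the VPC Lattice Service it created for the route. With
// AllowExternalPrincipals false, RAM refuses to associate accounts outside the
// sharer's organization, so the flag is raised only when bare account IDs (which
// may be external) are named; org and OU ARNs never need it.
func BuildResourceShareInput(serviceArn, routeName string, spec *RAMShareSpec) ResourceShareInput {
	external := false
	for _, p := range spec.Principals {
		if accountIDRe.MatchString(p) {
			external = true
		}
	}
	return ResourceShareInput{
		Name:                    "k8s-httproute-" + routeName, // assumed naming convention
		ResourceArns:            []string{serviceArn},
		Principals:              spec.Principals,
		PermissionArns:          []string{spec.PermissionArn},
		AllowExternalPrincipals: external,
	}
}

func main() {
	// Constructed sample: the annotation value from the issue on a route named "orders".
	spec, err := ParseRAMShareAnnotations(map[string]string{
		PrincipalsAnnotation: "111122223333,arn:aws:organizations::123456789012:organization/o-xxxxxxxxxx",
	})
	if err != nil {
		panic(err)
	}
	// Constructed placeholder for the service ARN the controller would read back after reconcile.
	in := BuildResourceShareInput("arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-0123456789abcdef0", "orders", spec)
	fmt.Printf("%+v\n", in)
	if _, err := ParseRAMShareAnnotations(map[string]string{PrincipalsAnnotation: "*"}); err != nil {
		fmt.Println("rejected:", err) // a wildcard must never reach RAM
	}
}
```

Running the file prints the assembled input for the issue's example annotation and then the wildcard rejection. A real controller would hand the struct to the RAM SDK's CreateResourceShare and re-reconcile the share whenever the annotation changes, including removing the share when the annotation or the HTTPRoute is deleted, so that access never outlives the declared intent.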
