Describe the bug
When using ServiceExport with the exportedPorts field, TargetGroupPolicy protocol and protocolVersion settings are ignored. The target group is created using only the default protocol inferred from the routeType field, preventing users from configuring HTTPS or other non-default protocols for their exported services.
To Reproduce
Steps to reproduce the behavior:
1. Create a Kubernetes Service:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: default
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: my-app
```

2. Create a ServiceExport with exportedPorts specifying HTTP routeType:

```yaml
apiVersion: application-networking.k8s.aws/v1alpha1
kind: ServiceExport
metadata:
  name: my-service
  namespace: default
  annotations:
    application-networking.k8s.aws/federation: "amazon-vpc-lattice"
spec:
  exportedPorts:
  - port: 80
    routeType: HTTP
```

3. Apply a TargetGroupPolicy to override the protocol to HTTPS:

```yaml
apiVersion: application-networking.k8s.aws/v1alpha1
kind: TargetGroupPolicy
metadata:
  name: https-override
  namespace: default
spec:
  targetRef:
    group: "application-networking.k8s.aws"
    kind: ServiceExport
    name: my-service
  protocol: HTTPS
  protocolVersion: HTTP2
  healthCheck:
    enabled: true
    path: "/health"
    protocol: HTTPS
    protocolVersion: HTTP2
```

4. Check the created VPC Lattice target group configuration:

```bash
# Get target group details
aws vpc-lattice list-target-groups --query 'items[?contains(name, `my-service`)]'
aws vpc-lattice get-target-group --target-group-identifier <tg-id>
```

5. Observe that the target group uses HTTP/HTTP1 protocol instead of HTTPS/HTTP2.
Expected behavior
The VPC Lattice target group should be created with the protocol and protocolVersion specified in the TargetGroupPolicy (HTTPS/HTTP2), not the default protocol inferred from the ServiceExport routeType (HTTP/HTTP1).
The TargetGroupPolicy should override the default protocol settings, allowing users to:
- Configure HTTPS for secure communication between VPC Lattice and backend pods
- Use HTTP2 or GRPC protocol versions
- Apply custom protocol configurations regardless of the routeType
Actual behavior
The target group is created with:
- Protocol: HTTP (from routeType)
- ProtocolVersion: HTTP1 (default)
The TargetGroupPolicy protocol and protocolVersion settings are completely ignored.
Impact
This bug prevents users from:
- Enabling HTTPS communication between VPC Lattice and backend services
- Using advanced protocol features like HTTP2 or GRPC
Root Cause
The buildTargetGroupForExportedPort method in pkg/gateway/model_build_targetgroup.go was only extracting health check configuration from the TargetGroupPolicy but not parsing or applying the protocol and protocolVersion fields.
The method would:
- Determine default protocol from routeType (HTTP → HTTP/HTTP1, GRPC → HTTP/GRPC, TLS → TCP)
- Retrieve TargetGroupPolicy if present
- Extract ONLY health check config from the policy
- Create target group spec with default protocol (ignoring policy protocol settings)
Testing Requirements
Unit tests should cover:
- HTTPS protocol override with HTTP2
- HTTP1 protocol version override
- Backward compatibility (no policy applied)
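To make the root cause and the unit-test cases concrete, here is an added Go example. It is not the controller's own code: the struct names, the function names and the validation rule for which protocol/protocolVersion combinations VPC Lattice accepts are assumptions. It places the default-only logic described under Root Cause beside a corrected version that applies the TargetGroupPolicy override, and its `main` runs the HTTPS/HTTP2 case from the reproduction steps.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the controller's own types (assumption: the real
// structs in pkg/gateway have different names and more fields).
type ExportedPort struct {
	Port      int32
	RouteType string // HTTP, GRPC or TLS, as declared on the ServiceExport
}

type TargetGroupPolicySpec struct {
	Protocol        *string // e.g. "HTTPS"; nil means the policy does not set it
	ProtocolVersion *string // e.g. "HTTP2"; nil means the policy does not set it
}

type TargetGroupSpec struct {
	Port            int32
	Protocol        string
	ProtocolVersion string
}

// defaultProtocolForRouteType implements the routeType mapping the issue describes:
// HTTP -> HTTP/HTTP1, GRPC -> HTTP/GRPC, TLS -> TCP (no application-layer version).
func defaultProtocolForRouteType(routeType string) (protocol, version string, err error) {
	switch strings.ToUpper(routeType) {
	case "HTTP":
		return "HTTP", "HTTP1", nil
	case "GRPC":
		return "HTTP", "GRPC", nil
	case "TLS":
		return "TCP", "", nil
	default:
		return "", "", fmt.Errorf("unsupported routeType %q", routeType)
	}
}

// buildSpecIgnoringPolicy reproduces the reported bug: the policy is passed in
// but never consulted, so only the routeType default reaches the spec.
func buildSpecIgnoringPolicy(ep ExportedPort, _ *TargetGroupPolicySpec) (TargetGroupSpec, error) {
	proto, ver, err := defaultProtocolForRouteType(ep.RouteType)
	if err != nil {
		return TargetGroupSpec{}, err
	}
	return TargetGroupSpec{Port: ep.Port, Protocol: proto, ProtocolVersion: ver}, nil
}

// buildSpecWithPolicy is the corrected logic: start from the routeType default,
// let an attached TargetGroupPolicy override protocol and/or protocolVersion,
// then reject combinations the target group API would not accept.
func buildSpecWithPolicy(ep ExportedPort, policy *TargetGroupPolicySpec) (TargetGroupSpec, error) {
	spec, err := buildSpecIgnoringPolicy(ep, nil)
	if err != nil {
		return TargetGroupSpec{}, err
	}
	if policy != nil {
		if policy.Protocol != nil {
			spec.Protocol = strings.ToUpper(*policy.Protocol)
		}
		if policy.ProtocolVersion != nil {
			spec.ProtocolVersion = strings.ToUpper(*policy.ProtocolVersion)
		}
	}
	if err := validateSpec(spec); err != nil {
		return TargetGroupSpec{}, err
	}
	return spec, nil
}

// validateSpec encodes the assumed rule set: HTTP/HTTPS need HTTP1, HTTP2 or GRPC;
// TCP takes no protocolVersion. Failing here is better than a rejected AWS call.
func validateSpec(spec TargetGroupSpec) error {
	switch spec.Protocol {
	case "HTTP", "HTTPS":
		switch spec.ProtocolVersion {
		case "HTTP1", "HTTP2", "GRPC":
			return nil
		}
		return fmt.Errorf("protocol %s requires protocolVersion HTTP1, HTTP2 or GRPC, got %q", spec.Protocol, spec.ProtocolVersion)
	case "TCP":
		if spec.ProtocolVersion != "" {
			return fmt.Errorf("protocol TCP does not take a protocolVersion, got %q", spec.ProtocolVersion)
		}
		return nil
	}
	return fmt.Errorf("unsupported protocol %q", spec.Protocol)
}

func strPtr(s string) *string { return &s }

func main() {
	// The reproduction from the issue: HTTP routeType, policy asks for HTTPS/HTTP2.
	ep := ExportedPort{Port: 80, RouteType: "HTTP"}
	policy := &TargetGroupPolicySpec{Protocol: strPtr("HTTPS"), ProtocolVersion: strPtr("HTTP2")}
	buggy, _ := buildSpecIgnoringPolicy(ep, policy)
	fixed, _ := buildSpecWithPolicy(ep, policy)
	fmt.Printf("buggy: %s/%s  fixed: %s/%s\n", buggy.Protocol, buggy.ProtocolVersion, fixed.Protocol, fixed.ProtocolVersion)
}
```

A policy that switches a TLS-derived TCP target group to HTTPS must also set a protocolVersion, otherwise `validateSpec` rejects the spec; surfacing that at reconciliation time is deliberate, since a silently dropped override is exactly what this issue reports.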
Integration tests should verify:
- Target groups are created with correct protocol from TargetGroupPolicy
- Protocol overrides work across ServiceExport recreation
- Health check configuration is also applied correctly