Initial changes and unit tests

Ryan Lymburner · Ryan Lymburner · commit 49d56fddbe48 · 2025-05-27T13:52:15.000-07:00
diff --git a/config/crds/bases/application-networking.k8s.aws_serviceexports.yaml b/config/crds/bases/application-networking.k8s.aws_serviceexports.yaml
@@ -38,6 +38,37 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: spec defines the desired state of ServiceExport
+            properties:
+              exportedPorts:
+                description: |-
+                  exportedPorts defines which ports of the service should be exported and what route types they should be used with.
+                  If not specified, the controller will use the port from the annotation "application-networking.k8s.aws/port"
+                  and create HTTP target groups for backward compatibility.
+                items:
+                  description: ExportedPort defines a port to be exported and the
+                    route type it should be used with
+                  properties:
+                    port:
+                      description: port is the port number to export
+                      format: int32
+                      type: integer
+                    routeType:
+                      description: |-
+                        routeType is the type of route this port should be used with
+                        Valid values are "HTTP", "GRPC", "TLS"
+                      enum:
+                      - HTTP
+                      - GRPC
+                      - TLS
+                      type: string
+                  required:
+                  - port
+                  - routeType
+                  type: object
+                type: array
+            type: object
           status:
             description: |-
               status describes the current state of an exported service.
diff --git a/docs/api-types/service-export.md b/docs/api-types/service-export.md
@@ -12,21 +12,34 @@ for example, using target groups in the VPC Lattice setup outside Kubernetes.
 Note that ServiceExport is not the implementation of Kubernetes [Multicluster Service APIs](https://multicluster.sigs.k8s.io/concepts/multicluster-services-api/);
 instead AWS Gateway API Controller uses its own version of the resource for the purpose of Gateway API integration.
 
-
-### Limitations
-* The exported Service can only be used in HTTPRoutes. GRPCRoute is currently not supported.
-* Limited to one ServiceExport per Service. If you need multiple exports representing each port,
-  you should create multiple Service-ServiceExport pairs.
-
-### Annotations
+### Annotations (Legacy Method)
 
 * `application-networking.k8s.aws/port`  
   Represents which port of the exported Service will be used.
   When a comma-separated list of ports is provided, the traffic will be distributed to all ports in the list.
+  
+  **Note:** This annotation is supported for backward compatibility. For new deployments, it's recommended to use the `spec.exportedPorts` field instead.
+
+## Spec Fields
+
+### exportedPorts
+
+The `exportedPorts` field allows you to explicitly define which ports of the service should be exported and what route types they should be used with. This is useful when you have a service with multiple ports serving different protocols.
 
-## Example Configuration
+Each exported port has the following fields:
+* `port`: The port number to export
+* `routeType`: The type of route this port should be used with. Valid values are:
+  * `HTTP`: For HTTP traffic
+  * `GRPC`: For gRPC traffic
+  * `TLS`: For TLS traffic
 
-The following yaml will create a ServiceExport for a Service named `service-1`:
+If `exportedPorts` is not specified, the controller will use the port from the annotation "application-networking.k8s.aws/port" and create HTTP target groups for backward compatibility.
+
+## Example Configurations
+
+### Legacy Configuration (Using Annotations)
+
+The following yaml will create a ServiceExport for a Service named `service-1` using the legacy annotation method:
 ```yaml
 apiVersion: application-networking.k8s.aws/v1alpha1
 kind: ServiceExport
@@ -36,3 +49,23 @@ metadata:
     application-networking.k8s.aws/port: "9200"
 spec: {}
 ```
+
+### Using exportedPorts
+
+The following yaml will create a ServiceExport for a Service named `service-1` with multiple ports for different route types:
+```yaml
+apiVersion: application-networking.k8s.aws/v1alpha1
+kind: ServiceExport
+metadata:
+  name: service-1
+spec:
+  exportedPorts:
+  - port: 80
+    routeType: HTTP
+  - port: 8081
+    routeType: GRPC
+```
+
+This configuration will:
+1. Export port 80 to be used with HTTP routes
+2. Export port 8081 to be used with gRPC routes
diff --git a/files/examples/inventory-ver2-export.yaml b/files/examples/inventory-ver2-export.yaml
@@ -4,3 +4,7 @@ metadata:
   name: inventory-ver2
   annotations:
     application-networking.k8s.aws/federation: "amazon-vpc-lattice"
+spec:
+  exportedPorts:
+  - port: 80
+    routeType: HTTP
diff --git a/files/examples/multi-protocol-service-export.yaml b/files/examples/multi-protocol-service-export.yaml
@@ -0,0 +1,14 @@
+apiVersion: application-networking.k8s.aws/v1alpha1
+kind: ServiceExport
+metadata:
+  name: multi-protocol-service
+  annotations:
+    application-networking.k8s.aws/federation: "amazon-vpc-lattice"
+spec:
+  exportedPorts:
+  - port: 80
+    routeType: HTTP
+  - port: 8081
+    routeType: GRPC
+  - port: 443
+    routeType: TLS
diff --git a/files/examples/service-1-export.yaml b/files/examples/service-1-export.yaml
@@ -4,3 +4,7 @@ metadata:
   name: service-1
   annotations:
     application-networking.k8s.aws/federation: "amazon-vpc-lattice"
+spec:
+  exportedPorts:
+  - port: 80
+    routeType: HTTP
diff --git a/files/examples/service-2-export.yaml b/files/examples/service-2-export.yaml
@@ -4,3 +4,7 @@ metadata:
   name: service-2
   annotations:
     application-networking.k8s.aws/federation: "amazon-vpc-lattice"
+spec:
+  exportedPorts:
+  - port: 80
+    routeType: HTTP
diff --git a/files/examples/tls-rate2-export.yaml b/files/examples/tls-rate2-export.yaml
@@ -3,4 +3,8 @@ kind: ServiceExport
 metadata:
   name: tls-rate2
   annotations:
-    application-networking.k8s.aws/federation: "amazon-vpc-lattice"
+    application-networking.k8s.aws/federation: "amazon-vpc-lattice"
+spec:
+  exportedPorts:
+  - port: 443
+    routeType: TLS
diff --git a/helm/crds/application-networking.k8s.aws_serviceexports.yaml b/helm/crds/application-networking.k8s.aws_serviceexports.yaml
@@ -38,6 +38,37 @@ spec:
             type: string
           metadata:
             type: object
+          spec:
+            description: spec defines the desired state of ServiceExport
+            properties:
+              exportedPorts:
+                description: |-
+                  exportedPorts defines which ports of the service should be exported and what route types they should be used with.
+                  If not specified, the controller will use the port from the annotation "application-networking.k8s.aws/port"
+                  and create HTTP target groups for backward compatibility.
+                items:
+                  description: ExportedPort defines a port to be exported and the
+                    route type it should be used with
+                  properties:
+                    port:
+                      description: port is the port number to export
+                      format: int32
+                      type: integer
+                    routeType:
+                      description: |-
+                        routeType is the type of route this port should be used with
+                        Valid values are "HTTP", "GRPC", "TLS"
+                      enum:
+                      - HTTP
+                      - GRPC
+                      - TLS
+                      type: string
+                  required:
+                  - port
+                  - routeType
+                  type: object
+                type: array
+            type: object
           status:
             description: |-
               status describes the current state of an exported service.
diff --git a/pkg/apis/applicationnetworking/v1alpha1/serviceexport_types.go b/pkg/apis/applicationnetworking/v1alpha1/serviceexport_types.go
@@ -30,6 +30,9 @@ type ServiceExport struct {
 	apimachineryv1.TypeMeta `json:",inline"`
 	// +optional
 	apimachineryv1.ObjectMeta `json:"metadata,omitempty"`
+	// spec defines the desired state of ServiceExport
+	// +optional
+	Spec ServiceExportSpec `json:"spec,omitempty"`
 	// status describes the current state of an exported service.
 	// Service configuration comes from the Service that had the same
 	// name and namespace as this ServiceExport.
@@ -38,6 +41,25 @@ type ServiceExport struct {
 	Status ServiceExportStatus `json:"status,omitempty"`
 }
 
+// ServiceExportSpec defines the desired state of ServiceExport
+type ServiceExportSpec struct {
+	// exportedPorts defines which ports of the service should be exported and what route types they should be used with.
+	// If not specified, the controller will use the port from the annotation "application-networking.k8s.aws/port"
+	// and create HTTP target groups for backward compatibility.
+	// +optional
+	ExportedPorts []ExportedPort `json:"exportedPorts,omitempty"`
+}
+
+// ExportedPort defines a port to be exported and the route type it should be used with
+type ExportedPort struct {
+	// port is the port number to export
+	Port int32 `json:"port"`
+	// routeType is the type of route this port should be used with
+	// Valid values are "HTTP", "GRPC", "TLS"
+	// +kubebuilder:validation:Enum=HTTP;GRPC;TLS
+	RouteType string `json:"routeType"`
+}
+
 // ServiceExportStatus contains the current status of an export.
 type ServiceExportStatus struct {
 	// +optional
diff --git a/pkg/gateway/model_build_targetgroup.go b/pkg/gateway/model_build_targetgroup.go
@@ -98,10 +98,40 @@ func (b *SvcExportTargetGroupBuilder) BuildTargetGroup(ctx context.Context, svcE
 		tgp:           policy.NewTargetGroupPolicyHandler(b.log, b.client),
 	}
 
+	// If exportedPorts is defined, we need to handle it differently
+	// For now, we'll just return the first target group for backward compatibility
+	// This is used for reconciliation of existing target groups
+	if len(svcExport.Spec.ExportedPorts) > 0 {
+		return task.buildTargetGroupForExportedPort(ctx, svcExport.Spec.ExportedPorts[0])
+	}
+
 	return task.buildTargetGroup(ctx)
 }
 
 func (t *svcExportTargetGroupModelBuildTask) run(ctx context.Context) error {
+	// Check if we have exportedPorts defined in the spec
+	if len(t.serviceExport.Spec.ExportedPorts) > 0 {
+		// Create target groups for each exported port
+		for _, exportedPort := range t.serviceExport.Spec.ExportedPorts {
+			tg, err := t.buildTargetGroupForExportedPort(ctx, exportedPort)
+			if err != nil {
+				return fmt.Errorf("failed to build target group for service export %s-%s port %d due to %w",
+					t.serviceExport.Name, t.serviceExport.Namespace, exportedPort.Port, err)
+			}
+
+			if !tg.IsDeleted {
+				err = t.buildTargetsForPort(ctx, tg.ID(), exportedPort.Port)
+				if err != nil {
+					t.log.Debugf(ctx, "Failed to build targets for service export %s-%s port %d due to %s",
+						t.serviceExport.Name, t.serviceExport.Namespace, exportedPort.Port, err)
+					return err
+				}
+			}
+		}
+		return nil
+	}
+
+	// Fall back to legacy behavior if no exportedPorts are defined
 	tg, err := t.buildTargetGroup(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to build target group for service export %s-%s due to %w",
@@ -129,6 +159,106 @@ func (t *svcExportTargetGroupModelBuildTask) buildTargets(ctx context.Context, s
 	return nil
 }
 
+func (t *svcExportTargetGroupModelBuildTask) buildTargetGroupForExportedPort(ctx context.Context, exportedPort anv1alpha1.ExportedPort) (*model.TargetGroup, error) {
+	svc := &corev1.Service{}
+	noSvcFoundAndDeleting := false
+	if err := t.client.Get(ctx, k8s.NamespacedName(t.serviceExport), svc); err != nil {
+		if apierrors.IsNotFound(err) && !t.serviceExport.DeletionTimestamp.IsZero() {
+			// if we're deleting, it's OK if the service isn't there
+			noSvcFoundAndDeleting = true
+		} else { // either it's some other error or we aren't deleting
+			return nil, fmt.Errorf("failed to find corresponding k8sService %s, error :%w ",
+				k8s.NamespacedName(t.serviceExport), err)
+		}
+	}
+
+	var ipAddressType string
+	var err error
+	if noSvcFoundAndDeleting {
+		ipAddressType = "IPV4" // just pick a default
+	} else {
+		ipAddressType, err = buildTargetGroupIpAddressType(svc)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	tgp, err := t.tgp.ObjResolvedPolicy(ctx, t.serviceExport)
+	if err != nil {
+		return nil, err
+	}
+
+	// Get health check config from policy
+	_, _, healthCheckConfig, err := parseTargetGroupConfig(tgp)
+	if err != nil {
+		return nil, err
+	}
+
+	// Set protocol and protocolVersion based on routeType
+	var protocol, protocolVersion string
+	switch exportedPort.RouteType {
+	case "HTTP":
+		protocol = vpclattice.TargetGroupProtocolHttp
+		protocolVersion = vpclattice.TargetGroupProtocolVersionHttp1
+	case "GRPC":
+		protocol = vpclattice.TargetGroupProtocolHttp
+		protocolVersion = vpclattice.TargetGroupProtocolVersionGrpc
+	case "TLS":
+		protocol = vpclattice.TargetGroupProtocolTcp
+		protocolVersion = ""
+	default:
+		return nil, fmt.Errorf("unsupported route type: %s", exportedPort.RouteType)
+	}
+
+	spec := model.TargetGroupSpec{
+		Type:              model.TargetGroupTypeIP,
+		Port:              exportedPort.Port,
+		Protocol:          protocol,
+		ProtocolVersion:   protocolVersion,
+		IpAddressType:     ipAddressType,
+		HealthCheckConfig: healthCheckConfig,
+	}
+	spec.VpcId = config.VpcID
+	spec.K8SSourceType = model.SourceTypeSvcExport
+	spec.K8SClusterName = config.ClusterName
+	spec.K8SServiceName = t.serviceExport.Name
+	spec.K8SServiceNamespace = t.serviceExport.Namespace
+	spec.K8SProtocolVersion = protocolVersion
+
+	// Add a tag for the route type to help with identification
+	// This is not used by the controller but can be helpful for debugging
+	if exportedPort.RouteType != "" {
+		spec.K8SProtocolVersion = exportedPort.RouteType
+	}
+
+	stackTG, err := model.NewTargetGroup(t.stack, spec)
+	if err != nil {
+		return nil, err
+	}
+
+	stackTG.IsDeleted = !t.serviceExport.DeletionTimestamp.IsZero()
+	return stackTG, nil
+}
+
+func (t *svcExportTargetGroupModelBuildTask) buildTargetsForPort(ctx context.Context, stackTgId string, port int32) error {
+	// This is similar to buildTargets but filters endpoints by the specified port
+	targetsBuilder := NewTargetsBuilder(t.log, t.client, t.stack)
+
+	// We need to create a modified ServiceExport with the port annotation set to the specific port
+	// This is a bit of a hack, but it allows us to reuse the existing BuildForServiceExport method
+	modifiedServiceExport := t.serviceExport.DeepCopy()
+	if modifiedServiceExport.Annotations == nil {
+		modifiedServiceExport.Annotations = make(map[string]string)
+	}
+	modifiedServiceExport.Annotations[portAnnotationsKey] = fmt.Sprintf("%d", port)
+
+	_, err := targetsBuilder.BuildForServiceExport(ctx, modifiedServiceExport, stackTgId)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func (t *svcExportTargetGroupModelBuildTask) buildTargetGroup(ctx context.Context) (*model.TargetGroup, error) {
 	svc := &corev1.Service{}
 	noSvcFoundAndDeleting := false
diff --git a/pkg/gateway/model_build_targetgroup_test.go b/pkg/gateway/model_build_targetgroup_test.go
