The operator will currently add a port to a `Service` if there are certain health check load balancer annotations added to `Gateway` or `GatewayConfig` resources. This may be necessary for some cloud environments to create load balancers with working health checks, but in AWS the created network load balancers don't need an exposed TCP port for doing internal health checks against target groups. By adding the port on the `Service`, we end up with an NLB with an insecure HTTP endpoint exposed on our WebRTC ingestion point.
I would propose at least making the creation of the service port when health check annotations are found configurable.
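The following is an added example, not code from the operator or from the issue author: a small audit that, given a `LoadBalancer` Service manifest, reports any `spec.ports` entry that exists only to carry the AWS health check (and would therefore become an NLB listener), and produces a copy of the Service with that port removed. The annotation names are the real AWS Load Balancer Controller ones; the sample Service, its port numbers and port names are constructed for illustration and are assumptions about what the operator emits.

```python
import copy
from typing import Any, Dict, List, Optional

# Real AWS Load Balancer Controller annotation keys.
HC_PORT = "service.beta.kubernetes.io/aws-load-balancer-healthcheck-port"
HC_PROTO = "service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol"

# Constructed sample: a LoadBalancer Service shaped like the one the report
# describes, with the UDP TURN port plus an extra TCP health-check port.
# Names and numbers are assumptions for illustration, not operator output.
SAMPLE_SERVICE: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "stunner-gateway",
        "annotations": {
            "service.beta.kubernetes.io/aws-load-balancer-type": "external",
            HC_PROTO: "HTTP",
            HC_PORT: "8086",
        },
    },
    "spec": {
        "type": "LoadBalancer",
        "ports": [
            {"name": "udp-turn", "protocol": "UDP", "port": 3478, "targetPort": 3478},
            {"name": "gateway-health", "protocol": "TCP", "port": 8086, "targetPort": 8086},
        ],
    },
}


def health_check_port(svc: Dict[str, Any]) -> Optional[int]:
    """Numeric health-check port from the annotation.

    Returns None when the annotation is absent, non-numeric, or the AWS value
    "traffic-port" (health checks go to each target group's own port, so no
    separate port is involved).
    """
    annotations = (svc.get("metadata") or {}).get("annotations") or {}
    value = annotations.get(HC_PORT)
    if value is None or value == "traffic-port":
        return None
    try:
        return int(value)
    except ValueError:
        return None


def exposed_health_check_ports(svc: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Service ports that match the health-check annotation.

    Every spec.ports entry on a LoadBalancer Service becomes a listener on the
    NLB, so a port added only for health checks is reachable from whatever
    the load balancer's source ranges allow; that is the exposure the report
    is about.
    """
    if (svc.get("spec") or {}).get("type") != "LoadBalancer":
        return []
    hc = health_check_port(svc)
    if hc is None:
        return []
    return [p for p in svc["spec"].get("ports", []) if p.get("port") == hc]


def strip_health_check_ports(svc: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of svc without the listener-only health-check ports.

    The annotations are left in place; whether the target-group health check
    still reaches the pods once the Service port (and its NodePort) is gone
    depends on the target type, which is exactly the behaviour the report
    asks the operator to make configurable rather than assume.
    """
    hardened = copy.deepcopy(svc)
    removed = {p["port"] for p in exposed_health_check_ports(svc)}
    hardened["spec"]["ports"] = [
        p for p in hardened["spec"].get("ports", []) if p.get("port") not in removed
    ]
    return hardened


if __name__ == "__main__":
    for p in exposed_health_check_ports(SAMPLE_SERVICE):
        print(f"listener-only health-check port: {p['protocol']}/{p['port']} ({p.get('name')})")
    fixed = strip_health_check_ports(SAMPLE_SERVICE)
    print("ports left on the Service:", [p["port"] for p in fixed["spec"]["ports"]])
```

Run it against a live manifest with something like `kubectl get svc <name> -o json` piped into `json.load` in place of `SAMPLE_SERVICE`; a non-empty result from `exposed_health_check_ports` is the condition the issue describes.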