Is your feature request related to a problem?
The ACK ELBv2 TargetGroup CRD does not expose the proxy_protocol_v2.enabled Target Group Attribute. This attribute is available in the AWS API via ModifyTargetGroupAttributes but has no corresponding field in the TargetGroup CRD spec.
This impacts mesh gateways (e.g., Istio, Envoy, AWS App Mesh) that rely on Proxy Protocol v2 to pass client IP information through NLBs to backend mesh gateway pods. Without this field, the mesh gateway sees the NLB's IP instead of the original client IP, breaking:
- IP-based access controls
- Rate limiting per client
- TLS certificate validation (SNI)
- Security policies
Describe the solution you'd like
Add support for target group attributes (specifically proxy_protocol_v2.enabled) in the TargetGroup CRD spec. This could be implemented as either a generic attributes field or a dedicated spec field:
Option A — Generic attributes field:
```yaml
apiVersion: elbv2.services.k8s.aws/v1alpha1
kind: TargetGroup
metadata:
  name: mesh-gateway-tg
spec:
  name: mesh-gateway-tg
  protocol: TCP
  port: 15001
  vpcID: vpc-0123456789abcdef
  targetType: ip
  attributes:
    - key: proxy_protocol_v2.enabled
      value: "true"
```
Option B — Dedicated field:
```yaml
spec:
  proxyProtocolV2Enabled: true
```
Describe alternatives you've considered
Currently we have to manually call ModifyTargetGroupAttributes outside of ACK after resource creation. This breaks the declarative management model and may be reverted by ACK reconciliation on the next sync cycle.
AWS API Reference:
- ModifyTargetGroupAttributes
- proxy_protocol_v2.enabled (Boolean)
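Added example, not part of the original issue or of ACK's code: a minimal parser for the Proxy Protocol v2 header that a load balancer prepends to each TCP connection when `proxy_protocol_v2.enabled` is true, showing where a backend recovers the client address that IP-based controls depend on. The function names and the sample addresses are constructed for illustration; only port 15001 comes from the issue.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte v2 signature
ADDR_LEN = {0x1: 4, 0x2: 16}  # address-family nibble -> bytes per address


def parse_proxy_v2(data: bytes):
    """Return (client, payload_offset); client is (ip, port) or None.

    None means the header carries no client address (LOCAL command, such as
    a load balancer health check, or an unspecified address family), so the
    caller must not treat the socket peer as an end client.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        # Without the header the only address available is the socket peer,
        # which is the load balancer, not the client.
        raise ValueError("no PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F not in (0, 1):
        raise ValueError("unsupported PROXY version or command")
    end = 16 + length  # application payload (e.g. a TLS ClientHello) starts here
    if len(data) < end:
        raise ValueError("truncated PROXY v2 header")
    family = fam_proto >> 4
    if ver_cmd & 0x0F == 0 or family not in ADDR_LEN:
        return None, end
    alen = ADDR_LEN[family]
    if length < 2 * alen + 4:
        raise ValueError("address block shorter than the family requires")
    body = data[16:end]
    src_ip = ipaddress.ip_address(body[:alen])  # source address comes first
    (src_port,) = struct.unpack("!H", body[2 * alen:2 * alen + 2])
    return (str(src_ip), src_port), end


def sample_stream() -> bytes:
    """Constructed input: 203.0.113.7:51234 -> 10.0.1.20:15001, then payload."""
    addrs = (ipaddress.ip_address("203.0.113.7").packed
             + ipaddress.ip_address("10.0.1.20").packed
             + struct.pack("!HH", 51234, 15001))
    header = PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs))
    return header + addrs + b"\x16\x03\x01"  # first bytes of a TLS record


if __name__ == "__main__":
    print(parse_proxy_v2(sample_stream()))
```

A listener that expects this header should accept it only from the load balancer's addresses, since any peer that can reach the port directly could otherwise supply its own source address.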