Bug Description
LBC is trying to re-create target groups when TargetGroupConfiguration defaultConfiguration is updated when using Gateway API (L7, multiple HTTP and GRPC routes)
Steps to Reproduce
- Provision GTW with multiple HTTP and GRPC routes and use `TargetGroupConfiguration`

```yaml
apiVersion: gateway.k8s.aws/v1beta1
kind: TargetGroupConfiguration
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: bar-foo-app-ingest:gateway.k8s.aws/TargetGroupConfiguration:foo-app/foo-app-ingest
  labels:
    app: foo-app-ingest
    app.kubernetes.io/instance: foo-app-ingest
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: foo-app
    app.kubernetes.io/version: 0.1.0
    cloud: aws
    env: stage
    helm.sh/chart: foo-app-0.1.0
    region: us-east-2
  name: foo-app-ingest
  namespace: foo-app
spec:
  defaultConfiguration:
    healthCheckConfig:
      healthCheckPath: /readyz
      healthCheckPort: "8080"
      healthCheckProtocol: HTTP
    protocol: HTTPS
    targetGroupAttributes:
    - key: deregistration_delay.timeout_seconds
      value: "30"
    targetType: ip
  targetReference:
    group: ""
    kind: Service
    name: foo-app-ingest
```

- Change `spec.defaultConfiguration.healthCheckConfig.healthCheckProtocol`
- Observe the LBC logs or GTW events.
Expected Behavior
Target Group params are updated
Actual Behavior
An error is thrown; apparently, LBC is trying to re-create the target group:
Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: 09b8a56d-e39f-4a86-888f-fbd55929e8cd, DuplicateTargetGroupName: A target group with the same name 'k8s-foo-fooin-19ad0c01af' exists, but with different settings
Environment
- AWS Load Balancer controller version: v3.3.0
- Kubernetes version: 1.35
- Using EKS (yes/no), if so version?: 1.35
- Using Service or Ingress: Gateway API
- AWS region: us-east-2
- How was the aws-load-balancer-controller installed:
  - If helm was used then please show output of `helm ls -A | grep -i aws-load-balancer-controller`

```
aws-lb-controller aws-lb-controller 2 2026-05-13 16:54:28.778804 +0300 EEST deployed aws-load-balancer-controller-3.3.0 v3.3.0
```

  - If helm was used then please show output of `helm -n <controllernamespace> get values <helmreleasename>`
```yaml
USER-SUPPLIED VALUES:
additionalLabels:
  foo: bar
affinity:
  nodeAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
    - preference:
        matchExpressions:
        - key: eks.amazonaws.com/compute-type
          operator: NotIn
          values:
          - fargate
          - auto
          - hybrid
      weight: 1
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: k8s.companyname.io/role
          operator: In
          values:
          - sys
        - key: kubernetes.io/arch
          operator: In
          values:
          - arm64
        - key: karpenter.k8s.aws/instance-family
          operator: In
          values:
          - t4g
        - key: karpenter.k8s.aws/instance-cpu
          operator: In
          values:
          - "2"
          - "4"
autoscaling:
  enabled: true
  maxReplicas: 2
  minReplicas: 1
certManager:
  duration: 8760h0m0s
  issuerRef:
    kind: ClusterIssuer
    name: foo-incluster
  renewBefore: 720h0m0s
clusterName: main-a
defaultLoadBalancerScheme: internal
defaultSSLPolicy: ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09
defaultTags:
  foo: bar
defaultTargetType: ip
deploymentAnnotations:
  resource.opentelemetry.io/cloud.platform: aws_eks
  resource.opentelemetry.io/cloud.provider: aws
  resource.opentelemetry.io/cloud.region: us-east-2
  resource.opentelemetry.io/deployment.environment.name: stage
  resource.opentelemetry.io/service.namespace: aws-lb-controller
  resource.opentelemetry.io/service.version: 3.2.1
disableIngressClassAnnotation: true
enableCertManager: true
enableEndpointSlices: true
enableServiceMutatorWebhook: false
externalManagedTags:
- app
fullnameOverride: aws-lb-controller
ingressClassParams:
  create: false
podAnnotations:
  resource.opentelemetry.io/cloud.platform: aws_eks
  resource.opentelemetry.io/cloud.provider: aws
  resource.opentelemetry.io/cloud.region: us-east-2
  resource.opentelemetry.io/deployment.environment.name: stage
  resource.opentelemetry.io/service.namespace: aws-lb-controller
  resource.opentelemetry.io/service.version: 3.2.1
podDisruptionBudget:
  maxUnavailable: 1
podLabels:
  foo: bar
podSecurityContext:
  fsGroup: 65534
  runAsGroup: 65534
  runAsNonRoot: true
  runAsUser: 65534
region: us-east-2
resources:
  limits:
    cpu: 200m
    memory: 256Mi
  requests:
    cpu: 100m
    memory: 128Mi
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsGroup: 65534
  runAsNonRoot: true
  runAsUser: 65534
serviceMonitor:
  enabled: true
tolerations:
- key: CriticalAddonsOnly
  operator: Exists
topologySpreadConstraints:
- labelSelector:
    matchLabels:
      app: aws-lb-controller
  matchLabelKeys:
  - pod-template-hash
  maxSkew: 1
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: DoNotSchedule
- labelSelector:
    matchLabels:
      app: aws-lb-controller
  matchLabelKeys:
  - pod-template-hash
  maxSkew: 1
  topologyKey: kubernetes.io/hostname
  whenUnsatisfiable: DoNotSchedule
vpcId: vpc-e5c62fcc9cdd8227d
```
- Current state of the Controller configuration:

```
aws-lb-controller 1/1 1 1 10d
```

- Current state of the Ingress/Service configuration: