Support Standalone Service Creation & Surface Service ARN

[rlymbur]

What type of PR is this?
Feature

Which issue does this PR fix:
#691

What does this PR do / Why do we need it:
This PR implements standalone VPC Lattice services that are not automatically associated with service networks. Currently, the AWS Application Networking Controller only processes routes that are always associated with a service network. This enhancement allows for decoupling of service creation and ownership from service network membership, providing more flexibility in service management scenarios.

Key changes:

• Adds annotation-based configuration (application-networking.k8s.aws/standalone: "true") to control service network association behavior
• Supports both Gateway-level and Route-level annotations with Route-level taking precedence
• Maintains full backward compatibility - existing deployments continue to work unchanged
• Surfaces VPC Lattice service ARN in route annotations for external integrations (e.g., AWS RAM sharing)

If an issue # is not available please add repro steps and logs from aws-gateway-controller showing the issue:
See issue #691 for detailed requirements and use case description. The issue requests the ability to create VPC Lattice services without automatic service network association to support scenarios where service creation and service network membership need to be managed independently.

Testing done on this change:

• Unit tests added for annotation processing and validation logic
• Unit tests for service model building with standalone mode detection
• Unit tests for service manager handling of standalone services
• Integration tests for end-to-end standalone service creation
• Integration tests for annotation precedence and inheritance behavior
• Integration tests for transition scenarios (standalone ↔ service network modes)

Automation added to e2e:
Yes - Integration tests have been added covering:

• Standalone service creation and verification
• Annotation precedence testing (Gateway vs Route level)
• Service transition scenarios
• Service ARN surfacing in route status

Will this PR introduce any new dependencies?:
No new dependencies. The feature uses existing Kubernetes annotations and AWS VPC Lattice APIs that are already in use by the controller.

Will this break upgrades or downgrades. Has updating a running cluster been tested?:
No breaking changes. The feature is fully backward compatible:

• Existing routes without annotations continue to work exactly as before
• New annotation support is additive and optional
• Graceful handling of annotation transitions ensures no service disruption
• Controller upgrade/downgrade scenarios have been tested

Does this PR introduce any user-facing change?:
Yes - This introduces new annotation-based configuration options for users.

Add support for standalone VPC Lattice services via annotations. Users can now create VPC Lattice services without automatic service network association by adding `application-networking.k8s.aws/standalone: "true"` annotation to Gateway or Route resources. Route-level annotations take precedence over Gateway-level annotations. VPC Lattice service ARNs are now surfaced in route annotations for external integrations. This feature is fully backward compatible and existing deployments continue to work unchanged. 

Do all end-to-end tests successfully pass when running make e2e-test?:
Yes - All existing e2e tests pass, and new integration tests for standalone functionality have been added and are passing.

Ran 110 of 110 Specs in 5485.152 seconds SUCCESS! -- 110 Passed | 0 Failed | 0 Pending | 0 Skipped --- PASS: TestIntegration (5485.16s) PASS ok github.com/aws/aws-application-networking-k8s/test/suites/integration 5486.311s 

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[mikestvz]

Minor comments

[mikestvz]

Let's combine this with previous if?

[rlymbur]

Good point, I will address this in the next revision.

[mikestvz]

are we thinking for a different set of values in the future? If not why do we need a switch?

[rlymbur]

You're right, this is overkill now. I'll simplify it.

[satishckAWS]

1. AWS RAM sharing to share the service with other accounts to associate with service networks
   2.remove VPC peering or Transit Gateway for networking connectivity. Standalone Lattice services resolve to 169.254.171.0/24, which are not routable.

[rlymbur]

I have removed this wording in the latest revision.

[satishckAWS]

will have to make sure that the service is removed only from the Gateway that is set to stand-alone, as the same service could belong to other Gateways that are not standlone.

[rlymbur]

I've added detailed steps on how to mitigate this and correctly share with RAM manually.

[satishckAWS]

qualify that service network policies do not apply to standalone services only in the Gateways/service networks they are disconnected from. If the same service is also in a different Gateway/service network, the policies on those Gateways/service networks apply.

[rlymbur]

I clarified this in the latest revision.

[satishckAWS]

requires explicit service sharing and/or association with service networks.
Remove "alternate connectivity" as there is no other way to connect than through a service network

[rlymbur]

I have updated this wording.

[satishckAWS]

an example of httpsroute and TLSroute would be helpful with the TLS certs and how they can be added as well the same way as a connected service.

[rlymbur]

I have added additional examples now.

[mikestvz]

LGTM