[release-1.27] Fix named port mapping with ServiceEntries in ambient (#57784)

* fix issue with named target ports + SE

* add release notes

* tweak language

* release note type

---------

Co-authored-by: Aaron Birkland <[email protected]>

Author: istio-testing

pilot/pkg/serviceregistry/kube/controller/ambient/workloads.go

@@ -1401,14 +1401,25 @@ func constructServices(p *v1.Pod, services []model.ServiceInfo) map[string]*work
 			targetPort := port.TargetPort
 			// The svc.Ports represents the workloadapi.Service, which drops the port name info and just has numeric target Port.
 			// TargetPort can be 0 which indicates its a named port. Check if its a named port and replace with the real targetPort if so.
-			if named, f := svc.PortNames[int32(port.ServicePort)]; f && named.TargetPortName != "" {
-				// Pods only match on TargetPort names
-				tp, ok := FindPortName(p, named.TargetPortName)
-				if !ok {
-					// Port not present for this workload. Exclude the port entirely
-					continue
+			if named, f := svc.PortNames[int32(port.ServicePort)]; f {
+				if named.TargetPortName != "" {
+					// Kubernetes Service semantics: explicit named targetPort on the Service
+					// Pods only match on TargetPort names
+					tp, ok := FindPortName(p, named.TargetPortName)
+					if !ok {
+						// Port not present for this workload. Exclude the port entirely
+						continue
+					}
+					targetPort = uint32(tp)
+				} else if svc.Source.Kind == kind.ServiceEntry && named.PortName != "" {
+					// ServiceEntry semantics: no explicit named targetPort field; match by ServiceEntry port name to Pod container port name
+					if tp, ok := FindPortName(p, named.PortName); ok {
+						targetPort = uint32(tp)
+					} else if targetPort == 0 {
+						// Fallback to service port if we couldn't resolve a name and targetPort wasn't set
+						targetPort = port.ServicePort
+					}
 				}
-				targetPort = uint32(tp)
 			}
 
 			pl.Ports = append(pl.Ports, &workloadapi.Port{

pilot/pkg/serviceregistry/kube/controller/ambient/workloads_test.go

@@ -311,6 +311,60 @@ func TestPodWorkloads(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "pod selected by ServiceEntry honors port name mapping",
+			inputs: []any{
+				model.ServiceInfo{
+					Service: &workloadapi.Service{
+						Name:      "httpbin",
+						Namespace: "httpbin2",
+						Hostname:  "httpbin.httpbin2.mesh.internal",
+						Ports: []*workloadapi.Port{{
+							ServicePort: 8002,
+							TargetPort:  0,
+						}},
+					},
+					PortNames: map[int32]model.ServicePortName{
+						8002: {PortName: "http"},
+					},
+					LabelSelector: model.NewSelector(map[string]string{"app": "httpbin"}),
+					Source:        model.TypedObject{Kind: kind.ServiceEntry},
+				},
+			},
+			pod: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "httpbin-123",
+					Namespace: "httpbin2",
+					Labels:    map[string]string{"app": "httpbin"},
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{{Ports: []v1.ContainerPort{{
+						Name:          "http",
+						ContainerPort: 8000,
+						Protocol:      v1.ProtocolTCP,
+					}}}},
+				},
+				Status: v1.PodStatus{Phase: v1.PodRunning, Conditions: podReady, PodIP: "10.1.1.1"},
+			},
+			result: &workloadapi.Workload{
+				Uid:               "cluster0//Pod/httpbin2/httpbin-123",
+				Name:              "httpbin-123",
+				Namespace:         "httpbin2",
+				Addresses:         [][]byte{netip.MustParseAddr("10.1.1.1").AsSlice()},
+				Network:           testNW,
+				CanonicalName:     "httpbin",
+				CanonicalRevision: "latest",
+				WorkloadType:      workloadapi.WorkloadType_POD,
+				WorkloadName:      "httpbin-123",
+				Status:            workloadapi.WorkloadStatus_HEALTHY,
+				ClusterId:         testC,
+				Services: map[string]*workloadapi.PortList{
+					"httpbin2/httpbin.httpbin2.mesh.internal": {
+						Ports: []*workloadapi.Port{{ServicePort: 8002, TargetPort: 8000}},
+					},
+				},
+			},
+		},
 		{
 			name: "simple pod with locality",
 			inputs: []any{

releasenotes/notes/57713.yaml

@@ -0,0 +1,10 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+
+issue:
+ - https://github.com/istio/istio/issues/57713
+
+releaseNotes:
+- |
+  **Fixed** ServiceEntry resolution in ztunnel now matches ServiceEntry port names to pod container ports, aligning behavior with sidecars where there isn't an explicit targetPort