Add xDS Kubernetes service

[minwoox]

Add xDS Kubernetes Service

Motivation:
To support integration with Kubernetes, we need APIs for creating, updating, and deleting Kubernetes watchers that retrieve pod endpoint information from the Kubernetes control plane.

Modifications:

• Added xds_kubernetes.proto files that define gRPC and HTTP APIs for xDS resources.
• Introduced XdsKubernetesService:
  • The createWatcherRequest stores watcher information at /k8s/watchers/{watcher_id}.json.
  • To validate the correctness of the watcher information, a KubernetesEndpointGroup is created and used.
    • The current implementation uses KubernetesEndpointGroup for simplicity, with plans to develop a custom implementation for improved error handling.
• Added XdsKubernetesEndpointFetchingPlugin and XdsKubernetesEndpointFetchingService:
  • The XdsKubernetesEndpointFetchingService, run by the ZooKeeper leader, creates ClusterLoadAssignment based on watcher information.
  • The resulting ClusterLoadAssignment is stored at /k8s/endpoints/{watcher_id}.json and replicated via ZooKeeper log replay.
  • The cluster name of the ClusterLoadAssignment is groups/{group}/k8s/clusters/{watcher_id}.json, and it is served as an xDS endpoint resource by the ControlPlaneService.

Result:

• You can now add a watcher information that retrieves the pod's endpoint information from the Kubernetes control plane.

[minwoox]

This is ready. PTAL. 🙇

[jrhee17]

Left some questions but looks good to me 👍 👍 👍

[jrhee17]

Question) Would this be called from plugins-for-* threads here, whereas map updates will be called from k8s-plugin-executor? i.e. the map doesn't seem to be thread-safe

I believe the stop should also be done cleanly since it is not uncommon for a node to lose leadership

[minwoox]

Oops, let me fix that. 😓

[jrhee17]

Suggested change

	() -> pushK8sEndpoints(kubernetesEndpointGroup, groupName, endpoints, watcherName));
	() -> pushK8sEndpoints(kubernetesEndpointGroup, groupName, endpoints, watcherName));

[jrhee17]

Note) I understood that Locality is not set for this iteration.

[minwoox]

That is correct. 👍

[jrhee17]

nit; there is probably a low chance this happens, but I understood that if listener invocation and delete occurs in quick succession, then it is possible that the endpoints remain even though it should be deleted.

I think it's fine to leave this as a known issue, but just want to check if this scenario is possible.

e.g.

1. handleXdsResource is called
2. onFileRemoved is called immediately
3. the pushK8sEndpoints invoked by step 1 is called

[minwoox]

I don't think so because they are all executed by the executor().
1 handleXdsResource is called by the executor
2 onFileRemoved is called immediately
3 Thus, the created KubernetesEndpointGroup is closing
4 the pushK8sEndpoints invoked by step 1 is called by the executor but it doesn't push a commit because this condition:

centraldogma/xds/src/main/java/com/linecorp/centraldogma/xds/k8s/v1/XdsKubernetesEndpointFetchingService.java

Line 163 in 37e4002

if (kubernetesEndpointGroup.isClosing()) {

[jrhee17]

I missed that line 😅 Thanks for the pointer 👍

[jrhee17]

Question) Am I understanding correctly that as of now users can access this value via APIs? I'm wondering if we're going need to prioritize access control for xDS related APIs.

[minwoox]

Users cannot see this value. Only creating, updating and deleting (without seeing the value) is possible at the moment.

[ikhoon]

nit: Could be removed?

[ikhoon]

It seems unsed.

[ikhoon]

I guess controlPlaneService could be null if projectInitializer.initialize(...) fails.

[ikhoon]

Should we wait for the result of this::start? Otherwise, the exception raised in start won't be propagated to somewhere or logged.

[minwoox]

Oops, yeah. We need to wait for that. 😉

[ikhoon]

nit: dead code?

[ikhoon]

Optional) How about using service, which seems a simpler expression than watcher which is more abstract so we may need to explain what it means.

Meanwhile, we can simply say that service indicates Kubenetes Service, and this method can be used to create xDS resource for Kubenetes Service.
https://kubernetes.io/docs/concepts/services-networking/service/

[minwoox]

Had a discussion and will use CreateServiceEndpointWatcher instead. 😉

[ikhoon]

Thanks, @minwoox! 🚀🚀

[codecov]

Codecov Report

Attention: Patch coverage is 77.87611% with 100 lines in your changes missing coverage. Please review.

Project coverage is 71.54%. Comparing base (c960313) to head (e9db3c6).
Report is 144 commits behind head on main.

Files	Patch %	Lines
...s/k8s/v1/XdsKubernetesEndpointFetchingService.java	68.86%	24 Missing and 9 partials ⚠️
...dogma/xds/internal/XdsResourceWatchingService.java	66.66%	25 Missing and 5 partials ⚠️
.../centraldogma/xds/k8s/v1/XdsKubernetesService.java	82.71%	8 Missing and 6 partials ⚠️
...ds/k8s/v1/XdsKubernetesEndpointFetchingPlugin.java	59.09%	8 Missing and 1 partial ⚠️
...traldogma/server/internal/ExecutorServiceUtil.java	40.00%	4 Missing and 2 partials ⚠️
...centraldogma/xds/internal/ControlPlaneService.java	94.04%	2 Missing and 3 partials ⚠️
.../centraldogma/xds/internal/ControlPlanePlugin.java	77.77%	1 Missing and 1 partial ⚠️
...orp/centraldogma/xds/group/v1/XdsGroupService.java	85.71%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main     #980      +/-   ##
============================================
+ Coverage     65.61%   71.54%   +5.92%     
- Complexity     3319     4113     +794     
============================================
  Files           355      402      +47     
  Lines         13865    16431    +2566     
  Branches       1498     1756     +258     
============================================
+ Hits           9098    11756    +2658     
+ Misses         3916     3642     -274     
- Partials        851     1033     +182     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.