Add Kubernetes Service support

[wjhoward]

Ticket: HACK-4795

Add minimal Kubernetes Service creation support to PaaSTA.

This adds opt in Service creation via a new k8s_service config block, primarily for headless Services.

Changes:

• SOA Service config schema
• Service CRUD functions
• Service sync orchestration logic
• Unit tests

Current design decisions

• Minimal config approach, k8s_service: {} is valid and would create a headless Service with default port 8888
• Protocol is currently hardcoded to TCP, but can be extended
• Service name set to the deployment name
• Single port per service

Example config:

# Full config with all options
k8s_service:
  headless: true              # Optional, default: true
  port: 9000                  # Optional, default: 8888
  annotations:                # Optional, default: {}
    external-dns.alpha.kubernetes.io/hostname: my-app.example.com

# Minimal config (uses all defaults):
k8s_service: {}

[itsgc]

super premature but this coudl be a great stepping stone to support service NLBs in paasta. According to https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/nlb/ the only additions we would need are:

• in the spec:
  • type should be settable to LoadBalancer
  • a new directive LoadBalancerClass would need to be set to service.k8s.aws/nlb

there is a third requirement which is to set an annotation of service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip but the current annotation support added in this PR would be enough

an alternative would otherwise to have a top level yelpsoa-config directive enable_nlb: True taht would set all of this in one go

[wjhoward]

I really like this idea, and it sounds like a small change to support it. I will wait to see what other reviewers think before making any changes.

[diwakar-dubey]

yes, this is really great idea!

[Rob-Johnson]

this is really nice, thanks @wjhoward!

I think in the long term we might want both, but remember that right now, 99% of clients don't connect directly to a service/instance, but a smartstack namespace. there are cases where a user might want to talk to a specific service/instance, but we'll need to add support for creating services per namespace to serve most interactions.

I've written a few notes about that in the internal design doc I wrote. But this is a great start, thanks!

[Rob-Johnson]

is there ever a situation where we wouldn't want this to be true? I don't think we'd ever want a client to be connecting to a paasta service/instance using a k8s cluster ip - we'd only ever want to be using a loadbalancer/cloudmap/something else. I'd probably just remove this config option

[wjhoward]

Good point, I agree, I think we can remove this option for now. Thanks!

[wjhoward]

Thanks @Rob-Johnson , agreed - this is catering to a niche use case, specifically external DNS integration:

External Client → myapp.example.com → DNS provider (CloudMap/Route53) → Pod IPs

Where the external-dns controller reads the annotated headless Service to get Pod IPs and creates/updates DNS records. This bypasses Smartstack/mesh entirely for external access. Tagging @diwakar-dubey as they discovered the use case / requirement. To clarify a couple of points:

I think in the long term we might want both

Do you mean external DNS support and the NLB use case @itsgc mentioned, or namespace services?

but we'll need to add support for creating services per namespace to serve most interactions.

Yeah the intention here is specific to the external DNS use case, hence why I marked service config as opt in, are you thinking about expanding k8s Services to support namespace ingress also?

[Rob-Johnson]

Thanks @Rob-Johnson , agreed - this is catering to a niche use case, specifically external DNS integration:

External Client → myapp.example.com → DNS provider (CloudMap/Route53) → Pod IPs

Where the external-dns controller reads the annotated headless Service to get Pod IPs and creates/updates DNS records. This bypasses Smartstack/mesh entirely for external access. Tagging @diwakar-dubey as they discovered the use case / requirement. To clarify a couple of points:

even for external DNS, It'd be better if the DNS address was for a smartstack namespace than a specific paasta service/instance. given we're only using this for trivial redirects atm, we can get away with it because there is a 1:1 mapping from service/instance to namespace. but we can't guarantee that'll always be true.

I think in the long term we might want both

Do you mean external DNS support and the NLB use case @itsgc mentioned, or namespace services?

No, I mean having both a service that uses 'paasta_service' and 'paasta_instance' as a label selector (so goes to a specific instance), and one that uses a selector for registrations.

but we'll need to add support for creating services per namespace to serve most interactions.

Yeah the intention here is specific to the external DNS use case, hence why I marked service config as opt in, are you thinking about expanding k8s Services to support namespace ingress also?

[nemacysts]

nit: could probably default to self.get_container_port() to handle the couple of services that don't set this to DEFAULT_CONTAINER_PORT (otherwise, probably worth replacing the hardcoded 8888 here with

paasta/paasta_tools/long_running_service_tools.py

Line 36 in cb5eca3

DEFAULT_CONTAINER_PORT = 8888

[nemacysts]

note: we'll also need to add k8s_service to https://github.com/Yelp/paasta/blob/cb5eca340f12e3d63807f4ce35bcccad0711abe2/paasta_tools/cli/schemas/eks_schema.json

[nemacysts]

i was gonna say that we should be using a mock that's autospec'd on the kube client...but it seems like this is a pre-existing pattern already in this file so nevermind :p

[nemacysts]

nit: mypy should already validate this - so we can probably drop the isinstance asserts from these tests

[nemacysts]

should we construct an expected_service and compare to that rather than comparing attribute-by-attribute manually?