inferencepool controller: use SSA for shadow svc updates (#57091)

dgn · aslakknutsen · commit 2345dc20ba47 · 2025-12-04T12:06:17.000+01:00
Fixes #56667
diff --git a/pilot/pkg/config/kube/gateway/controller.go b/pilot/pkg/config/kube/gateway/controller.go
@@ -293,7 +293,7 @@ func NewController(
 	// Create a queue for handling service updates.
 	// We create the queue even if the env var is off just to prevent nil pointer issues.
 	c.shadowServiceReconciler = controllers.NewQueue("inference pool shadow service reconciler",
-		controllers.WithReconciler(c.reconcileShadowService(svcClient, InferencePools, inputs.Services)),
+		controllers.WithReconciler(c.reconcileShadowService(kc, InferencePools, inputs.Services)),
 		controllers.WithMaxAttempts(5))
 
 	if features.EnableGatewayAPIInferenceExtension {
diff --git a/pilot/pkg/config/kube/gateway/inferencepool_collection.go b/pilot/pkg/config/kube/gateway/inferencepool_collection.go
@@ -15,6 +15,7 @@
 package gateway
 
 import (
+	"context"
 	"crypto/sha256"
 	"fmt"
 	"strconv"
@@ -23,15 +24,15 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/json"
 	inferencev1 "sigs.k8s.io/gateway-api-inference-extension/api/v1"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 	gateway "sigs.k8s.io/gateway-api/apis/v1beta1"
 
 	"istio.io/istio/pkg/config/constants"
 	"istio.io/istio/pkg/config/schema/gvk"
-	"istio.io/istio/pkg/kube/kclient"
+	"istio.io/istio/pkg/kube"
 	"istio.io/istio/pkg/kube/krt"
-	"istio.io/istio/pkg/maps"
 	"istio.io/istio/pkg/ptr"
 	"istio.io/istio/pkg/slices"
 	"istio.io/istio/pkg/util/sets"
@@ -44,6 +45,7 @@ const (
 	InferencePoolExtensionRefSvc         = "istio.io/inferencepool-extension-service"
 	InferencePoolExtensionRefPort        = "istio.io/inferencepool-extension-port"
 	InferencePoolExtensionRefFailureMode = "istio.io/inferencepool-extension-failure-mode"
+	InferencePoolFieldManager            = "istio.io/inference-pool-controller"
 )
 
 // // ManagedLabel is the label used to identify resources managed by this controller
@@ -503,7 +505,7 @@ func InferencePoolServiceName(poolName string) (string, error) {
 	return svcName, nil
 }
 
-func translateShadowServiceToService(existingLabels map[string]string, shadow shadowServiceInfo, extRef extRefInfo) *corev1.Service {
+func translateShadowServiceToService(shadow shadowServiceInfo, extRef extRefInfo) *corev1.Service {
 	// Create the ports used by the shadow service
 	ports := make([]corev1.ServicePort, 0, len(shadow.targetPorts))
 	dummyPort := int32(54321) // Dummy port, not used for anything
@@ -518,16 +520,20 @@ func translateShadowServiceToService(existingLabels map[string]string, shadow sh
 
 	// Create a new service object based on the shadow service info
 	svc := &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "Service",
+		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      shadow.key.Name,
 			Namespace: shadow.key.Namespace,
-			Labels: maps.MergeCopy(map[string]string{
+			Labels: map[string]string{
 				InferencePoolRefLabel:                shadow.poolName,
 				InferencePoolExtensionRefSvc:         extRef.name,
 				InferencePoolExtensionRefPort:        strconv.Itoa(int(extRef.port)),
 				InferencePoolExtensionRefFailureMode: extRef.failureMode,
 				constants.InternalServiceSemantics:   constants.ServiceSemanticsInferencePool,
-			}, existingLabels),
+			},
 		},
 		Spec: corev1.ServiceSpec{
 			Selector:  shadow.selector,
@@ -550,7 +556,7 @@ func translateShadowServiceToService(existingLabels map[string]string, shadow sh
 }
 
 func (c *Controller) reconcileShadowService(
-	svcClient kclient.Client[*corev1.Service],
+	kubeClient kube.Client,
 	inferencePools krt.Collection[InferencePool],
 	servicesCollection krt.Collection[*corev1.Service],
 ) func(key types.NamespacedName) error {
@@ -568,33 +574,35 @@ func (c *Controller) reconcileShadowService(
 		existingService := ptr.Flatten(servicesCollection.GetKey(pool.shadowService.key.String()))
 
 		// Check if we can manage this service
-		var existingLabels map[string]string
 		if existingService != nil {
-			existingLabels = existingService.GetLabels()
-			canManage, _ := c.canManageShadowServiceForInference(existingService)
+			canManage, reason := c.canManageShadowServiceForInference(existingService)
 			if !canManage {
-				log.Debugf("skipping service %s/%s, already managed by another controller", key.Namespace, key.Name)
+				log.Debugf("skipping service %s/%s, already managed by another controller: %s", key.Namespace, key.Name, reason)
 				return nil
 			}
 		}
 
-		service := translateShadowServiceToService(existingLabels, pool.shadowService, pool.extRef)
-
-		var err error
-		if existingService == nil {
-			// Create the service if it doesn't exist
-			_, err = svcClient.Create(service)
-		} else {
-			// TODO: Don't overwrite resources: https://github.com/istio/istio/issues/56667
-			service.ResourceVersion = existingService.ResourceVersion
-			_, err = svcClient.Update(service)
-		}
+		service := translateShadowServiceToService(pool.shadowService, pool.extRef)
+		return c.applyShadowService(kubeClient, service)
+	}
+}
 
-		return err
+// applyShadowService uses Server-Side Apply to create or update shadow services
+func (c *Controller) applyShadowService(kubeClient kube.Client, service *corev1.Service) error {
+	data, err := json.Marshal(service)
+	if err != nil {
+		return fmt.Errorf("failed to marshal service for SSA: %v", err)
 	}
+
+	ctx := context.Background()
+	_, err = kubeClient.Kube().CoreV1().Services(service.Namespace).Patch(
+		ctx, service.Name, types.ApplyPatchType, data, metav1.PatchOptions{
+			FieldManager: InferencePoolFieldManager,
+			Force:        ptr.Of(true),
+		})
+	return err
 }
 
-// canManage checks if a service should be managed by this controller
 func (c *Controller) canManageShadowServiceForInference(obj *corev1.Service) (bool, string) {
 	if obj == nil {
 		// No object exists, we can manage it
diff --git a/pilot/pkg/config/kube/gateway/inferencepool_test.go b/pilot/pkg/config/kube/gateway/inferencepool_test.go
@@ -15,73 +15,211 @@
 package gateway
 
 import (
+	"fmt"
 	"testing"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	inferencev1 "sigs.k8s.io/gateway-api-inference-extension/api/v1"
 
 	"istio.io/istio/pilot/pkg/features"
 	"istio.io/istio/pkg/config/constants"
-	"istio.io/istio/pkg/kube/krt"
 	"istio.io/istio/pkg/test"
 	"istio.io/istio/pkg/test/util/assert"
 )
 
 func TestReconcileInferencePool(t *testing.T) {
 	test.SetForTest(t, &features.EnableGatewayAPIInferenceExtension, true)
-	pool := &inferencev1.InferencePool{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-pool",
-			Namespace: "default",
+
+	testCases := []struct {
+		name                string
+		inferencePool       *inferencev1.InferencePool
+		shadowService       *corev1.Service // name is optional, if not provided, it will be generated
+		expectedAnnotations map[string]string
+		expectedLabels      map[string]string
+		expectedServiceName string
+		expectedTargetPort  int32
+	}{
+		{
+			name: "basic shadow service creation",
+			inferencePool: &inferencev1.InferencePool{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-pool",
+					Namespace: "default",
+				},
+				Spec: inferencev1.InferencePoolSpec{
+					TargetPorts: []inferencev1.Port{
+						{
+							Number: inferencev1.PortNumber(8080),
+						},
+					},
+					Selector: inferencev1.LabelSelector{
+						MatchLabels: map[inferencev1.LabelKey]inferencev1.LabelValue{
+							"app": "test",
+						},
+					},
+					EndpointPickerRef: inferencev1.EndpointPickerRef{
+						Name: "dummy",
+						Port: &inferencev1.Port{
+							Number: inferencev1.PortNumber(5421),
+						},
+					},
+				},
+			},
+			expectedLabels: map[string]string{
+				constants.InternalServiceSemantics: constants.ServiceSemanticsInferencePool,
+				InferencePoolRefLabel:              "test-pool",
+			},
+			expectedTargetPort: 8080,
 		},
-		Spec: inferencev1.InferencePoolSpec{
-			TargetPorts: []inferencev1.Port{
-				{
-					Number: inferencev1.PortNumber(8080),
+		{
+			name: "user label and annotation preservation",
+			inferencePool: &inferencev1.InferencePool{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "preserve-pool",
+					Namespace: "default",
+				},
+				Spec: inferencev1.InferencePoolSpec{
+					TargetPorts: []inferencev1.Port{
+						{
+							Number: inferencev1.PortNumber(8080),
+						},
+					},
+					Selector: inferencev1.LabelSelector{
+						MatchLabels: map[inferencev1.LabelKey]inferencev1.LabelValue{
+							"app": "test",
+						},
+					},
+					EndpointPickerRef: inferencev1.EndpointPickerRef{
+						Name: "dummy",
+						Port: &inferencev1.Port{
+							Number: inferencev1.PortNumber(5421),
+						},
+					},
 				},
 			},
-			Selector: inferencev1.LabelSelector{
-				MatchLabels: map[inferencev1.LabelKey]inferencev1.LabelValue{
-					"app": "test",
+			shadowService: &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "default",
+					Labels: map[string]string{
+						InferencePoolRefLabel:       "preserve-pool",
+						"user.example.com/my-label": "user-value",
+						"another.domain.com/label":  "another-value",
+					},
+					Annotations: map[string]string{
+						"user.example.com/my-annotation": "user-annotation-value",
+						"monitoring.example.com/scrape":  "true",
+					},
+				},
+				Spec: corev1.ServiceSpec{
+					Selector:  map[string]string{"app": "test"},
+					Type:      corev1.ServiceTypeClusterIP,
+					ClusterIP: corev1.ClusterIPNone,
+					Ports: []corev1.ServicePort{
+						{
+							Protocol:   "TCP",
+							Port:       54321,
+							TargetPort: intstr.FromInt(8080),
+						},
+					},
 				},
 			},
-			EndpointPickerRef: inferencev1.EndpointPickerRef{
-				Name: "dummy",
-				Port: &inferencev1.Port{
-					Number: inferencev1.PortNumber(5421),
+			expectedAnnotations: map[string]string{
+				"user.example.com/my-annotation": "user-annotation-value",
+				"monitoring.example.com/scrape":  "true",
+			},
+			expectedLabels: map[string]string{
+				constants.InternalServiceSemantics: constants.ServiceSemanticsInferencePool,
+				InferencePoolRefLabel:              "preserve-pool",
+				"user.example.com/my-label":        "user-value",
+				"another.domain.com/label":         "another-value",
+			},
+			expectedTargetPort: 8080,
+		},
+		{
+			name: "very long inferencepool name",
+			inferencePool: &inferencev1.InferencePool{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "very-long-inference-pool-name-that-should-be-truncated-properly",
+					Namespace: "default",
 				},
+				Spec: inferencev1.InferencePoolSpec{
+					TargetPorts: []inferencev1.Port{
+						{
+							Number: inferencev1.PortNumber(9090),
+						},
+					},
+					Selector: inferencev1.LabelSelector{
+						MatchLabels: map[inferencev1.LabelKey]inferencev1.LabelValue{
+							"app": "longname",
+						},
+					},
+					EndpointPickerRef: inferencev1.EndpointPickerRef{
+						Name: "dummy",
+						Port: &inferencev1.Port{
+							Number: inferencev1.PortNumber(5421),
+						},
+					},
+				},
+			},
+			expectedLabels: map[string]string{
+				constants.InternalServiceSemantics: constants.ServiceSemanticsInferencePool,
+				InferencePoolRefLabel:              "very-long-inference-pool-name-that-should-be-truncated-properly",
 			},
+			expectedServiceName: "very-long-inference-pool-name-that-should-be-trunca-ip-6d24df6a",
+			expectedTargetPort:  9090,
 		},
 	}
-	controller := setupController(t,
-		&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "default"}},
-		NewGateway("test-gw", InNamespace(DefaultTestNS), WithGatewayClass("istio")),
-		NewHTTPRoute("test-route", InNamespace(DefaultTestNS),
-			WithParentRefAndStatus("test-gw", DefaultTestNS, IstioController),
-			WithBackendRef("test-pool", DefaultTestNS),
-		),
-		pool,
-	)
 
-	dumpOnFailure(t, krt.GlobalDebugHandler)
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			objects := []runtime.Object{
+				&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "default"}},
+				NewGateway(tc.name+"-gw", InNamespace("default"), WithGatewayClass("istio")),
+				NewHTTPRoute(tc.name+"-route", InNamespace("default"),
+					WithParentRefAndStatus(tc.name+"-gw", "default", "istio.io/gateway-controller"),
+					WithBackendRef(tc.inferencePool.Name, "default"),
+				),
+				tc.inferencePool,
+			}
+			if tc.shadowService != nil {
+				// Generate the service name if not provided
+				if tc.shadowService.Name == "" {
+					generatedName, err := InferencePoolServiceName(tc.inferencePool.Name)
+					assert.NoError(t, err)
+					tc.shadowService.Name = generatedName
+				}
+				objects = append(objects, tc.shadowService)
+			}
+			controller := setupController(t, objects...)
 
-	// Verify the service was created
-	var service *corev1.Service
-	var err error
-	assert.EventuallyEqual(t, func() bool {
-		svcName := "test-pool-ip-" + generateHash("test-pool", hashSize)
-		service, err = controller.client.Kube().CoreV1().Services("default").Get(t.Context(), svcName, metav1.GetOptions{})
-		if err != nil {
-			t.Logf("Service %s not found yet: %v", svcName, err)
-			return false
-		}
-		return service != nil
-	}, true)
+			var service *corev1.Service
+			expectedSvcName, err := InferencePoolServiceName(tc.inferencePool.Name)
+			if tc.expectedServiceName != "" {
+				assert.Equal(t, expectedSvcName, tc.expectedServiceName, fmt.Sprintf("Service name should be '%s'", tc.expectedServiceName))
+			}
+			assert.NoError(t, err)
+			assert.EventuallyEqual(t, func() bool {
+				var err error
+				service, err = controller.client.Kube().CoreV1().Services("default").Get(t.Context(), expectedSvcName, metav1.GetOptions{})
+				if err != nil {
+					t.Logf("Service %s not found yet: %v", expectedSvcName, err)
+					return false
+				}
+				return service != nil && service.Labels[constants.InternalServiceSemantics] == constants.ServiceSemanticsInferencePool
+			}, true)
 
-	assert.Equal(t, service.ObjectMeta.Labels[constants.InternalServiceSemantics], constants.ServiceSemanticsInferencePool)
-	assert.Equal(t, service.ObjectMeta.Labels[InferencePoolRefLabel], pool.Name)
-	assert.Equal(t, service.OwnerReferences[0].Name, pool.Name)
-	assert.Equal(t, service.Spec.Ports[0].TargetPort.IntVal, int32(8080))
-	assert.Equal(t, service.Spec.Ports[0].Port, int32(54321)) // dummyPort + i
+			for key, expectedValue := range tc.expectedLabels {
+				assert.Equal(t, service.Labels[key], expectedValue, fmt.Sprintf("Label '%s' should have value '%s'", key, expectedValue))
+			}
+			for key, expectedValue := range tc.expectedAnnotations {
+				assert.Equal(t, service.Annotations[key], expectedValue, fmt.Sprintf("Annotation '%s' should have value '%s'", key, expectedValue))
+			}
+			assert.Equal(t, service.Spec.Ports[0].Port, int32(54321)) // dummyPort + i
+			assert.Equal(t, service.Spec.Ports[0].TargetPort.IntVal, tc.expectedTargetPort)
+			assert.Equal(t, service.OwnerReferences[0].Name, tc.inferencePool.Name)
+		})
+	}
 }
