/test

While this is the last "big step" to make mcs-api a thing in Cilium note that there is still a few things to do, like mainly the following things:

• Add a user documentation
• Add some integration tests (planning to check out mcs-api conformance test here https://github.com/kubernetes-sigs/mcs-api/tree/master/conformance, which is also being improved by other mcs-api implementers but might not be ready right now, will check with k8s sig-multicluster folks if it is)
• During initial testing of this I think I spotted that ServiceExportsSynced/ServiceSynced seems to actually not wait for a full initial sync, I need to check a bit more what's happening here and create a related issue and/or PR depending of what I am able to find EDIT: After double checking this doesn't seems to be true
• Probably adding service annotation synchronization as well (more details on that later, I didn't want to do that here since I need to also update the export side and types and this PR is already large enough)
• Most likely updating mcs api version as we should get a beta version in the coming month(s)
• And lastly but this is not directly related to cilium, would like to see with kubernetes sig-multicluster if there wouldn't be a way to simplify the coredns multicluster plugin installation/activation (https://github.com/coredns/multicluster/) a bit further as people need to rebuild a coredns docker image with this included right now.

And that's probably all, at least from what I can think of right now :D.

Note that if you would like to try this locally you need to install MCS-API crds (https://github.com/kubernetes-sigs/mcs-api/tree/master/config/crd), have this fix #34295, enable clustermesh.enableMCSAPISupport from helm and then if you apply the examples from this PR you should be able to see the ServiceImports + derived services (named derived-$hash). There is a bit more high level schema here #32712 as well for more context.

I don't see any objects with OwnerReferences. Is that intended? Of course, OwnerReferences doesn't work cross-cluster, so ignore this if there are no "dependent" objects in the same cluster.

I've labeled this PR as release-note/major, given that it looks to me the last big chunk of work to introduce the support for MCS-API. Would you mind generalizing a bit the release note part of the PR description, to emphasize that aspect?

/test

/ci-clustermesh

Yes the KEP is currently saying that the condition should be on every service exports whether or not the local service is involved. There is two parts that may change in the KEP though:

• I am trying to add something to the KEP conditions to encode whether or not the local service is involved in the conflict (while still keeping the Conflict conditions everywhere)

• The KEP may relax the fact that this conflict should really appear on every ServiceExport as some implementations (Submariner mainly for now) might not be able to technically do that due to their design (but we do have that info, so probably no change for us on this part).

This made me check again what I am doing for the conflict checking on other fields than the port and indeed it was only publishing a conflict if the local service is different 🤦‍♂️ so I did fixed that too. So basically in my last push I essentially applied your suggestion and corrected the non port checking to also be that way!

Perfect, thanks for the clarification and the updates!

/test

/test

(rebasing for the CI; there was no conflict/other changes)

/test

Note that you'll need to rebase once more to fix the linting issues from testifylint as #35237 got just merged. Sorry for the inconvenience.

Note that you'll need to rebase once more to fix the linting issues from testifylint as #35237 got just merged. Sorry for the inconvenience.

No worries, thanks for letting me know 🙏!

/test

/test

/ci-integration