Ensure EndpointSlice exist if Endpoint is found

[tnqn]

What type of PR is this?
/kind bug

What this PR does / why we need it:
The EndpointSlice for masters was not created after enabling EndpointSlice feature on a pre-existing cluster. This was because the Endpoint object had been created and ReconcileEndpoints would skip creating or updating it after EndpointSlice feature is enabled.

This patch ensures EndpointSlice is consistent with Endpoints after the reconciler reconciles Endpoints even if Endpoints is unchanged. It also avoids an update if the desired EndpointSlice matches the existing one.

Which issue(s) this PR fixes:

Fixes #84419

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Fix the bug that EndpointSlice for masters wasn't created after enabling EndpointSlice feature on a pre-existing cluster.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[k8s-ci-robot]

Hi @tnqn. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tnqn]

/assign @robscott

[robscott]

Hey @tnqn, thanks for catching this! Looks like a good fix on first glance, will try to take a closer look at this tomorrow.
/ok-to-test

[robscott]

/priority important-soon

[tnqn]

@robscott thanks for reviewing it.
/retest

[robscott]

Hey @tnqn, this looks great, just have a suggestion on how to simplify the tests you're adding. I spun up an e2e cluster with this branch and the upgrade worked as expected simply by toggling the EndpointSlice feature flag on the apiserver manifest. Thanks for the fix!

[robscott]

All of this test logic can actually be simplified because the EndpointSlice created here will always have a consistent name (nameParam here, but generally just kubernetes). I think it would make sense to test based on the existence of that EndpointSlice specifically with a Get call instead of a List.

[tnqn]

Makes sense. I have updated, PTAL.

[robscott]

Hey @tnqn, this looks great, I think it could be simplified one more step to just use the deepEqual whether or not the expected value was nil. Something like what's done above for Endpoints: https://github.com/kubernetes/kubernetes/blob/master/pkg/master/reconcilers/endpointsadapter_test.go#L262-L264

[tnqn]

Sure, done.

[tnqn]

@robscott thanks for the suggestion!

[robscott]

Thanks for catching this @tnqn! This fix works well for me.

/lgtm

[robscott]

@liggitt are you able to take a look here? I think you helped review/approve my initial PR here back in the day. This looks like a good fix that should help anyone upgrading to a cluster with EndpointSlices enabled.

/assign @liggitt

[liggitt]

This was because the Endpoint object had been created and ReconcileEndpoints would skip creating or updating it after EndpointSlice feature is enabled.

Can you clarify this point? Does the endpoints controller not reconcile the kube-system/kubernetes Endpoints object to an EndpointsSlice object? Or is the issue that the masters must bootstrap their EndpointsSlice object just like their Endpoints object in order to make sure the API server is reachable from wherever the kube-controller-manager is running?

[tnqn]

This was because the Endpoint object had been created and ReconcileEndpoints would skip creating or updating it after EndpointSlice feature is enabled.

Can you clarify this point? Does the endpoints controller not reconcile the kube-system/kubernetes Endpoints object to an EndpointsSlice object?
Or is the issue that the masters must bootstrap their EndpointsSlice object just like their Endpoints object in order to make sure the API server is reachable from wherever the kube-controller-manager is running?

The endpoints controller is not in charge of the default/kubernetes Endpoints and EndpointSlice:

kubernetes/pkg/controller/endpointslice/endpointslice_controller.go

Lines 260 to 264 in 8d8a068

	if service.Spec.Selector == nil {
	// services without a selector receive no endpoint slices from this controller;
	// these services will receive endpoint slices that are created out-of-band via the REST API.
	return nil
	}

It's the EndpointReconciler (leaseEndpointReconciler by default) in masters reconciling its Endpoints and EndpointSlice:

kubernetes/pkg/master/reconcilers/lease.go

Line 162 in 8d8a068

func (r *leaseEndpointReconciler) doReconcile(serviceName string, endpointPorts []corev1.EndpointPort, reconcilePorts bool) error {

I think it's the same issue you mentioned that EndpointSlices for masters must be created by themselves to make kube-controller-manager reach them.

[tnqn]

/retest

[tnqn]

/retest

[liggitt]

/approve

@robscott has final lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tnqn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/master/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tnqn]

Thanks! @liggitt

/retest

[robscott]

Thanks for all your work on this @tnqn!

/lgtm

[robscott]

/retest