[CFP-39876]: Implement global namespace support for CEP, identities and slices

[anubhabMajumdar]

Description

This PR is laying the foundation for cilium/design-cfps#74 .

Adds namespace-level filtering for a subset of ClusterMesh resource synchronization using the clustermesh.cilium.io/global annotation, allowing administrators to control which namespaces export resources to the kvstore. Resources handled in this PR are CiliumEndpoints, CiliumIdentities and CiliumEndpointSlices.

Key changes

• New clustermesh.cilium.io/global annotation to mark namespaces for export
• Namespace manager tracks global status with --clustermesh-default-global-namespace flag (default: true)
• Resource synchronizers filter resource events based on namespace global status
• Automatic cleanup when resources move out of global namespaces
• Namespace event handling triggers resynchronization of affected resources (ex: annotating namespace as global or local)

Behavior

• All namespaces are global by default (backward compatible), i.e., --clustermesh-default-global-namespace=true by default
• Opt-out: add clustermesh.cilium.io/global: "false" to namespace
• When flag is false, namespaces must opt-in with annotation set to "true"
• Resources automatically removed from kvstore when namespace becomes non-global
• The flag is currently hidden from users as feature is incomplete

Testing Done

• Setup two kind clusters using make kind-clustermesh
• Build and install clustermesh with enable-default-global-namespace=false
• Exec into kvstoremesh container k exec -it deploy/clustermesh-apiserver -c kvstoremesh --context=kind-clustermesh2 --namespace=kube-system -- clustermesh-apiserver shell
• Check clustermesh kvstore using kvstore/list --keys-only --output=string (no identities or endpoints)
• Annotate default namespace in both cluster
• Check clustermesh kvstore using kvstore/list --keys-only --output=string (identities and endpoints present now)
• Created/Deleted deployments to check kvstore is updated accordingly
• Deployed Hubble to make sure during cross cluster communication, flow logs are accurate (with annotation, I see pod -> pod flows, but w/o annotation pod->IP flows)
• New unit tests
• New E2E tests using the Hive script

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

Fixes: #issue-number

<!-- Enter the release note text here if needed or remove this section! -->

[anubhabMajumdar]

Fixing the lint issues.

[youngnick]

Still some lint issues remaining, you'll need to fix both the goimports and slog fields not being constant errors.

[MrFreezeex]

Thanks! 🙏 The approach seems to make sense to me overall, I left an initial review with some comment inline.

Also I think it would makes sense to split a bit more your commits, the namespace helpers seems to be an obvious candidate for this at least 🤔,

[giorio94]

Thanks @anubhabMajumdar for iterating on this!

I've started reviewing the new approach, and left a few initial high level comments. Overall it looks better to me compared to the previous ones, but I still have a few reservations detailed inline.

A few more general comments:

• Make sure that the commits pass the basic linting checks before marking a PR ready for review, as there are currently multiple failures (and also compilation errors in tests)
• Make sure that the implementation is actually working; the clustermesh-apiserver is currently crashing due to unmet hive dependencies;
• The clustermesh-apiserver package makes already use of script tests. Please introduce one or more new script test file to validate the correct functioning of the new namespace filtering E2E, to increase confidence in the correctness of the implementation and prevent future regressions.
• The current implementation is entirely included in a single large commit, which makes the review process complex. Please split it into multiple commits, each complemented by a commit message to detail the rationale behind each set of changes. See the amazing split done by @jshr-w in #38388 as an example.

[anubhabMajumdar]

Fixing the lint issues and will add one more commit for the script tests.

[anubhabMajumdar]

@MrFreezeex @giorio94

Thanks for your reviews. I have:

• addressed all comments
• split changes into granular commits
• added new e2e tests for cluster mesh

Cheers!

[gandro]

Helm structure-wise this looks okay to me. I do have some concerns regarding the naming and enabling this by default

[anubhabMajumdar]

/test

[anubhabMajumdar]

/test

Fixed one test issues. Rest seems to stem from the configurations to the helm chart, but that was removed.

[anubhabMajumdar]

/test

[anubhabMajumdar]

/test

Had to rebase to fix the last commit length. Will restart the tests again.

[anubhabMajumdar]

/test

[MrFreezeex]

Thanks the PR seems to be in a great shape overall, I left some minor question/comments about a few things in the code that I spotted

[anubhabMajumdar]

@giorio94 @MrFreezeex
Addressed your comments, let me know if this looks good. Thanks :-)

[giorio94]

Addressed your comments, let me know if this looks good. Thanks :-)

There's still one bug introduced in the last iteration, but looks good to me otherwise.

[anubhabMajumdar]

Addressed your comments, let me know if this looks good. Thanks :-)

There's still one bug introduced in the last iteration, but looks good to me otherwise.

Thanks for reviewing this multiple times!

[anubhabMajumdar]

/test

[anubhabMajumdar]

/ci-delegated-ipam

[giorio94]

/lgtm, thanks!

[MrFreezeex]

Thanks!

[anubhabMajumdar]

Thanks @MrFreezeex @giorio94 @youngnick for repeated reviews. Cheers!