[CFP-39876]: Add namespace filtering to service sync and MCS API service exports

[jimassa]

Description

Follow-up to #42905, continuing the implementation of CFP-74.

Adds namespace filtering to service sync and MCS-API ServiceExport sync. Services and ServiceExports are only synced to the kvstore when they belong to a "global" namespace.

By default all namespaces are global. Set --clustermesh-default-global-namespace=false to require explicit clustermesh.cilium.io/global="true" annotation.

Changes

operator/watchers/service_sync.go

• Add namespace event watcher to re-sync services when namespace global status changes
• Filter services based on namespace global status before syncing

pkg/clustermesh/mcsapi/serviceexportsync.go

• Add namespace event watcher to re-sync ServiceExports when namespace global status changes
• Filter ServiceExports based on namespace global status before syncing

Tests

• operator/watchers/testdata/globalnamespace-services.txtar: Script test for service sync filtering (including dynamic namespace changes)
• pkg/clustermesh/mcsapi/serviceexportsync_test.go: Unit test for ServiceExport sync filtering

Manual Testing on Kind Clusters

Tested on two kind clusters with ClusterMesh enabled and --clustermesh-default-global-namespace=false:

Setup

• Two kind clusters using make kind-clustermesh and make kind-clustermesh-images
• Cilium installed with ClusterMesh enabled, namespace filtering flag, and MCS API enabled

Service Namespace Filtering Results

Test	Result
Created global service in default namespace (without namespace annotation)	NOT synced to kvstore
Annotated namespace with clustermesh.cilium.io/global=true	Service synced to kvstore
Created another global service	Immediately synced to kvstore
Removed namespace annotation	Services removed from kvstore

ServiceExport Namespace Filtering Results (MCS API)

Test	Result
Created ServiceExport in default namespace (without namespace annotation)	NOT synced to kvstore
Annotated namespace with clustermesh.cilium.io/global=true	ServiceExport synced to kvstore
Removed namespace annotation	ServiceExport removed from kvstore

Verification Commands Used

# Check services in kvstore
kubectl exec deploy/clustermesh-apiserver -c kvstoremesh \
    --context=kind-clustermesh1 --namespace=kube-system -- \
    clustermesh-apiserver shell kvstore/list cilium/state/services

# Check serviceexports in kvstore
kubectl exec deploy/clustermesh-apiserver -c kvstoremesh \
    --context=kind-clustermesh1 --namespace=kube-system -- \
    clustermesh-apiserver shell kvstore/list cilium/state/serviceexports

---

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• All commits are signed off. See the section Developer's Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Thanks for contributing!

Add global namespace filtering support to service sync and MCS API service exports for improved ClusterMesh scalability

[maintainer-s-little-helper]

Commit 6a96074 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commit 6a96074 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commit ec7ea5b does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[maintainer-s-little-helper]

Commit d569d22 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

[MrFreezeex]

Hi 👋, thanks for the PR, could you cleanup your git history so that it only includes the relevant commit, thanks!

[anubhabMajumdar]

Left comments for service_sync.go. Lot of the comments apply for serviceexportsync.go too.
Also, can you add new tests under testdata to cover the new scenarios?
Thanks!

[anubhabMajumdar]

/ci-kpr

[giorio94]

Please apply the patch from the inline comment to fix the unreliable test. Looks good to me otherwise.

[giorio94]

Thanks!

[giorio94]

/test

[giorio94]

@jimassa It looks like this PR picked a conflict, and will need to be rebased.

[giorio94]

/test

[giorio94]

@cilium/operator Gentle ping 🙏

[anubhabMajumdar]

/ci-l3-l4