fix(kubernetes): cache unstructured resources and disable deep copy

[aponysus]

What type of PR is this?
fix(kubernetes)

What this PR does / why we need it:
This PR improves performance when listing unstructured extension resources by:

• enabling cache-backed reads for unstructured resources via client.CacheOptions{Unstructured: true} on the manager client, and
• using client.UnsafeDisableDeepCopy on the unstructured List() call to avoid per-object deep copies.

Safety: the listed objects are treated as read-only in this path, so UnsafeDisableDeepCopy is safe here.
Scope: I intentionally did not apply client.UnsafeDisableDeepCopy to the unstructured List in internal/provider/kubernetes/controller.go because processExtensionServerPolicies mutates the listed objects (e.g., deletes status and later writes policy.Object["status"]). That path would require per-item copying to remain safe.

Which issue(s) this PR fixes:
Fixes #7626

Release Notes: No

[codecov]

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.53%. Comparing base (626a08a) to head (82047e3).
⚠️ Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/provider/kubernetes/filters.go	0.00%	0 Missing and 2 partials ⚠️

❌ Your patch status has failed because the patch coverage (0.00%) is below the target coverage (60.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7822   +/-   ##
=======================================
  Coverage   73.52%   73.53%           
=======================================
  Files         237      237           
  Lines       35653    35653           
=======================================
+ Hits        26214    26216    +2     
+ Misses       7576     7574    -2     
  Partials     1863     1863           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[jukie]

Did you take a pprof to confirm and if so could you include the results please?

[aponysus]

Did you take a pprof to confirm and if so could you include the results please?

I tried to validate this with the project’s make benchmark workflow (kind + nighthawk) per the docs.

I was able to get the benchmark harness to create the proxy LB service (envoy-benchmark-test-benchmark-0520098c, VIP 172.25.0.201:8081), but the run consistently times out on the HTTP readiness checks. Debugging indicates the service endpoint becomes stale / has no backing pod IP (e.g. Endpoints shows 10.244.0.10:8081 but there is no pod with that IP), so requests never get a response and the benchmark aborts/cleans up.

Given that, I don’t currently have a reliable way to produce meaningful before/after benchmark numbers in my environment.

If you have a preferred/reliable benchmark setup (or can run make benchmark on your side), I’m happy to re-run with any specific configuration you recommend. Alternatively, since the helm install for benchmarks enables pprof (config.envoyGateway.admin.enablePprof=true), I can capture CPU/heap profiles from the control-plane during a workload you recommend and post those results instead.

[arkodg]

hey @aponysus, looks like there's also a WIP for this issue #7704, since it was raised earlier, prefer prioritizing that PR in.
It did have a stale help-wanted tag, which wasnt removed and caused confusion, sorry about that

[aponysus]

hey @aponysus, looks like there's also a WIP for this issue #7704, since it was raised earlier, prefer prioritizing that PR in. It did have a stale help-wanted tag, which wasnt removed and caused confusion, sorry about that

Thanks, I see #7704, but it doesn’t include the filters.go change from #7626 (using client.UnsafeDisableDeepCopy on the unstructured List() call).

My PR includes both pieces from the issue:

1. enable cache-backed reads for unstructured resources (without clobbering existing cache options), and
2. apply client.UnsafeDisableDeepCopy only on the specific List() call in filters.go (read-only path).

Happy to close this PR if you’d prefer to consolidate into #7704. I can cherry-pick my commits onto #7704 or open a small follow-up PR that only adds the filters.go change. What do you prefer?

[netlify]

✅ Deploy Preview for cerulean-figolla-1f9435 ready!

Name	Link
🔨 Latest commit	82047e3
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/6972accc712ee10008f31011
😎 Deploy Preview	https://deploy-preview-7822--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[arkodg]

hey @aponysus wanna rebase on top of #7704 ?

[Inode1]

@aponysus are you working on this?

[aponysus]

@arkodg and @Inode1 Sorry, I missed this. Yes, I'll rebase on #7704

[aponysus]

Rebasing onto upstream/main (includes merged #7704) as requested. No functional change from previous description above.

[aponysus]

Since #7704 added client.Options.Cache.Unstructured=true, I removed that from my change. Now this PR is isolated to applying client.UnsafeDisableDeepCopy only on the specific List() call in filters.go, which was specified in #7626

[jukie]

LGTM thanks!

[zirain]

/retest