resolver: migrate to EndpointSlice API

[rethil]

Description

Resolver is using deprecated Endpoint API (as for kubernetes 1.33), which should be replaced with EndpointSlice API (just like operator).
This PR also adds separate ServiceAccount for resolver (it was using default) and cleans up RBAC permissions for it.

Fixes #164

Type of change

Please delete options that are not relevant.

• [x Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

• local testing

Checklist:

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• A PR is open to update the helm chart (link)[https://github.com/truefoundry/elasti/tree/main/charts/elasti] if applicable
• I have updated the CHANGELOG.md file with the changes I made

Summary by CodeRabbit

• New Features

  • Added a dedicated ServiceAccount for the resolver component with customizable annotations.
  • Updated configuration to allow specifying annotations for the resolver's ServiceAccount.
  • Introduced new end-to-end test steps for scaling target deployments, patching deployments, simulating ElastiService, disabling autoscaling, and asserting service modes.

• Bug Fixes

  • Adjusted role bindings to use the new resolver-specific ServiceAccount instead of the default.

• Refactor

  • Updated permission rules to limit resolver access to only listing EndpointSlices, reducing unnecessary permissions.
  • Switched service readiness checks to use EndpointSlices for improved compatibility and reliability.
  • Simplified deployment readiness checks by relying on ready replicas count.
  • Streamlined installation process in end-to-end tests using Helm upgrade/install.
  • Enhanced test suite with new reset script integration and improved test orchestration.

[coderabbitai]

Walkthrough

This change updates the Elasti Helm chart and resolver to use Kubernetes EndpointSlices instead of the deprecated Endpoints API. It introduces a dedicated ServiceAccount for the resolver, adjusts RBAC permissions to only allow listing EndpointSlices, and updates the resolver's logic and configuration to reflect these changes.

Changes

Cohort / File(s)	Change Summary
Helm Chart: ServiceAccount and RBAC charts/elasti/templates/serviceaccount.yaml, charts/elasti/templates/resolver-additional-access-binding-rbac.yaml, charts/elasti/templates/resolver-additional-access-rbac.yaml, charts/elasti/templates/deployment.yaml, charts/elasti/values.yaml	- Added a dedicated ServiceAccount for the resolver. - Updated ClusterRoleBinding to bind to the new resolver ServiceAccount. - Narrowed ClusterRole permissions to only allow listing EndpointSlices. - Set resolver deployment to use the new ServiceAccount. - Added configuration for resolver ServiceAccount annotations.
Resolver Logic Update pkg/k8shelper/ops.go, resolver/internal/throttler/throttler.go	- Replaced deprecated Endpoints API usage with EndpointSlices API in service readiness checks. - Updated function signatures and internal calls to use the new logic.
Deployment Readiness Check Simplification operator/internal/controller/opsDeployment.go	- Simplified deployment readiness check by using ReadyReplicas field instead of inspecting deployment conditions.
E2E Test Enhancements tests/e2e/tests/08-resolver-multiple-endpoints/*, tests/e2e/Makefile, tests/e2e/manifest/reset.sh	- Added multiple KUTTL test steps to scale target deployment, patch deployment, simulate ElastiService, disable scaling, and assert modes. - Simplified apply-elasti Makefile target to use Helm upgrade/install. - Added reset step for KEDA ScaledObject in reset script.

Sequence Diagram(s)

sequenceDiagram
    participant Throttler
    participant K8sHelper
    participant KubernetesAPI

    Throttler->>K8sHelper: CheckIfServiceEndpointSliceActive(ns, svc)
    K8sHelper->>KubernetesAPI: List EndpointSlices (label: kubernetes.io/service-name=svc)
    KubernetesAPI-->>K8sHelper: Return EndpointSlice(s)
    K8sHelper->>Throttler: Return readiness status (true/false)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Replace deprecated Endpoints API with EndpointSlices API in resolver (#164)	✅
Update RBAC to grant only necessary permissions for EndpointSlices (#164)	✅
Ensure no deprecation warnings appear in resolver logs on Kubernetes v1.33+ (#164)	✅

Suggested reviewers

• shubhamrai1993

Poem

A rabbit hops through YAML fields,
Updating charts for modern yields.
EndpointSlices now in play,
Deprecated Endpoints hop away!
ServiceAccounts, RBAC neat,
Elasti’s updates—oh so sweet!
🐇✨

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d399a83 and 05d4db4.

📒 Files selected for processing (7)

• charts/elasti/templates/deployment.yaml (1 hunks)
• charts/elasti/templates/resolver-additional-access-binding-rbac.yaml (1 hunks)
• charts/elasti/templates/resolver-additional-access-rbac.yaml (1 hunks)
• charts/elasti/templates/serviceaccount.yaml (1 hunks)
• charts/elasti/values.yaml (1 hunks)
• pkg/k8shelper/ops.go (2 hunks)
• resolver/internal/throttler/throttler.go (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

charts/elasti/templates/resolver-additional-access-binding-rbac.yaml

[error] 13-13: too many spaces inside braces

(braces)

---

[error] 13-13: too many spaces inside braces

(braces)

charts/elasti/templates/resolver-additional-access-rbac.yaml

[error] 8-8: wrong indentation: expected 2 but found 0

(indentation)

charts/elasti/templates/serviceaccount.yaml

[error] 9-9: too many spaces inside braces

(braces)

---

[error] 14-14: too many spaces inside braces

(braces)

---

[error] 14-14: too many spaces inside braces

(braces)

---

[error] 17-17: too many spaces inside braces

(braces)

---

[error] 19-19: too many spaces inside braces

(braces)

🔇 Additional comments (9)

resolver/internal/throttler/throttler.go (1)

102-102: LGTM! Correctly migrates to EndpointSlice API.

The method call has been properly updated from CheckIfServiceEndpointActive to CheckIfServiceEndpointSliceActive, aligning with the migration from the deprecated Kubernetes Endpoint API to the EndpointSlice API. The rest of the function logic remains appropriately unchanged.

charts/elasti/templates/deployment.yaml (1)

137-137: LGTM! Properly assigns dedicated ServiceAccount.

The resolver deployment now uses a dedicated ServiceAccount instead of the default one, which improves security posture by enabling more granular RBAC permissions. The naming convention follows Kubernetes best practices.

charts/elasti/values.yaml (1)

71-72: LGTM! Adds proper ServiceAccount configuration.

The addition of the serviceAccount section with an empty annotations map provides a clean configuration structure for the new resolver ServiceAccount, following standard Helm chart patterns.

charts/elasti/templates/resolver-additional-access-binding-rbac.yaml (1)

13-14: LGTM! Correctly binds to dedicated ServiceAccount.

The ClusterRoleBinding now properly references the new dedicated resolver ServiceAccount instead of the default one, ensuring the resolver component gets the appropriate permissions.

Note: The static analysis warning about "too many spaces inside braces" is a false positive - the {{ }} syntax is correct Helm templating.

charts/elasti/templates/resolver-additional-access-rbac.yaml (1)

8-10: Excellent security improvement with EndpointSlice API migration.

The RBAC permissions have been significantly refined following the principle of least privilege - replacing broad permissions on multiple resources with focused "list" access to EndpointSlices in the correct discovery.k8s.io API group. This aligns perfectly with the code changes that now use EndpointSlices instead of the deprecated Endpoints API.

charts/elasti/templates/serviceaccount.yaml (2)

10-19: LGTM! Good separation of concerns with dedicated ServiceAccount.

The addition of a separate ServiceAccount for the resolver component follows security best practices by implementing the principle of least privilege. Each component now has its own identity with tailored RBAC permissions.

---

9-9: Ignore yamllint false positives for Helm template syntax.

The yamllint errors about "too many spaces inside braces" are false positives. The {{ }} syntax is standard Helm templating and the spacing follows Helm best practices for readability.

Also applies to: 19-19

pkg/k8shelper/ops.go (2)

8-8: LGTM! Correct import for EndpointSlice API.

The import of discoveryv1 API is appropriate for the migration from deprecated Endpoints to EndpointSlices.

---

39-43: LGTM! Correct API usage and label selector.

The function correctly uses the DiscoveryV1 API and the proper label selector discoveryv1.LabelServiceName to filter EndpointSlices by service name.

[coderabbitai]

Actionable comments posted: 9

🔭 Outside diff range comments (1)

tests/e2e/tests/08-resolver-multiple-endpoints/03-disable-scaling.yaml (1)

1-8: ScaledObject manifest is invalid – missing required spec or use a patch step instead.

ScaledObject CRD requires a non-empty spec (at least scaleTargetRef & one trigger).
Applying this manifest will fail server-side validation and abort the test run.

If the goal is merely to pause an already existing ScaledObject, switch the file to a KUTTL patch step:

-apiVersion: keda.sh/v1alpha1
-kind: ScaledObject
-metadata:
-  name: target-scaled-object
-  namespace: target
-  annotations:
-    autoscaling.keda.sh/paused: "true"
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  # Pause KEDA autoscaling for the existing ScaledObject
+  - command: kubectl annotate scaledobject.keda.sh target-scaled-object -n target autoscaling.keda.sh/paused=true --overwrite

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b6055c and a282cf3.

📒 Files selected for processing (12)

• operator/internal/controller/opsDeployment.go (1 hunks)
• tests/e2e/Makefile (1 hunks)
• tests/e2e/manifest/reset.sh (1 hunks)
• tests/e2e/tests/08-resolver-multiple-endpoints/00-scale-to-0-target.yaml (1 hunks)
• tests/e2e/tests/08-resolver-multiple-endpoints/01-patch-deployment.yaml (1 hunks)
• tests/e2e/tests/08-resolver-multiple-endpoints/02-patch-elasti-service.yaml (1 hunks)
• tests/e2e/tests/08-resolver-multiple-endpoints/03-disable-scaling.yaml (1 hunks)
• tests/e2e/tests/08-resolver-multiple-endpoints/04-scale-to-1-target.yaml (1 hunks)
• tests/e2e/tests/08-resolver-multiple-endpoints/05-assert-mode-proxy.yaml (1 hunks)
• tests/e2e/tests/08-resolver-multiple-endpoints/06-scale-to-2-target.yaml (1 hunks)
• tests/e2e/tests/08-resolver-multiple-endpoints/07-assert-mode-serve.yaml (1 hunks)
• tests/e2e/tests/08-resolver-multiple-endpoints/99-reset.yaml (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: in kubeelasti e2e tests, kuttl teststep scripts do not run inside the kuttl container - they run in ...

Learnt from: rethil
PR: truefoundry/KubeElasti#154
File: tests/e2e/tests/06-resolver-endpoint-sync/05-check-endpointslice-with-resolver-scaled-to-0.yaml:16-17
Timestamp: 2025-07-21T19:06:12.083Z
Learning: In KubeElasti E2E tests, kuttl TestStep scripts do not run inside the kuttl container - they run in the host environment or separate execution context, so external dependencies like `jq` should be documented as E2E test prerequisites rather than worrying about container image contents.

Applied to files:

• tests/e2e/tests/08-resolver-multiple-endpoints/99-reset.yaml
• tests/e2e/manifest/reset.sh
• tests/e2e/Makefile
• tests/e2e/tests/08-resolver-multiple-endpoints/07-assert-mode-serve.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/05-assert-mode-proxy.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/00-scale-to-0-target.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/04-scale-to-1-target.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/01-patch-deployment.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/06-scale-to-2-target.yaml

📚 Learning: `jq` should be added as a prerequisite for running kubeelasti e2e tests since it's used in test scri...

Learnt from: rethil
PR: truefoundry/KubeElasti#154
File: tests/e2e/tests/06-resolver-endpoint-sync/05-check-endpointslice-with-resolver-scaled-to-0.yaml:16-17
Timestamp: 2025-07-21T19:06:12.083Z
Learning: `jq` should be added as a prerequisite for running KubeElasti E2E tests since it's used in test scripts like `tests/e2e/tests/06-resolver-endpoint-sync/05-check-endpointslice-with-resolver-scaled-to-0.yaml` for JSON parsing.

Applied to files:

• tests/e2e/tests/08-resolver-multiple-endpoints/99-reset.yaml
• tests/e2e/manifest/reset.sh
• tests/e2e/Makefile
• tests/e2e/tests/08-resolver-multiple-endpoints/07-assert-mode-serve.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/05-assert-mode-proxy.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/00-scale-to-0-target.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/04-scale-to-1-target.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/01-patch-deployment.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/02-patch-elasti-service.yaml
• tests/e2e/tests/08-resolver-multiple-endpoints/06-scale-to-2-target.yaml

📚 Learning: the elastiservice.spec.triggers[].metadata.query field in kubeelasti has a broader attack vector for...

Learnt from: rethil
PR: truefoundry/KubeElasti#153
File: pkg/scaling/scalers/prometheus_scaler.go:46-46
Timestamp: 2025-07-21T17:07:03.263Z
Learning: The ElastiService.spec.triggers[].metadata.query field in KubeElasti has a broader attack vector for Prometheus query injection compared to the uptimeFilter parameter, as it allows arbitrary Prometheus queries to be executed.

Applied to files:

• tests/e2e/tests/08-resolver-multiple-endpoints/02-patch-elasti-service.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: test (/home/runner/work/KubeElasti/KubeElasti/resolver)
• GitHub Check: test (/home/runner/work/KubeElasti/KubeElasti/operator)
• GitHub Check: test (/home/runner/work/KubeElasti/KubeElasti/pkg)
• GitHub Check: Run Kuttl E2E Tests

🔇 Additional comments (3)

tests/e2e/tests/08-resolver-multiple-endpoints/02-patch-elasti-service.yaml (1)

7-14: Prometheus trigger uses a literal vector(1) query – confirm this is intentional.

vector(1) always returns 1 and effectively disables threshold-based scaling. If the intent is to keep the service perpetually “up” for this scenario, leave as-is; otherwise consider a more realistic metric to avoid masking issues in future tests.

tests/e2e/Makefile (1)

89-89: LGTM! Excellent simplification using Helm best practices.

The replacement of the multi-step conditional installation process with helm upgrade --install --create-namespace is a significant improvement. This single command handles namespace creation, installation, and upgrades idempotently, eliminating the need for manual deployment existence checks and template rendering.

operator/internal/controller/opsDeployment.go (1)

30-30: LGTM! Cleaner readiness check logic.

The direct check on ReadyReplicas > 0 is more straightforward than the previous condition logic. This field specifically tracks ready and available replicas, making it the ideal metric for determining when to switch to serve mode.

[rethil]

Hey @ramantehlan & @shubhamrai1993, this one is ready for review.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1224c45 and 8093c05.

📒 Files selected for processing (2)

• charts/elasti/templates/deployment.yaml (1 hunks)
• charts/elasti/values.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: test (/home/runner/work/KubeElasti/KubeElasti/operator)
• GitHub Check: test (/home/runner/work/KubeElasti/KubeElasti/resolver)
• GitHub Check: test (/home/runner/work/KubeElasti/KubeElasti/pkg)
• GitHub Check: golangci-lint (/home/runner/work/KubeElasti/KubeElasti/operator)
• GitHub Check: Run Kuttl E2E Tests

🔇 Additional comments (2)

charts/elasti/templates/deployment.yaml (1)

139-142: Resolver ServiceAccount and RBAC binding confirmed
Both the ServiceAccount and its ClusterRoleBinding are present in the same release, so the Deployment will have its SA rendered and bound before rollout:

• charts/elasti/templates/serviceaccount.yaml (lines 11–17): defines
  name: {{ include "elasti.fullname" . }}-resolver
• charts/elasti/templates/resolver-additional-access-binding-rbac.yaml (lines 12–14): binds that SA as a subject of the ClusterRoleBinding

Helm’s default ordering guarantees ServiceAccounts and RBAC objects are created before Deployments, and there are no helm.sh/hook annotations on these resources.

charts/elasti/values.yaml (1)

90-92: Configuration addition looks good

Adding an annotations map keeps the chart extensible and matches the controller’s configuration block. No further action required.