Use shorter DNS name for pod-to-pod networking (#764)

<!--Thanks for your contribution. See [CONTRIBUTING](CONTRIBUTING.md)
    for Pulumi's contribution guidelines.

    Help us merge your changes more quickly by adding more details such
    as labels, milestones, and reviewers.-->

### Proposed changes

<!--Give us a brief description of what you've done and what it solves.
-->

Eliminates the use of the hardcoded DNS suffix "svc.cluster.local", e.g.
to support ["VPC scope
DNS"](https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns#vpc_scope_dns).

### Workspace RPC
For workspace RPC connectivity, the operator now uses the
"namespace-scoped" short name of the workspace pod, e.g.
`guestbook-workspace.default` rather than
`guestbook-workspace.default.svc.cluster.local.`.

```
❯ kubectl get workspace
NAME                      IMAGE                           READY   ADDRESS
kubernetes-py-guestbook   pulumi/pulumi:3.134.1-nonroot   True    kubernetes-py-guestbook-workspace.default:50051
```

This approach is an improvement but isn't ideal for cross-cluster
communication. A possible future enhancement would be to fully resolve
the address to be persisted in the status block (e.g. to
`guestbook-workspace.default.svc.cluster1.`).

See [DNS for Services and
Pods](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#namespaces-of-services)
for more information, which says:
> In summary, a Pod in the `test` namespace can successfully resolve
either `data.prod` or `data.prod.svc.cluster.local`.


### Program Artifact

The program artifact is fetched by workspace pods from the controller
itself, based on the configured advertised address. This PR shortens the
advertised address used by the default installation manifest, and
updates the Helm chart to support a configurable override.

```
❯ kubectl get program
NAME          AGE   URL
random-yaml   28m   http://pulumi-kubernetes-operator.pulumi-kubernetes-operator:80/programs/default/random-yaml
```


### Related issues (optional)

<!--Refer to related PRs or issues: #1234, or 'Fixes #1234' or 'Closes
#1234'.
Or link to full URLs to issues or pull requests in other GitHub
repositories. -->

Closes #759

CHANGELOG.md

@@ -7,6 +7,7 @@ CHANGELOG
 - Stack Controller: fix an issue where new commits weren't detected when using git sources. https://github.com/pulumi/pulumi-kubernetes-operator/issues/762
 - Ensure cleanup of Stack in foreground deletion. [#760](https://github.com/pulumi/pulumi-kubernetes-operator/pull/760)
 - Register API resources into the "pulumi" category [#765](https://github.com/pulumi/pulumi-kubernetes-operator/pull/765)
+- Use shorter DNS name for pod-to-pod networking. [#764](https://github.com/pulumi/pulumi-kubernetes-operator/pull/764)
 
 ## 2.0.0-beta.2 (2024-11-11)
 

deploy/helm/pulumi-operator/templates/_helpers.tpl

@@ -60,3 +60,14 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the advertised address for the controller
+*/}}
+{{- define "pulumi-kubernetes-operator.advertisedAddress" -}}
+{{- if .Values.controller.advertisedAddress }}
+{{- .Values.controller.advertisedAddress }}
+{{- else }}
+{{- include "pulumi-kubernetes-operator.fullname" . }}.$(POD_NAMESPACE)
+{{- end }}
+{{- end }}

deploy/helm/pulumi-operator/templates/deployment.yaml

@@ -38,7 +38,7 @@ spec:
         - --leader-elect
         - --health-probe-bind-address=:8081
         - --metrics-bind-address=:8383
-        - --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE).svc.cluster.local:80
+        - --program-fs-adv-addr={{ include "pulumi-kubernetes-operator.advertisedAddress" . }}:80
         - --zap-log-level={{ .Values.controller.logLevel }}
         - --zap-time-encoding=iso8601
         env:

deploy/helm/pulumi-operator/values.yaml

@@ -23,6 +23,8 @@ imagePullSecrets: ""
 controller:
   # -- Log Level ('debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity)
   logLevel: error
+  # -- the advertised address for the controller's service
+  # advertisedAddress: "pulumi-kubernetes-operator.pulumi-kubernetes-operator.svc.cluster.local"
 
 # -- Extra Environments to be passed to the operator
 extraEnv: []

deploy/yaml/install.yaml

@@ -28587,7 +28587,7 @@ spec:
         - --metrics-bind-address=:8443
         - --leader-elect
         - --health-probe-bind-address=:8081
-        - --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE).svc.cluster.local:80
+        - --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE):80
         - --zap-log-level=info
         - --zap-time-encoding=iso8601
         env:

operator/cmd/main_test.go

@@ -42,6 +42,10 @@ func TestDetermineAdvAddr(t *testing.T) {
 			addr: "0.0.0.0:9090",
 			want: fakehostname + ":9090",
 		},
+		{
+			addr: "fake.default:9090",
+			want: "fake.default:9090",
+		},
 		{
 			addr: "fake.default.svc.cluster.local:9090",
 			want: "fake.default.svc.cluster.local:9090",

operator/config/manager/manager.yaml

@@ -43,7 +43,7 @@ spec:
             - /manager
             - --leader-elect
             - --health-probe-bind-address=:8081
-            - --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE).svc.cluster.local:80
+            - --program-fs-adv-addr=pulumi-kubernetes-operator.$(POD_NAMESPACE):80
             - --zap-log-level=info
             - --zap-time-encoding=iso8601
           ports:

operator/examples/random-yaml/workspace.yaml → operator/examples/auto/workspace.yaml

@@ -14,14 +14,9 @@ spec:
   image: pulumi/pulumi:3.134.1-nonroot
   securityProfile: restricted
   serviceAccountName: default
-
-  # git:
-  #   url: https://github.com/pulumi/examples.git
-  #   revision: 1e2fc471709448f3c9f7a250f28f1eafcde7017b
-  #   dir: random-yaml
-  flux:
-    url: http://source-controller.flux-system.svc.cluster.local./gitrepository/default/pulumi-examples/1e2fc471709448f3c9f7a250f28f1eafcde7017b.tar.gz
-    digest: sha256:6560311e95689086aa195a82c0310080adc31bea2457936ce528a014d811407a
+  git:
+    url: https://github.com/pulumi/examples.git
+    revision: 1e2fc471709448f3c9f7a250f28f1eafcde7017b
     dir: random-yaml
   env:
     - name: PULUMI_ACCESS_TOKEN

operator/examples/program/stack.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: random-yaml-program
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: random-yaml-program:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: random-yaml-program
+  namespace: default
+---
+apiVersion: pulumi.com/v1
+kind: Stack
+metadata:
+  name: random-yaml-program
+  namespace: default
+spec:
+  serviceAccountName: random-yaml-program
+  programRef:
+    name: random-yaml
+  stack: random-yaml-program
+  refresh: true
+  destroyOnFinalize: true
+  envRefs:
+    PULUMI_ACCESS_TOKEN:
+      type: Secret
+      secret:
+        name: pulumi-api-secret
+        key: accessToken
+  workspaceTemplate:
+    spec:
+      image: pulumi/pulumi:3.134.1-nonroot
+

operator/internal/controller/auto/workspace_controller.go

@@ -395,7 +395,7 @@ func nameForService(w *autov1alpha1.Workspace) string {
 }
 
 func fqdnForService(w *autov1alpha1.Workspace) string {
-	return fmt.Sprintf("%s.%s.svc.cluster.local", nameForService(w), w.Namespace)
+	return fmt.Sprintf("%s.%s", nameForService(w), w.Namespace)
 }
 
 func labelsForStatefulSet(w *autov1alpha1.Workspace) map[string]string {

operator/internal/controller/pulumi/program_controller_test.go

@@ -42,7 +42,7 @@ var _ = Describe("Program Controller", func() {
 	BeforeEach(func() {
 		ctx = context.Background()
 
-		advertisedAddress = "http://fake-svc.fake-namespace.svc.cluster.local"
+		advertisedAddress = "http://fake-svc.fake-namespace"
 
 		r = &ProgramReconciler{
 			Client:   k8sClient,