Fix k8s nat manager logic and add --Xnat-kube-service-namespace flag

[alex123012]

PR description

Now the Kubernetes nat manager requires cluster-wide permissions (list service resources in all namespaces). Also, it has a bug: when multiple besu networks are configured in the same cluster with the same service names in different namespaces, the nat manager may set an inappropriate IP address for the besu node due to enumerating services from all namespaces and checking only their names.

I suggest adding a new flag: --Xnat-kube-service-namespace to specify a concrete besu node service namespace and not use a list of services, but a get request for a specific service.

Fixed Issue(s)

fixes #5002

[github-actions]

• I thought about documentation and added the doc-change-required label to this PR if updates are required.
• I thought about the changelog and included a changelog update if required.
• If my PR includes database changes (e.g. KeyValueSegmentIdentifier) I have thought about compatibility and performed forwards and backwards compatibility tests

[macfarla]

minor suggestions on help messages

[macfarla]

@alex123012 there's a couple of unit tests failing. you should be able to reproduce locally

Task :besu:test

BesuCommandTest > natManagerServiceNameCannotBeUsedWithNatDockerMethod FAILED
java.lang.AssertionError at BesuCommandTest.java:1971

BesuCommandTest > natManagerServiceNameCannotBeUsedWithNatNoneMethod FAILED
java.lang.AssertionError at BesuCommandTest.java:1981

[macfarla]

code looks ok - @alex123012 how would I verify that it's working? new to kubernetes

[alex123012]

So, you could try to use kind/minikube with https://github.com/Consensys/quorum-kubernetes repo with changed image. I've tested it with ibft2.

Something like a plan:

• Install minikube and kubectl.
• Build the besu image and load it to the minikube cluster (for example, with cache or other option in docs).
• Change images of besu in k8s manifests to image you've build (for example, here and you'll need to change it in all other files in this dir like in the example).
• Namespace in code is setted to besu by default, so you can omit the new flag, by you can explicitly set it here and in all other files in this dir.
• Go through quorum-kubernetes docs (minikube cluster is created in it).
• If all is good - check besu logs and find entries about K8S manager - it should have no errors

Note: for more restricted rules, to check, that all is ok - delete "list" verb from Role manifest and in other files in this dir do the same.

If you encounter any problems, you can write to me in telegram or email (makhonin.a.ru@gmail.com)

[alex123012]

@macfarla Wrote a few notes^

[alex123012]

@macfarla Hi!
Any updates here?:)

[garyschulte]

👍 , but we should make namespace optional in order to be backward compatible with prior behavior.

[garyschulte]

I think service namespace should be an Optional parameter to the manager. Not having to explicitly specify the namespace is a useful feature IMO, and can prevent breaking existing clustered implementations.

The presence or absence of the namespace can gate the behavior of finding first vs explicitly specify the target namespace

[garyschulte]

@alex123012 any word on this?

[macfarla]

@cdivitotawela any input on this PR?

[cdivitotawela]

@cdivitotawela any input on this PR?

Let me check whether I can run this on minikube and verify,

[lancemarks]

Testing successful with Kubernetes in AWS with v24.5.2 of Besu. There was one issue I ran into, I had to name the port 'discovery' or it would throw an error. I would have liked to been able to name it 'discovery-tcp' or 'p2p-tcp'.

[matthew1001]

Just wondering after talking to some others about K8S behaviour. Does the namespace need manually specifying via a config option, or can the K8S namespace of the Besu pod just be queried and used in discovering the service endpoint? A K8S service can't serve a pod in a different namespace anyway, so it's not clear if there's a reason to add the new --Xnat-kube-service-namespace instead of auto-discovering the pod's namespace.