Merge branch 'feat/http-traffic-metering' into feat/envoy-logs

Author: JoseSzycho

.github/workflows/publish.yaml

@@ -23,6 +23,9 @@ jobs:
     secrets: inherit
 
   publish-kustomize-bundles:
+    # The bundle pins image references to this build, so only publish it once
+    # the container image has been built and pushed.
+    needs: publish-container-image
     permissions:
       id-token: write
       contents: read

Taskfile.yaml

@@ -1,6 +1,10 @@
 version: '3'
 
 includes:
+  # Documentation tasks
+  docs:
+    taskfile: ./docs/Taskfile.yaml
+    dir: ./docs
   dev:
     taskfile: ./Taskfile.dev.yaml
 
@@ -77,4 +81,9 @@ tasks:
             echo ""
             echo "🎉 All Prometheus rule tests passed."
           fi
-      silent: false
+      silent: false
+
+  generate:
+    desc: Run code generation (deepcopy, defaults)
+    deps:
+      - task: docs:generate

api/v1alpha1/groupversion_info.go

@@ -22,6 +22,22 @@ var (
 	AddToScheme = SchemeBuilder.AddToScheme
 )
 
+// UpstreamStatusAnnotation carries a verbatim copy of a resource's upstream
+// .status subresource down to edge member clusters.
+//
+// A resource's status is computed authoritatively in the Project control plane.
+// Karmada propagates a resource template's spec and metadata
+// (labels/annotations) to member clusters but NOT the status subresource, so a
+// member-cluster object never carries its upstream status. For resource types
+// whose downstream consumer needs that status (e.g. the edge extension server
+// reading Connector liveness), the replicator mirrors the full upstream status
+// JSON into this annotation — which Karmada DOES propagate — and the consumer
+// parses it back, falling back to the live status when the annotation is absent.
+//
+// The value is the resource's .status object marshalled to JSON verbatim; it is
+// resource-agnostic and carries no bespoke schema.
+const UpstreamStatusAnnotation = "networking.datumapis.com/upstream-status"
+
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(GroupVersion,
 		&Connector{},

config/extension-server/deployment.yaml

@@ -37,6 +37,7 @@ spec:
         - maxSkew: 1
           topologyKey: kubernetes.io/hostname
           whenUnsatisfiable: DoNotSchedule
+          nodeTaintsPolicy: Honor
           labelSelector:
             matchLabels:
               app.kubernetes.io/component: envoy-gateway-extension-server
@@ -123,6 +124,13 @@ spec:
             - name: tls-ca
               mountPath: /tls-ca
               readOnly: true
+            # Branded data-plane error pages. Backed by an OPTIONAL ConfigMap so
+            # the pod starts even when the ConfigMap is absent — the extension
+            # server then serves the page compiled into the operator image.
+            # The operator config's gateway.errorPage.bodyPath points here.
+            - name: error-pages
+              mountPath: /etc/datum/error-pages
+              readOnly: true
       terminationGracePeriodSeconds: 20
       volumes:
         # issuer-name and dns-names are placeholders — an overlay must patch them.
@@ -144,3 +152,14 @@ spec:
             items:
               - key: ca.crt
                 path: ca.crt
+        # Optional branded error-page content. The ConfigMap is created in the
+        # infrastructure (GitOps) repo and carries the key error-5xx.html. With
+        # optional: true the pod starts cleanly when it is absent, in which case
+        # the extension server serves the embedded default page.
+        - name: error-pages
+          configMap:
+            name: envoy-error-pages
+            optional: true
+            items:
+              - key: error-5xx.html
+                path: error-5xx.html

config/manager/config.yaml

@@ -13,3 +13,18 @@ gateway:
   #
   # Default: false. Set to true in environments where dns-operator is deployed.
   enableDNSIntegration: false
+  # errorPage configures the branded data-plane error page served by the
+  # extension server for edge-generated 5xx responses on the downstream /
+  # Connector data plane (e.g. an offline Connector tunnel). When enabled, the
+  # extension server attaches an Envoy local_reply_config to every customer-
+  # facing HCM so visitors see a branded "temporarily unavailable" page instead
+  # of a raw body like "no healthy upstream".
+  #
+  # bodyPath points at the optional ConfigMap mount (volume "error-pages" in
+  # config/extension-server/deployment.yaml). When the file is absent or empty,
+  # the page compiled into the operator image is used as the fallback — content
+  # problems never block xDS or fail startup.
+  errorPage:
+    enabled: true
+    bodyPath: /etc/datum/error-pages/error-5xx.html
+    minStatusCode: 500

config/resource-metrics-policies/networking-metrics.yaml

@@ -74,6 +74,30 @@ spec:
                 - name: status
                   value: "item.status"
 
+    - name: network-status-condition-last-transition-time
+      resource:
+        group: networking.datumapis.com
+        version: v1alpha
+        resource: networks
+      families:
+        - name: datum_cloud_network_status_condition_last_transition_time
+          help: "last transition time for status conditions"
+          type: gauge
+          metrics:
+            - forEach: "has(object.status) && has(object.status.conditions) ? object.status.conditions : []"
+              value: "double(timestamp(item.lastTransitionTime).getSeconds())"
+              labels:
+                - name: name
+                  value: "object.metadata.name"
+                - name: namespace
+                  value: "object.metadata.namespace"
+                - name: condition
+                  value: "item.type"
+                - name: reason
+                  value: "item.reason"
+                - name: status
+                  value: "item.status"
+
     # -------------------------------------------------------------------------
     # NetworkBinding
     # -------------------------------------------------------------------------
@@ -378,6 +402,34 @@ spec:
                 - name: status
                   value: "item.status"
 
+    - name: subnet-status-condition-last-transition-time
+      resource:
+        group: networking.datumapis.com
+        version: v1alpha
+        resource: subnets
+      families:
+        - name: datum_cloud_subnet_status_condition_last_transition_time
+          help: "last transition time for status conditions"
+          type: gauge
+          metrics:
+            - forEach: "has(object.status) && has(object.status.conditions) ? object.status.conditions : []"
+              value: "double(timestamp(item.lastTransitionTime).getSeconds())"
+              labels:
+                - name: name
+                  value: "object.metadata.name"
+                - name: namespace
+                  value: "object.metadata.namespace"
+                - name: network_name
+                  value: "object.spec.network.name"
+                - name: network_namespace
+                  value: "object.spec.network.namespace"
+                - name: condition
+                  value: "item.type"
+                - name: reason
+                  value: "item.reason"
+                - name: status
+                  value: "item.status"
+
     # -------------------------------------------------------------------------
     # SubnetClaim
     # -------------------------------------------------------------------------
@@ -472,6 +524,34 @@ spec:
                 - name: status
                   value: "item.status"
 
+    - name: subnet-claim-status-condition-last-transition-time
+      resource:
+        group: networking.datumapis.com
+        version: v1alpha
+        resource: subnetclaims
+      families:
+        - name: datum_cloud_subnet_claim_status_condition_last_transition_time
+          help: "last transition time for status conditions"
+          type: gauge
+          metrics:
+            - forEach: "has(object.status) && has(object.status.conditions) ? object.status.conditions : []"
+              value: "double(timestamp(item.lastTransitionTime).getSeconds())"
+              labels:
+                - name: name
+                  value: "object.metadata.name"
+                - name: namespace
+                  value: "object.metadata.namespace"
+                - name: network_name
+                  value: "object.spec.network.name"
+                - name: network_namespace
+                  value: "object.spec.network.namespace"
+                - name: condition
+                  value: "item.type"
+                - name: reason
+                  value: "item.reason"
+                - name: status
+                  value: "item.status"
+
     # -------------------------------------------------------------------------
     # Location
     # -------------------------------------------------------------------------
@@ -799,6 +879,30 @@ spec:
                 - name: status
                   value: "item.status"
 
+    - name: http-proxy-status-condition-last-transition-time
+      resource:
+        group: networking.datumapis.com
+        version: v1alpha
+        resource: httpproxies
+      families:
+        - name: datum_cloud_networking_http_proxy_status_condition_last_transition_time
+          help: "last transition time for status conditions"
+          type: gauge
+          metrics:
+            - forEach: "has(object.status) && has(object.status.conditions) ? object.status.conditions : []"
+              value: "double(timestamp(item.lastTransitionTime).getSeconds())"
+              labels:
+                - name: name
+                  value: "object.metadata.name"
+                - name: namespace
+                  value: "object.metadata.namespace"
+                - name: condition
+                  value: "item.type"
+                - name: reason
+                  value: "item.reason"
+                - name: status
+                  value: "item.status"
+
     - name: http-proxy-custom-hostname
       resource:
         group: networking.datumapis.com

docs/Taskfile.yaml

@@ -0,0 +1,69 @@
+version: '3'
+
+vars:
+  DIAGRAMS_DIR: "{{.ROOT_DIR}}/docs/diagrams"
+  OUTPUT_FORMAT: "png"
+  PLANTUML_IMAGE: plantuml/plantuml:1.2026.4
+
+tasks:
+  generate:
+    desc: Generate all documentation artifacts (diagrams, etc.)
+    cmds:
+      - task: diagrams:render
+    silent: true
+
+  diagrams:
+    desc: Generate all architecture diagrams from PlantUML
+    cmds:
+      - task: diagrams:render
+    silent: true
+
+  diagrams:render:
+    desc: Render PlantUML diagrams to PNG format using Docker
+    cmds:
+      - |
+        set -e
+        echo "Rendering PlantUML diagrams..."
+        echo ""
+
+        # Check if PlantUML files exist
+        if ! ls {{.DIAGRAMS_DIR}}/*.puml >/dev/null 2>&1; then
+          echo "❌ Error: PlantUML source files (*.puml) not found in {{.DIAGRAMS_DIR}}"
+          exit 1
+        fi
+
+        # Render using Docker (no local installation required)
+        docker run --rm \
+          -v "{{.DIAGRAMS_DIR}}":/data \
+          {{.PLANTUML_IMAGE}} \
+          -t{{.OUTPUT_FORMAT}} \
+          /data/*.puml
+
+        echo ""
+        echo "✅ Diagrams rendered in {{.DIAGRAMS_DIR}}"
+        echo ""
+        echo "Generated files:"
+        ls -1 {{.DIAGRAMS_DIR}}/*.{{.OUTPUT_FORMAT}} 2>/dev/null | xargs -n1 basename || echo "No output files found"
+    silent: true
+
+  diagrams:clean:
+    desc: Remove generated diagram files
+    cmds:
+      - |
+        rm -f {{.DIAGRAMS_DIR}}/*.png {{.DIAGRAMS_DIR}}/*.svg
+        echo "✅ Generated diagram files removed"
+    silent: true
+
+  diagrams:validate:
+    desc: Validate PlantUML syntax using Docker
+    cmds:
+      - |
+        set -e
+        echo "Validating PlantUML diagrams..."
+        docker run --rm \
+          -v "{{.DIAGRAMS_DIR}}":/data \
+          {{.PLANTUML_IMAGE}} \
+          -syntax \
+          /data/*.puml
+        echo "✅ All diagrams are valid"
+    silent: true

docs/diagrams/http-metering-c4.png

@@ -0,0 +1,25 @@
+@startuml http-metering-c4
+!include https://raw.githubusercontent.com/plantuml-stdlib/C4-PlantUML/master/C4_Container.puml
+
+LAYOUT_WITH_LEGEND()
+
+title C4 Container Diagram - HTTP Traffic Metering System
+
+Person(client, "End User / Client", "Requests services exposed via Datum Cloud Edge")
+
+System_Boundary(edge_cluster, "Edge Cluster") {
+    Container(envoy, "Envoy Gateway Proxy", "Envoy/Go", "Handles ingress HTTP traffic, terminates TLS, enforces WAF/rate-limiting, emits JSON access logs to stdout")
+    Container(vector_collector, "billing-usage-collector-vector", "Vector DaemonSet (Billing)", "Tails Envoy container logs, parses JSON access logs, translates to CloudEvents, and forwards them to the Billing System")
+    Container(nso, "Network Services Operator", "Go", "Deploys Envoy Gateway and configures EnvoyProxy logging policies")
+}
+
+System_Boundary(control_plane, "Platform Control Plane") {
+    Container(billing_system, "Billing System & Service Catalog", "Platform Service", "Handles service registration, event validation, attribution, and storage")
+}
+
+Rel(client, envoy, "Sends HTTPS requests to", "HTTPS")
+Rel(nso, envoy, "Configures & manages", "Kubernetes API / EnvoyProxy CR")
+Rel_D(envoy, vector_collector, "Outputs JSON access logs to", "stdout / container logs")
+Rel_D(vector_collector, billing_system, "Forwards batched events to", "HTTPS CloudEvents")
+
+@enduml