Upgrade Kubernetes clients and related dependencies in kubernetes-overlord-extensions and druid-kubernetes-extensions (#19071)

* fabric8 bump checkpoint

* expose webclientoptions in configuration and override additionalconfig for vertx

* document new power

* Remove unnecessary complication of the druid vertx factory wrapper

* use junit5

* bump okhttp to try and fix a dependency enforcer

* update licenses.yaml

* nit spacing

* min dep enforcer requires bump of kotlin-stdlib

* tinkering with licenses yaml

* Bump kubernetes-extensions k8s dep so we can align on okhttp

also get a bunch of other licenses in line

* cleanup object mapper for k8s-ol-ext

* minor dep updates + exclude protobuf from druid-kubernetes-extensions

* Keep working on getting these dependencies to play nicely together

* Update aws sdk in licenses

* fix kubernetes-extensions pom

* Working on static checks still

* k8s overlord ext pom

Author: capistrant

docs/development/extensions-core/k8s-jobs.md

@@ -911,6 +911,35 @@ was [okhttp](https://github.com/fabric8io/kubernetes-client/tree/main/httpclient
 |`druid.indexer.runner.k8sAndWorker.http.vertx.eventLoopPoolSize`|`Integer`|...|`2 * number cores`|No|
 |`druid.indexer.runner.k8sAndWorker.http.vertx.internalBlockingPoolSize`|`Integer`|...|20|No|
 
+##### `WebClientOptions` pass-through
+
+The vert.x HTTP client also supports a generic pass-through for any property on the underlying Vert.x [`WebClientOptions`](https://vertx.io/docs/apidocs/io/vertx/ext/web/client/WebClientOptions.html) object (which extends [`HttpClientOptions`](https://vertx.io/docs/apidocs/io/vertx/core/http/HttpClientOptions.html)). This gives operators full control over connection pool behavior, timeouts, and other low-level HTTP client settings without requiring new Druid configuration fields.
+
+Set properties using the prefix `druid.indexer.runner.k8sAndWorker.http.vertx.webClientOptions.<propertyName>`, where `<propertyName>` matches the corresponding setter on `WebClientOptions` (e.g., `setMaxPoolSize` maps to `maxPoolSize`).
+
+**Tuning connection keep-alive timeouts**
+
+This pass-through is particularly useful for environments where an intermediate network component (such as an AWS ALB, or service mesh sidecar) closes idle connections before the client expects it. When this happens, the client may attempt to reuse a connection that the server has already closed, resulting in unexpected connection errors.
+
+To mitigate this, set the client-side keep-alive and idle timeouts to a value **lower** than the shortest server-side timeout in your network path. For example, if your AWS ALB has a 60 second idle timeout (the default), setting the client to 30 seconds ensures the client retires idle connections well before the server does:
+
+```properties
+druid.indexer.runner.k8sAndWorker.http.vertx.webClientOptions.keepAliveTimeout=30
+druid.indexer.runner.k8sAndWorker.http.vertx.webClientOptions.idleTimeout=30
+```
+
+**Commonly useful properties**
+
+|Property|Type|Description|Default|
+|--------|----|-----------|-------|
+|`keepAliveTimeout`|`Integer`|Seconds an idle HTTP keep-alive connection is retained before the client closes it.|`60`|
+|`idleTimeout`|`Integer`|Seconds a connection can remain idle before being closed. Acts as a general safety net alongside `keepAliveTimeout`.|`0` (disabled)|
+|`maxPoolSize`|`Integer`|Maximum number of connections in the pool per endpoint.|`5`|
+|`connectTimeout`|`Integer`|Milliseconds to wait when establishing a new connection.|`60000`|
+|`poolCleanerPeriod`|`Integer`|Milliseconds between pool sweeps that evict connections exceeding the above timeouts.|`1000`|
+
+Any property with a public setter on `WebClientOptions` or its parent classes (`HttpClientOptions`, `ClientOptionsBase`, `TCPSSLOptions`, `NetworkOptions`) can be set through this mechanism.
+
 #### OkHttp Client
 
 |Property| Possible Values |Description| Default |required|

embedded-tests/pom.xml

@@ -572,7 +572,6 @@
     <dependency>
       <groupId>io.kubernetes</groupId>
       <artifactId>client-java-api</artifactId>
-      <version>19.0.0</version>
       <scope>test</scope>
     </dependency>
     <dependency>

extensions-core/kubernetes-extensions/pom.xml

@@ -34,23 +34,6 @@
     <relativePath>../../pom.xml</relativePath>
   </parent>
 
-  <properties>
-    <kubernetes.client.version>19.0.0</kubernetes.client.version>
-  </properties>
-
-
-  <dependencyManagement>
-    <dependencies>
-      <!-- This is an indirect dependency of io.kubernetes.client-java
-      update to address vulnerability in transitive dependency okio used by okhttp -->
-      <dependency>
-          <groupId>com.squareup.okhttp3</groupId>
-          <artifactId>okhttp</artifactId>
-          <version>4.12.0</version>
-      </dependency>
-    </dependencies>
-  </dependencyManagement>
-
   <dependencies>
     <dependency>
       <groupId>org.apache.druid</groupId>
@@ -68,17 +51,53 @@
     <dependency>
       <groupId>io.kubernetes</groupId>
       <artifactId>client-java</artifactId>
-      <version>${kubernetes.client.version}</version>
+      <exclusions>
+        <!-- client-java-proto brings in protobuf-java 4.x which Druid does not yet support project-wide.
+             The Kubernetes API supports multiple wire formats (JSON, YAML, Protobuf, etc.) but this extension
+             is not currently using the proto client so exclusion is safe -->
+        <exclusion>
+          <groupId>io.kubernetes</groupId>
+          <artifactId>client-java-proto</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.google.protobuf</groupId>
+          <artifactId>protobuf-java</artifactId>
+        </exclusion>
+        <!-- Azure AD auth library and its transitive OIDC/JWT stack — only needed for AKS token-based
+             authentication which this extension does not use -->
+        <exclusion>
+          <groupId>com.microsoft.azure</groupId>
+          <artifactId>adal4j</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>io.kubernetes</groupId>
       <artifactId>client-java-extended</artifactId>
-      <version>${kubernetes.client.version}</version>
+      <exclusions>
+        <!-- client-java-proto brings in protobuf-java 4.x which Druid does not yet support project-wide.
+             The Kubernetes API supports multiple wire formats (JSON, YAML, Protobuf, etc.) but this extension
+             is not currently using the proto client so exclusion is safe -->
+        <exclusion>
+          <groupId>io.kubernetes</groupId>
+          <artifactId>client-java-proto</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>io.kubernetes</groupId>
       <artifactId>client-java-api</artifactId>
-      <version>${kubernetes.client.version}</version>
+      <exclusions>
+        <!-- jakarta.ws.rs-api 4.0 conflicts with the javax.ws.rs 1.x used elsewhere in Druid -->
+        <exclusion>
+          <groupId>jakarta.ws.rs</groupId>
+          <artifactId>jakarta.ws.rs-api</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>com.squareup.okhttp3</groupId>
+      <artifactId>okhttp-jvm</artifactId>
     </dependency>
 
     <!-- Tests -->
@@ -140,7 +159,7 @@
               <artifactId>maven-dependency-plugin</artifactId>
               <configuration>
               <!-- analyze incorrectly flags this dependency as missing when omitted, and unused when declared -->
-                <ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:19.0.0</ignoredDependencies>
+                <ignoredDependencies>io.kubernetes:client-java-api-fluent:jar:${kubernetes.client.version}</ignoredDependencies>
               </configuration>
           </plugin>
         </plugins>

extensions-core/kubernetes-extensions/src/main/java/org/apache/druid/k8s/discovery/DefaultK8sApiClient.java

@@ -30,6 +30,7 @@
 import io.kubernetes.client.openapi.apis.CoreV1Api;
 import io.kubernetes.client.openapi.models.V1Pod;
 import io.kubernetes.client.openapi.models.V1PodList;
+import io.kubernetes.client.util.PatchUtils;
 import io.kubernetes.client.util.Watch;
 import org.apache.druid.discovery.DiscoveryDruidNode;
 import org.apache.druid.discovery.NodeRole;
@@ -65,7 +66,22 @@ public DefaultK8sApiClient(ApiClient realK8sClient, @Json ObjectMapper jsonMappe
   public void patchPod(String podName, String podNamespace, String jsonPatchStr)
   {
     try {
-      coreV1Api.patchNamespacedPod(podName, podNamespace, new V1Patch(jsonPatchStr), "true", null, null, null, null);
+      PatchUtils.patch(
+          V1Pod.class,
+          () -> coreV1Api.patchNamespacedPodCall(
+              podName,
+              podNamespace,
+              new V1Patch(jsonPatchStr),
+              "true",
+              null,
+              null,
+              null,
+              null,
+              null
+          ),
+          V1Patch.PATCH_FORMAT_JSON_PATCH,
+          realK8sClient
+      );
     }
     catch (ApiException ex) {
       throw new RE(ex, "Failed to patch pod[%s/%s], code[%d], error[%s].", podNamespace, podName, ex.getCode(), ex.getResponseBody());
@@ -80,7 +96,20 @@ public DiscoveryDruidNodeList listPods(
   )
   {
     try {
-      V1PodList podList = coreV1Api.listNamespacedPod(podNamespace, null, null, null, null, labelSelector, 0, null, null, null, null, null);
+      V1PodList podList = coreV1Api.listNamespacedPod(
+          podNamespace,
+          null,
+          null,
+          null,
+          null,
+          labelSelector,
+          null,
+          null,
+          null,
+          null,
+          null,
+          null
+      );
       Preconditions.checkState(podList != null, "WTH: NULL podList");
 
       Map<String, DiscoveryDruidNode> allNodes = new HashMap();
@@ -113,8 +142,20 @@ public WatchResult watchPods(String namespace, String labelSelector, String last
       Watch<V1Pod> watch =
           Watch.createWatch(
               realK8sClient,
-              coreV1Api.listNamespacedPodCall(namespace, null, true, null, null,
-                                              labelSelector, null, lastKnownResourceVersion, null, null, 0, true, null
+              coreV1Api.listNamespacedPodCall(
+                  namespace,
+                  null,
+                  true,
+                  null,
+                  null,
+                  labelSelector,
+                  null,
+                  lastKnownResourceVersion,
+                  null,
+                  null,
+                  null,
+                  true,
+                  null
               ),
               new TypeReference<Watch.Response<V1Pod>>()
               {

extensions-core/kubernetes-overlord-extensions/pom.xml

@@ -34,6 +34,9 @@
     <relativePath>../../pom.xml</relativePath>
   </parent>
 
+  <properties>
+    <vertx.version>4.5.24</vertx.version>
+  </properties>
 
   <dependencies>
     <dependency>
@@ -138,13 +141,17 @@
     </dependency>
     <dependency>
       <groupId>com.squareup.okhttp3</groupId>
-      <artifactId>okhttp</artifactId>
-      <version>4.12.0</version>
+      <artifactId>okhttp-jvm</artifactId>
     </dependency>
     <dependency>
       <groupId>io.vertx</groupId>
       <artifactId>vertx-core</artifactId>
-      <version>4.5.24</version>
+      <version>${vertx.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>io.vertx</groupId>
+      <artifactId>vertx-web-client</artifactId>
+      <version>${vertx.version}</version>
     </dependency>
     <dependency>
       <groupId>javax.ws.rs</groupId>

extensions-core/kubernetes-overlord-extensions/src/main/java/org/apache/druid/k8s/overlord/KubernetesOverlordModule.java

@@ -39,6 +39,7 @@
 import org.apache.druid.guice.JsonConfigurator;
 import org.apache.druid.guice.LazySingleton;
 import org.apache.druid.guice.PolyBind;
+import org.apache.druid.guice.annotations.Json;
 import org.apache.druid.guice.annotations.LoadScope;
 import org.apache.druid.guice.annotations.Self;
 import org.apache.druid.guice.annotations.Smile;
@@ -386,17 +387,19 @@ public RunnerStrategy get()
   private static class VertxHttpClientFactoryProvider implements Provider<DruidKubernetesHttpClientFactory>
   {
     private DruidKubernetesVertxHttpClientConfig config;
+    private ObjectMapper jsonMapper;
 
     @Inject
-    public void inject(DruidKubernetesVertxHttpClientConfig config)
+    public void inject(DruidKubernetesVertxHttpClientConfig config, @Json ObjectMapper jsonMapper)
     {
-      this.config = config;  // Guice injects the Vertx-specific config
+      this.config = config;
+      this.jsonMapper = jsonMapper;
     }
 
     @Override
     public DruidKubernetesHttpClientFactory get()
     {
-      return new DruidKubernetesVertxHttpClientFactory(config);
+      return new DruidKubernetesVertxHttpClientFactory(config, jsonMapper);
     }
   }
 

extensions-core/kubernetes-overlord-extensions/src/main/java/org/apache/druid/k8s/overlord/common/httpclient/vertx/DruidKubernetesVertxHttpClientConfig.java

@@ -22,6 +22,9 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.vertx.core.VertxOptions;
 
+import java.util.Collections;
+import java.util.Map;
+
 public class DruidKubernetesVertxHttpClientConfig
 {
   @JsonProperty
@@ -33,6 +36,9 @@ public class DruidKubernetesVertxHttpClientConfig
   @JsonProperty
   private int internalBlockingPoolSize = VertxOptions.DEFAULT_INTERNAL_BLOCKING_POOL_SIZE;
 
+  @JsonProperty
+  private Map<String, Object> webClientOptions = Collections.emptyMap();
+
   public int getWorkerPoolSize()
   {
     return workerPoolSize;
@@ -47,4 +53,9 @@ public int getInternalBlockingPoolSize()
   {
     return internalBlockingPoolSize;
   }
+
+  public Map<String, Object> getWebClientOptions()
+  {
+    return webClientOptions;
+  }
 }

extensions-core/kubernetes-overlord-extensions/src/main/java/org/apache/druid/k8s/overlord/common/httpclient/vertx/DruidKubernetesVertxHttpClientFactory.java

@@ -19,31 +19,55 @@
 
 package org.apache.druid.k8s.overlord.common.httpclient.vertx;
 
-import io.fabric8.kubernetes.client.vertx.VertxHttpClientBuilder;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import io.fabric8.kubernetes.client.vertx.VertxHttpClientFactory;
 import io.vertx.core.Vertx;
 import io.vertx.core.VertxOptions;
 import io.vertx.core.file.FileSystemOptions;
 import io.vertx.core.spi.resolver.ResolverProvider;
+import io.vertx.ext.web.client.WebClientOptions;
+import org.apache.druid.java.util.common.logger.Logger;
 import org.apache.druid.k8s.overlord.common.httpclient.DruidKubernetesHttpClientFactory;
 
 /**
  * Similar to {@link VertxHttpClientFactory} but allows us to override thread pool configurations.
  */
-public class DruidKubernetesVertxHttpClientFactory implements DruidKubernetesHttpClientFactory
+public class DruidKubernetesVertxHttpClientFactory extends VertxHttpClientFactory implements DruidKubernetesHttpClientFactory
 {
   public static final String TYPE_NAME = "vertx";
-  private final Vertx vertx;
 
-  public DruidKubernetesVertxHttpClientFactory(final DruidKubernetesVertxHttpClientConfig httpClientConfig)
+  private static final Logger LOG = new Logger(DruidKubernetesVertxHttpClientFactory.class);
+
+  private final DruidKubernetesVertxHttpClientConfig httpClientConfig;
+  private final ObjectMapper objectMapper;
+
+  public DruidKubernetesVertxHttpClientFactory(
+      DruidKubernetesVertxHttpClientConfig httpClientConfig,
+      ObjectMapper objectMapper
+  )
   {
-    this.vertx = createVertxInstance(httpClientConfig);
+    super(createVertxInstance(httpClientConfig));
+    this.httpClientConfig = httpClientConfig;
+    this.objectMapper = objectMapper;
   }
 
   @Override
-  public VertxHttpClientBuilder<DruidKubernetesVertxHttpClientFactory> newBuilder()
+  protected void additionalConfig(WebClientOptions options)
   {
-    return new VertxHttpClientBuilder<>(this, vertx);
+    if (!httpClientConfig.getWebClientOptions().isEmpty()) {
+      try {
+        LOG.info("Applying additional WebClientOptions from configuration: %s", httpClientConfig.getWebClientOptions());
+        objectMapper.updateValue(options, httpClientConfig.getWebClientOptions());
+      }
+      catch (Exception e) {
+        throw new RuntimeException(
+            "Failed to apply webClientOptions to WebClientOptions. "
+            + "Check that all property names and values are valid. "
+            + "Properties provided: " + httpClientConfig.getWebClientOptions(),
+            e
+        );
+      }
+    }
   }
 
   /**

extensions-core/kubernetes-overlord-extensions/src/test/java/org/apache/druid/k8s/overlord/KubernetesTaskRunnerFactoryTest.java

@@ -67,7 +67,7 @@ public void setup()
     Config config = new ConfigBuilder().build();
 
     druidKubernetesClient =
-        new DruidKubernetesClient(new DruidKubernetesVertxHttpClientFactory(new DruidKubernetesVertxHttpClientConfig()), config);
+        new DruidKubernetesClient(new DruidKubernetesVertxHttpClientFactory(new DruidKubernetesVertxHttpClientConfig(), new ObjectMapper()), config);
     druidKubernetesCachingClient = null;
     taskAdapter = new TestTaskAdapter();
     kubernetesTaskRunnerConfig = new KubernetesTaskRunnerEffectiveConfig(kubernetesTaskRunnerStaticConfig, () -> null);