feat(deployer): enable zero downtime rollout, graceful shutdown by default (#12242)

Signed-off-by: David Haifley <[email protected]>

Author: dhaifley

.github/workflows/pr-kubernetes-tests.yaml

@@ -58,7 +58,7 @@ jobs:
         # August 29, 2025: ~9 minutes
         - cluster-name: 'cluster-six'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestInferenceExtension$$|^TestListenerSet$$|^TestKgateway$$/^TCPRouteServices$$|^TestKgatewayIstioAutoMtls$$'
+          go-test-run-regex: '^TestInferenceExtension$$|^TestListenerSet$$|^TestKgateway$$/^TCPRouteServices$$|^TestKgatewayIstioAutoMtls$$|^TestZeroDowntimeRollout$$'
           localstack: 'false'
         # August 29, 2025: ~7 minutes
         - cluster-name: 'cluster-ai'

api/applyconfiguration/api/v1alpha1/pod.go

@@ -273,6 +273,14 @@ type Pod struct {
 	// +kubebuilder:validation:Maximum=31536000
 	TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty"`
 
+	// If specified, the pod's startup probe. A probe of container startup readiness.
+	// Container will be only be added to service endpoints if the probe succeeds. See
+	// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#probe-v1-core
+	// for details.
+	//
+	// +optional
+	StartupProbe *corev1.Probe `json:"startupProbe,omitempty"`
+
 	// If specified, the pod's readiness probe. Periodic probe of container service readiness.
 	// Container will be removed from service endpoints if the probe fails. See
 	// https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#probe-v1-core
@@ -353,6 +361,13 @@ func (in *Pod) GetTolerations() []corev1.Toleration {
 	return in.Tolerations
 }
 
+func (in *Pod) GetStartupProbe() *corev1.Probe {
+	if in == nil {
+		return nil
+	}
+	return in.StartupProbe
+}
+
 func (in *Pod) GetReadinessProbe() *corev1.Probe {
 	if in == nil {
 		return nil

api/applyconfiguration/internal/internal.go

@@ -3079,6 +3079,87 @@ spec:
                                 type: string
                             type: object
                         type: object
+                      startupProbe:
+                        properties:
+                          exec:
+                            properties:
+                              command:
+                                items:
+                                  type: string
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            type: object
+                          failureThreshold:
+                            format: int32
+                            type: integer
+                          grpc:
+                            properties:
+                              port:
+                                format: int32
+                                type: integer
+                              service:
+                                default: ""
+                                type: string
+                            required:
+                            - port
+                            type: object
+                          httpGet:
+                            properties:
+                              host:
+                                type: string
+                              httpHeaders:
+                                items:
+                                  properties:
+                                    name:
+                                      type: string
+                                    value:
+                                      type: string
+                                  required:
+                                  - name
+                                  - value
+                                  type: object
+                                type: array
+                                x-kubernetes-list-type: atomic
+                              path:
+                                type: string
+                              port:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                x-kubernetes-int-or-string: true
+                              scheme:
+                                type: string
+                            required:
+                            - port
+                            type: object
+                          initialDelaySeconds:
+                            format: int32
+                            type: integer
+                          periodSeconds:
+                            format: int32
+                            type: integer
+                          successThreshold:
+                            format: int32
+                            type: integer
+                          tcpSocket:
+                            properties:
+                              host:
+                                type: string
+                              port:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                x-kubernetes-int-or-string: true
+                            required:
+                            - port
+                            type: object
+                          terminationGracePeriodSeconds:
+                            format: int64
+                            type: integer
+                          timeoutSeconds:
+                            format: int32
+                            type: integer
+                        type: object
                       terminationGracePeriodSeconds:
                         format: int64
                         maximum: 31536000

api/v1alpha1/kube_types.go

@@ -404,6 +404,7 @@ func (k *kGatewayParameters) getValues(gw *api.Gateway, gwParam *v1alpha1.Gatewa
 	gateway.NodeSelector = podConfig.GetNodeSelector()
 	gateway.Affinity = podConfig.GetAffinity()
 	gateway.Tolerations = podConfig.GetTolerations()
+	gateway.StartupProbe = podConfig.GetStartupProbe()
 	gateway.ReadinessProbe = podConfig.GetReadinessProbe()
 	gateway.LivenessProbe = podConfig.GetLivenessProbe()
 	gateway.GracefulShutdown = podConfig.GetGracefulShutdown()

api/v1alpha1/zz_generated.deepcopy.go

@@ -51,6 +51,27 @@ spec:
           securityContext:
             {{- toYaml $gateway.securityContext | nindent 12 }}
           {{- end }} {{/* if $gateway.securityContext */}}
+          {{- if $gateway.startupProbe }}
+          startupProbe:
+            {{- toYaml $gateway.startupProbe | nindent 12 }}
+          {{- end }}{{/* if $gateway.startupProbe */}}
+          {{- if $gateway.readinessProbe }}
+          readinessProbe:
+            {{- toYaml $gateway.readinessProbe | nindent 12 }}
+          {{- end }}{{/* if $gateway.readinessProbe */}}
+          {{- if $gateway.livenessProbe }}
+          livenessProbe:
+            {{- toYaml $gateway.livenessProbe | nindent 12 }}
+          {{- end }}{{/* if $gateway.livenessProbe */}}
+          {{- if ($gateway.gracefulShutdown).enabled }}
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /bin/sh
+                  - -c
+                  - wget --post-data "" -O /dev/null 127.0.0.1:15000/quitquitquit; sleep {{ $gateway.gracefulShutdown.sleepTimeSeconds | default "10" }}
+          {{- end}}{{/* if ($gateway.gracefulShutdown).enabled */}}
           {{- if $gateway.resources }}
           resources:
             {{- toYaml $gateway.resources | nindent 12 }}

install/helm/kgateway-crds/templates/gateway.kgateway.dev_gatewayparameters.yaml

@@ -101,6 +101,10 @@ spec:
         - name: http-monitoring
           containerPort: 9091
         {{- end }}
+{{- if $gateway.startupProbe }}
+        startupProbe:
+{{ toYaml $gateway.startupProbe | indent 10}}
+{{- end }}{{/*if $gateway.startupProbe*/}}
 {{- if $gateway.readinessProbe }}
         readinessProbe:
 {{ toYaml $gateway.readinessProbe | indent 10}}

internal/kgateway/deployer/gateway_parameters.go

@@ -32,8 +32,6 @@ import (
 	api "sigs.k8s.io/gateway-api/apis/v1"
 	apixv1a1 "sigs.k8s.io/gateway-api/apisx/v1alpha1"
 
-	"github.com/kgateway-dev/kgateway/v2/test/gomega/matchers"
-
 	"github.com/kgateway-dev/kgateway/v2/api/settings"
 	gw2_v1alpha1 "github.com/kgateway-dev/kgateway/v2/api/v1alpha1"
 	"github.com/kgateway-dev/kgateway/v2/internal/kgateway/controller"
@@ -48,6 +46,7 @@ import (
 	"github.com/kgateway-dev/kgateway/v2/pkg/pluginsdk/collections"
 	"github.com/kgateway-dev/kgateway/v2/pkg/pluginsdk/krtutil"
 	"github.com/kgateway-dev/kgateway/v2/pkg/schemes"
+	"github.com/kgateway-dev/kgateway/v2/test/gomega/matchers"
 
 	// TODO BML tests in this suite fail if this no-op import is not imported first.
 	//
@@ -1888,6 +1887,7 @@ var _ = Describe("Deployer", func() {
 				params := fullyDefinedGatewayParameters(wellknown.DefaultGatewayParametersName, defaultNamespace)
 				params.Spec.Kube.PodTemplate.LivenessProbe = generateLivenessProbe()
 				params.Spec.Kube.PodTemplate.ReadinessProbe = generateReadinessProbe()
+				params.Spec.Kube.PodTemplate.StartupProbe = generateStartupProbe()
 				params.Spec.Kube.PodTemplate.TerminationGracePeriodSeconds = ptr.To(int64(5))
 				params.Spec.Kube.PodTemplate.GracefulShutdown = &gw2_v1alpha1.GracefulShutdownSpec{
 					Enabled:          ptr.To(true),
@@ -2225,6 +2225,7 @@ var _ = Describe("Deployer", func() {
 			envoyContainer := dep.Spec.Template.Spec.Containers[0]
 			Expect(envoyContainer.LivenessProbe).To(BeEquivalentTo(generateLivenessProbe()))
 			Expect(envoyContainer.ReadinessProbe).To(BeEquivalentTo(generateReadinessProbe()))
+			Expect(envoyContainer.StartupProbe).To(BeEquivalentTo(generateStartupProbe()))
 			Expect(envoyContainer.Lifecycle.PreStop.Exec.Command).To(BeEquivalentTo([]string{
 				"/bin/sh",
 				"-c",
@@ -3271,20 +3272,32 @@ func generateLivenessProbe() *corev1.Probe {
 	}
 }
 
+func generateStartupProbe() *corev1.Probe {
+	return &corev1.Probe{
+		ProbeHandler: corev1.ProbeHandler{
+			HTTPGet: &corev1.HTTPGetAction{
+				Path: "/ready",
+				Port: intstr.FromInt(8082),
+			},
+		},
+		InitialDelaySeconds: 0,
+		PeriodSeconds:       1,
+		TimeoutSeconds:      2,
+		FailureThreshold:    60,
+		SuccessThreshold:    1,
+	}
+}
+
 func generateReadinessProbe() *corev1.Probe {
 	return &corev1.Probe{
 		ProbeHandler: corev1.ProbeHandler{
 			HTTPGet: &corev1.HTTPGetAction{
-				Scheme: "HTTP",
-				Port: intstr.IntOrString{
-					IntVal: 8082,
-				},
-				Path: "/envoy-hc",
+				Path: "/ready",
+				Port: intstr.FromInt(8082),
 			},
 		},
 		InitialDelaySeconds: 5,
-		PeriodSeconds:       5,
-		FailureThreshold:    2,
+		PeriodSeconds:       10,
 	}
 }