fix: restore dead ports on multi-port service reconnect (#509)

[cjimti]

Fixes #509.

Problem

A multi-port normal service could enter an unrecoverable zombie state after one of its ports had its connection reset (e.g. the TCP RST behavior of kubernetes/kubernetes#111825, which kills a single port's kubelet listener). Auto-reconnect (-a, on by default in --tui) would fire, re-run SyncPodForwards, find the pod — and then do nothing: the dead port was never re-established and the service's /etc/hosts entries were never restored. Only a full kubefwd restart recovered the service.

Root cause

The defect is in syncNormalService (pkg/fwdservice/fwdservice.go). A normal service forwards a single pod, but each of its ports is a separate entry in PortForwards (key: service.podname.localport). The sync logic tracked a single forward key to keep (keyToKeep) and skipped LoopPodsToForward entirely whenever any forward for the pod still existed. So when one port survived, the dead port's slot was skipped forever.

This was introduced by 64ee12c: before it, the keep-comparison compared a map key against pod.Name (never equal), so keyToKeep stayed empty and every resync rebuilt all ports — inefficient but correct for multi-port. After 64ee12c the comparison started matching, which also meant healthy multi-port services would lose all-but-one port on the routine 5-minute resync, not just after an RST.

Fix

Reason in terms of the pod name to keep instead of a single forward key:

• keep all forwards belonging to the chosen pod,
• remove forwards belonging to any other pod,
• always re-invoke LoopPodsToForward for the kept pod.

LoopPodsToForward already skips ports that are already forwarded, so this is a no-op for a healthy pod and re-establishes any independently-torn-down port (re-adding its /etc/hosts entries) otherwise. Headless services were already unaffected (they always loop all pods).

Tests

• TestSyncPodForwards_MultiPort_RestoresDeadPort — reproduces Auto-reconnect leaves multi-port services in unrecoverable zombie state after TCP RST #509 (verified to fail on the old code with the exact reported symptom: currentForwards=1, port never restored) and passes with the fix.
• TestSyncPodForwards_MultiPort_HealthyResyncKeepsAllPorts — guards against the broader resync-drops-ports regression.

Full suite + -race + lint + build all pass.

Note

This branch also contains a small build commit (build: write verify sentinel...) that wires a missing local pre-commit-gate sentinel into make verify. It is unrelated to the bug fix; happy to drop it if you'd prefer the PR contain only the fix.

[codecov]

Codecov Report

❌ Patch coverage is 90.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 81.18%. Comparing base (1f6aa95) to head (e775923).

Files with missing lines	Patch %	Lines
pkg/fwdservice/fwdservice.go	90.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #510      +/-   ##
==========================================
+ Coverage   81.07%   81.18%   +0.10%     
==========================================
  Files          71       71              
  Lines       12843    12848       +5     
==========================================
+ Hits        10413    10431      +18     
+ Misses       2018     2009       -9     
+ Partials      412      408       -4     

Files with missing lines	Coverage Δ
pkg/fwdservice/fwdservice.go	81.57% <90.00%> (+3.17%)	⬆️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.