Fix persistent container endpoint allocation (#17960)

* Fix persistent container endpoint allocation

Default persistent container endpoints to proxied unless proxy support is disabled, and remove delayed proxyless container endpoint allocation in favor of target-port public port defaults. Preserve endpoint and connection string event timing from release/13.3 and add coverage for the KeyVault emulator-style health check path.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Restore health check URI binding timing

Set HTTP health check URIs during BeforeResourceStartedEvent again so surrogate resource builders that forward startup events continue to initialize their health checks. Add DCP coverage for the KeyVault-emulator-style surrogate pattern.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Bump Aspire patch version to 13.4.3

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Preserve blocking endpoint allocation dispatch

Keep ResourceEndpointsAllocatedEvent dispatch aligned with release/13.4 so subscriber exceptions propagate and endpoint allocation callbacks complete before startup proceeds.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Stabilize Kafka persistent reuse test port

Use a fixed public Kafka port for the persistent reuse test and let the shared persistent-container helper disable DCP test port randomization when a test needs explicit ports to remain stable.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: danegsta

eng/Versions.props

@@ -3,7 +3,7 @@
     <!-- This repo version -->
     <MajorVersion>13</MajorVersion>
     <MinorVersion>4</MinorVersion>
-    <PatchVersion>2</PatchVersion>
+    <PatchVersion>3</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <PreReleaseVersionLabel>preview.1</PreReleaseVersionLabel>
     <DefaultTargetFramework>net8.0</DefaultTargetFramework>

src/Aspire.Hosting/ApplicationModel/EndpointAnnotation.cs

@@ -209,8 +209,6 @@ public int? Port
         }
     }
 
-    internal int? SpecifiedPort => _port;
-
     /// <summary>
     /// This is the port the resource is listening on. If the endpoint is used for the container, it is the container port.
     /// </summary>

src/Aspire.Hosting/ApplicationModel/EndpointReference.cs

@@ -221,26 +221,6 @@ public ReferenceExpression GetTlsValue(ReferenceExpression enabledValue, Referen
         GetAllocatedEndpoint()
         ?? throw new InvalidOperationException($"The endpoint `{EndpointName}` is not allocated for the resource `{Resource.Name}`.");
 
-    internal Task<AllocatedEndpoint> GetAllocatedEndpointAsync(NetworkIdentifier networkId, CancellationToken cancellationToken = default)
-    {
-        var endpointAnnotation = EndpointAnnotation;
-        if (endpointAnnotation.AllAllocatedEndpoints.TryGetAllocatedEndpoint(networkId, out var endpoint))
-        {
-            return Task.FromResult(endpoint);
-        }
-
-        foreach (var allocationAnnotation in Resource.Annotations.OfType<OnDemandEndpointAllocationAnnotation>())
-        {
-            endpoint = allocationAnnotation.TryAllocate(endpointAnnotation, networkId);
-            if (endpoint is not null)
-            {
-                return Task.FromResult(endpoint);
-            }
-        }
-
-        return endpointAnnotation.AllAllocatedEndpoints.GetAllocatedEndpointAsync(networkId, cancellationToken);
-    }
-
     private EndpointAnnotation? GetEndpointAnnotation()
     {
         if (_endpointAnnotation is not null)
@@ -391,7 +371,7 @@ public class EndpointReferenceExpression(EndpointReference endpointReference, En
 
         async ValueTask<string?> ResolveValueWithAllocatedAddress()
         {
-            var allocatedEndpoint = await Endpoint.GetAllocatedEndpointAsync(networkContext, cancellationToken).ConfigureAwait(false);
+            var allocatedEndpoint = await Endpoint.EndpointAnnotation.AllAllocatedEndpoints.GetAllocatedEndpointAsync(networkContext, cancellationToken).ConfigureAwait(false);
 
             return Property switch
             {

src/Aspire.Hosting/ApplicationModel/OnDemandEndpointAllocationAnnotation.cs

@@ -199,7 +199,7 @@ public IEnumerable<RenderedModelResource<Container>> PrepareObjects()
             }
 
             var containerAppResource = new RenderedModelResource<Container>(container, ctr);
-            DcpModelUtilities.AddServicesProducedInfo(containerAppResource, _appResources.Get(), _logger);
+            DcpModelUtilities.AddServicesProducedInfo(containerAppResource, _appResources.Get());
             _appResources.Add(containerAppResource);
             result.Add(containerAppResource);
         }
@@ -316,19 +316,13 @@ private async Task BuildAndCreateContainerAsync(RenderedModelResource<Container>
         spec.RunArgs = runArgs;
 
         var (configuration, pemCertificates, createFiles) = await BuildContainerConfiguration(cr, logger, cToken).ConfigureAwait(false);
-        // Configuration callbacks are the last pre-creation point where on-demand allocation can run.
-        cr.ModelResource.Annotations
-            .OfType<OnDemandEndpointAllocationAnnotation>()
-            .SingleOrDefault()
-            ?.StopAllocating();
 
         if (configuration.Exception is not null)
         {
             throw new FailedToApplyEnvironmentException($"Failed to apply configuration to container {cr.ModelResource.Name}", configuration.Exception);
         }
 
-        // Environment callbacks can resolve proxyless endpoint ports and commit a fallback host port,
-        // so build ports afterward.
+        // Configuration callbacks can update endpoint metadata, so build ports afterward.
         if (cr.ServicesProduced.Count > 0)
         {
             spec.Ports = BuildContainerPorts(cr);
@@ -993,7 +987,7 @@ private static List<ContainerPortSpec> BuildContainerPorts(RenderedModelResource
                 ContainerPort = ea.TargetPort,
             };
 
-            if (!ea.IsProxied && ea.SpecifiedPort is int hostPort)
+            if (!ea.IsProxied && ea.Port is int hostPort)
             {
                 sp.Service.Spec.Port ??= hostPort;
                 portSpec.HostPort = hostPort;

src/Aspire.Hosting/Dcp/ContainerCreator.cs

@@ -113,7 +113,7 @@ public DcpExecutor(ILogger<DcpExecutor> logger,
         _executionContext = executionContext;
         _appResources = appResources;
 
-        _resourceWatcher = new DcpResourceWatcher(logger, kubernetesService, loggerService, executorEvents, model, _appResources, _configuration, PublishLateEndpointsAllocatedEventAsync, profilingTelemetry, _shutdownCancellation.Token);
+        _resourceWatcher = new DcpResourceWatcher(logger, kubernetesService, loggerService, executorEvents, model, _appResources, _configuration, profilingTelemetry, _shutdownCancellation.Token);
 
         DeleteResourceRetryPipeline = DcpPipelineBuilder.BuildDeleteRetryPipeline(logger);
 
@@ -195,59 +195,47 @@ public async Task RunApplicationAsync(CancellationToken ct = default)
 
             var createContainerNetworks = Task.Run(() => CreateAllDcpObjectsAsync<ContainerNetwork>(ct), ct);
 
-            var createWorkloadEndpoints = Task.Run(async () =>
+            var createExecutableEndpoints = Task.Run(async () =>
             {
-                await Task.WhenAll([getProxyAddresses, createContainerNetworks]).WaitAsync(ct).ConfigureAwait(false);
+                await getProxyAddresses.ConfigureAwait(false);
 
-                List<IResource> endpointAllocatedResources = [];
                 foreach (var executable in executables)
                 {
                     if (DcpModelUtilities.TryAddWorkloadAllocatedEndpoints(
                         executable,
                         _options.Value.EnableAspireContainerTunnel,
-                        ContainerHostName,
-                        allowPendingDynamicProxylessContainerEndpoints: false))
-                    {
-                        endpointAllocatedResources.Add(executable.ModelResource);
-                    }
-                }
-
-                foreach (var container in containers)
-                {
-                    if (DcpModelUtilities.TryAddWorkloadAllocatedEndpoints(
-                        container,
-                        _options.Value.EnableAspireContainerTunnel,
-                        ContainerHostName,
-                        allowPendingDynamicProxylessContainerEndpoints: true))
+                        ContainerHostName))
                     {
-                        endpointAllocatedResources.Add(container.ModelResource);
+                        await PublishEndpointsAllocatedEventAsync(executable.ModelResource, ct).ConfigureAwait(false);
                     }
                 }
-
-                // Allocate every endpoint that is known before workload creation before publishing any
-                // resource-specific endpoint events. URL callbacks can reference endpoints on other
-                // resources, so publishing per-resource while another resource is still allocating can
-                // make a valid cross-resource callback observe an unallocated endpoint.
-                foreach (var resource in endpointAllocatedResources.Distinct())
-                {
-                    await PublishEndpointsAllocatedEventAsync(resource, ct).ConfigureAwait(false);
-                }
             }, ct);
 
             var createExecutables = Task.Run(async () =>
             {
-                await createWorkloadEndpoints.ConfigureAwait(false);
+                await createExecutableEndpoints.ConfigureAwait(false);
 
                 await CreateRenderedResourcesAsync(_executableCreator, executables, EmptyCreationContext.s_instance, ct).ConfigureAwait(false);
             }, ct);
 
             // Configuring containers that use the tunnel require these host network-side endpoints for Executables to be ready.
-            var cctx = new ContainerCreationContext(createContainerNetworks, createWorkloadEndpoints, ct);
+            var cctx = new ContainerCreationContext(createContainerNetworks, createExecutableEndpoints, ct);
             _containerContextSource.SetResult(cctx);
 
             var createContainers = Task.Run(async () =>
             {
-                await createWorkloadEndpoints.ConfigureAwait(false);
+                await Task.WhenAll([getProxyAddresses, createContainerNetworks]).WaitAsync(ct).ConfigureAwait(false);
+
+                foreach (var container in containers)
+                {
+                    if (DcpModelUtilities.TryAddWorkloadAllocatedEndpoints(
+                        container,
+                        _options.Value.EnableAspireContainerTunnel,
+                        ContainerHostName))
+                    {
+                        await PublishEndpointsAllocatedEventAsync(container.ModelResource, ct).ConfigureAwait(false);
+                    }
+                }
 
                 await CreateRenderedResourcesAsync(_containerCreator, containers, cctx, ct).ConfigureAwait(false);
             }, ct);
@@ -670,9 +658,7 @@ private void PrepareServices()
                 }
                 else
                 {
-                    port = sp.ModelResource.IsContainer() && !endpoint.IsProxied
-                        ? endpoint.SpecifiedPort
-                        : endpoint.Port;
+                    port = endpoint.Port;
                 }
                 svc.Spec.Port = port;
                 svc.Spec.Protocol = PortProtocol.FromProtocolType(endpoint.Protocol);
@@ -711,7 +697,7 @@ static bool GetEffectiveIsProxied(IResource resource, EndpointAnnotation endpoin
                 return isProxied;
             }
 
-            return !resource.HasPersistentLifetime();
+            return !resource.HasPersistentLifetime() || resource.IsContainer();
         }
 
         var containers = _model.Resources.Where(r => r.IsContainer());
@@ -1224,14 +1210,6 @@ private async Task<bool> PublishEndpointsAllocatedEventAsync(IResource resource,
         return true;
     }
 
-    private async Task PublishLateEndpointsAllocatedEventAsync(IResource resource, CancellationToken ct)
-    {
-        if (await PublishEndpointsAllocatedEventAsync(resource, ct).ConfigureAwait(false))
-        {
-            await PublishConnectionStringAvailableEventAsync(resource, ct).ConfigureAwait(false);
-        }
-    }
-
     private async Task PublishConnectionStringAvailableEventAsync(IResource resource, CancellationToken ct)
     {
         if (!DcpModelUtilities.AreResourceEndpointsAllocated(resource))

src/Aspire.Hosting/Dcp/DcpExecutor.cs

@@ -7,7 +7,6 @@
 using System.Net;
 using Aspire.Hosting.ApplicationModel;
 using Aspire.Hosting.Dcp.Model;
-using Microsoft.Extensions.Logging;
 
 namespace Aspire.Hosting.Dcp;
 
@@ -34,8 +33,7 @@ internal static bool ShouldDeferCreateForExplicitStart(IResource modelResource,
     /// </summary>
     internal static void AddServicesProducedInfo<TDcpResource>(
         RenderedModelResource<TDcpResource> appResource,
-        IEnumerable<IAppResource> appResources,
-        ILogger? logger = null)
+        IEnumerable<IAppResource> appResources)
         where TDcpResource : CustomResource, IKubernetesStaticMetadata
     {
         var modelResource = appResource.ModelResource;
@@ -89,16 +87,6 @@ internal static void AddServicesProducedInfo<TDcpResource>(
             appResource.ServicesProduced.Add(sp);
         }
 
-        if (appResource.ServicesProduced.Any(sp => IsDynamicProxylessContainerEndpoint(appResource, sp)) &&
-            !modelResource.Annotations.OfType<OnDemandEndpointAllocationAnnotation>().Any())
-        {
-            // These endpoints normally get their host port during container creation. If a
-            // reference needs the allocated endpoint while building the container configuration,
-            // commit the fallback port before waiting would deadlock resource creation.
-            modelResource.Annotations.Add(new OnDemandEndpointAllocationAnnotation(
-                (endpoint, networkId) => TryAllocateDynamicProxylessContainerEndpoint(appResource, endpoint, networkId, logger)));
-        }
-
         static bool HasMultipleReplicas(CustomResource resource)
         {
             if (resource is Executable exe && exe.Metadata.Annotations.TryGetValue(CustomResource.ResourceReplicaCount, out var value) && int.TryParse(value, CultureInfo.InvariantCulture, out var replicas) && replicas > 1)
@@ -117,22 +105,19 @@ internal static void AddWorkloadAllocatedEndpoints<TDcpResource>(
     {
         foreach (var res in resources)
         {
-            TryAddWorkloadAllocatedEndpoints(res, enableAspireContainerTunnel, containerHostName, allowPendingDynamicProxylessContainerEndpoints: false);
+            TryAddWorkloadAllocatedEndpoints(res, enableAspireContainerTunnel, containerHostName);
         }
     }
 
     internal static bool TryAddWorkloadAllocatedEndpoints<TDcpResource>(
         RenderedModelResource<TDcpResource> resource,
         bool enableAspireContainerTunnel,
-        string containerHostName,
-        bool allowPendingDynamicProxylessContainerEndpoints)
+        string containerHostName)
         where TDcpResource : CustomResource, IKubernetesStaticMetadata
     {
         foreach (var sp in resource.ServicesProduced)
         {
-            if (TryAddLocalhostAllocatedEndpoint(
-                sp,
-                allowPending: allowPendingDynamicProxylessContainerEndpoints && IsDynamicProxylessContainerEndpoint(resource, sp)))
+            if (TryAddLocalhostAllocatedEndpoint(sp, allowPending: false))
             {
                 AddContainerNetworkAllocatedEndpoint(resource, sp);
                 AddExecutableContainerNetworkAllocatedEndpoint(resource, sp, enableAspireContainerTunnel, containerHostName);
@@ -142,41 +127,33 @@ internal static bool TryAddWorkloadAllocatedEndpoints<TDcpResource>(
         return AreResourceEndpointsAllocated(resource.ModelResource);
     }
 
-    internal static bool TryApplyServiceAddressToEndpoint(Service observedService, IEnumerable<IAppResource> appResources, [NotNullWhen(true)] out IResource? modelResource)
+    internal static void ApplyServiceAddressToEndpoint(Service observedService, IEnumerable<IAppResource> appResources)
     {
         var serviceResource = appResources.OfType<ServiceWithModelResource>()
             .FirstOrDefault(swr => string.Equals(swr.DcpResource.Metadata.Name, observedService.Metadata.Name, StringComparison.Ordinal));
 
         if (serviceResource is null)
         {
-            modelResource = null;
-            return false;
+            return;
         }
 
         serviceResource.Service.ApplyAddressInfoFrom(observedService);
-        var isDynamicProxylessContainerEndpoint = appResources.OfType<RenderedModelResource<Container>>()
-            .Any(resource => ReferenceEquals(resource.ModelResource, serviceResource.ModelResource) &&
-                IsDynamicProxylessContainerEndpoint(resource, serviceResource));
         if (!TryAddLocalhostAllocatedEndpoint(serviceResource, allowPending: true))
         {
-            modelResource = null;
-            return false;
+            return;
         }
 
         foreach (var containerResource in appResources.OfType<RenderedModelResource<Container>>()
             .Where(resource => ReferenceEquals(resource.ModelResource, serviceResource.ModelResource)))
         {
             AddContainerNetworkAllocatedEndpoint(containerResource, serviceResource);
         }
-
-        modelResource = serviceResource.ModelResource;
-        return isDynamicProxylessContainerEndpoint && AreResourceEndpointsAllocated(modelResource);
     }
 
-    private static bool TryAddLocalhostAllocatedEndpoint(ServiceWithModelResource sp, bool allowPending, int? fallbackPort = null)
+    private static bool TryAddLocalhostAllocatedEndpoint(ServiceWithModelResource sp, bool allowPending)
     {
         var svc = sp.DcpResource;
-        var allocatedPort = svc.AllocatedPort ?? fallbackPort;
+        var allocatedPort = svc.AllocatedPort;
 
         if (sp.EndpointAnnotation.AllocatedEndpoint is not null)
         {
@@ -283,50 +260,6 @@ internal static bool AreResourceEndpointsAllocated(IResource resource)
         return !resource.TryGetEndpoints(out var endpoints) || endpoints.All(e => e.AllocatedEndpoint is not null);
     }
 
-    private static bool IsDynamicProxylessContainerEndpoint<TDcpResource>(RenderedModelResource<TDcpResource> resource, ServiceWithModelResource sp)
-        where TDcpResource : CustomResource, IKubernetesStaticMetadata
-    {
-        return resource.DcpResource is Container &&
-            !sp.EndpointAnnotation.IsProxied &&
-            sp.EndpointAnnotation.SpecifiedPort is null;
-    }
-
-    private static AllocatedEndpoint? TryAllocateDynamicProxylessContainerEndpoint<TDcpResource>(
-        RenderedModelResource<TDcpResource> resource,
-        EndpointAnnotation endpoint,
-        NetworkIdentifier networkId,
-        ILogger? logger)
-        where TDcpResource : CustomResource, IKubernetesStaticMetadata
-    {
-        var sp = resource.ServicesProduced.SingleOrDefault(sp =>
-            ReferenceEquals(sp.EndpointAnnotation, endpoint) &&
-            IsDynamicProxylessContainerEndpoint(resource, sp));
-        if (sp is null)
-        {
-            return null;
-        }
-
-        Debug.Assert(endpoint.TargetPort is not null);
-
-        var targetPort = endpoint.TargetPort.Value;
-        endpoint.Port = targetPort;
-        logger?.LogInformation(
-            "Endpoint '{EndpointName}' on container resource '{ResourceName}' was resolved before the container was created, so Aspire is assigning public port {PublicPort} to match target port {TargetPort} for proxyless access.",
-            endpoint.Name,
-            sp.ModelResource.Name,
-            targetPort,
-            targetPort);
-
-        if (TryAddLocalhostAllocatedEndpoint(sp, allowPending: false, fallbackPort: targetPort))
-        {
-            AddContainerNetworkAllocatedEndpoint(resource, sp);
-        }
-
-        return endpoint.AllAllocatedEndpoints.TryGetAllocatedEndpoint(networkId, out var allocatedEndpoint)
-            ? allocatedEndpoint
-            : null;
-    }
-
     internal static void AddContainerTunnelAllocatedEndpoints(
         IEnumerable<IResource> affectedResources,
         DcpAppResourceStore allAppResources,