diff --git a/cilium/bpf_metadata.cc b/cilium/bpf_metadata.cc
index b7161e1c4..ec21c3599 100644
--- a/cilium/bpf_metadata.cc
+++ b/cilium/bpf_metadata.cc
@@ -200,23 +200,27 @@ SINGLETON_MANAGER_REGISTRATION(cilium_network_policy);
 namespace {
-std::shared_ptr
+absl::StatusOr>
 createHostMap(Server::Configuration::ListenerFactoryContext& context, envoy::config::core::v3::ConfigSource& npds_config) {
 return context.serverFactoryContext().singletonManager().getTyped( SINGLETON_MANAGER_REGISTERED_NAME(cilium_host_map), [&context, npds_config] {
 auto map = std::make_shared(context.serverFactoryContext());
+ absl::Status subscription_status = absl::OkStatus();
 map->startSubscription(context.serverFactoryContext(), npds_config);
 return map;
 });
 }
-std::shared_ptr
+absl::StatusOr>
 createPolicyMap(Server::Configuration::FactoryContext& context, envoy::config::core::v3::ConfigSource& npds_config) {
 return context.serverFactoryContext().singletonManager().getTyped( SINGLETON_MANAGER_REGISTERED_NAME(cilium_network_policy), [&context, npds_config] {
- return std::make_shared(context, npds_config, true);
+ absl::Status creation_status = absl::OkStatus();
+ auto policy_map = std::make_shared(context, npds_config, creation_status, true);
+ RETURN_IF_NOT_OK_REF(creation_status);
+ return policy_map;
 });
 }
diff --git a/cilium/grpc_subscription.cc b/cilium/grpc_subscription.cc
index 891b66662..98ecdb741 100644
--- a/cilium/grpc_subscription.cc
+++ b/cilium/grpc_subscription.cc
@@ -121,7 +121,7 @@ const Protobuf::MethodDescriptor& sotwGrpcMethod(absl::string_view type_url) {
 }
 std::unique_ptr
-subscribe(const std::string& type_url, const envoy::config::core::v3::ConfigSource& npds_config,
+subscribe(const absl::string_view type_url, const envoy::config::core::v3::ConfigSource& npds_config,
 const LocalInfo::LocalInfo& local_info, Upstream::ClusterManager& cm, Event::Dispatcher& dispatcher, Random::RandomGenerator& random, Stats::Scope& scope, Config::SubscriptionCallbacks& callbacks,
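Review bot: `subscription_status` in createHostMap's factory lambda is assigned `absl::OkStatus()` and never read — `map->startSubscription(...)` does not take it and nothing checks it afterwards, unlike the `creation_status` / `RETURN_IF_NOT_OK_REF(creation_status)` pair in createPolicyMap a few lines below. Either pass it into `startSubscription` and check it, or drop the declaration; as written, a failure on the host-map path can only surface by throwing from `THROW_OR_RETURN_VALUE` inside PolicyHostMap::startSubscription (host_map.cc), which the new `absl::StatusOr` return type suggests is not the intent. In createPolicyMap the lambda has a deduced return type; if `RETURN_IF_NOT_OK_REF` expands to `return status;` as I recall, the lambda then has one `return` of `absl::Status` and one of the `shared_ptr`, which does not compile, so the lambda needs an explicit trailing return type matching the factory type `getTyped` expects (the same `absl::StatusOr<...>` as the function's return type, whose template arguments are stripped on this page).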
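Review bot: `const` on the by-value `absl::string_view type_url` parameter is a top-level const, which has no meaning in the declaration in grpc_subscription.h (next hunk) and is only a style choice in this definition; clang-tidy's readability-avoid-const-params-in-decls flags the header form, so `absl::string_view type_url` in both places is the conventional spelling. The body of subscribe() is outside the hunk: if it stores `type_url` or forwards it to an API taking `const std::string&`, the switch from `std::string` to `string_view` needs an explicit `std::string(type_url)` there, and callers must keep the viewed bytes alive as long as the subscription holds the view — the new `constexpr` constants in host_map.cc and network_policy.cc satisfy that, a temporary `std::string` at a call site would not.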
diff --git a/cilium/grpc_subscription.h b/cilium/grpc_subscription.h
index 1a158b0e6..b2311be04 100644
--- a/cilium/grpc_subscription.h
+++ b/cilium/grpc_subscription.h
@@ -44,7 +44,7 @@ class GrpcMuxImpl : public Config::GrpcMuxImpl {
 };
 std::unique_ptr
-subscribe(const std::string& type_url, const envoy::config::core::v3::ConfigSource& npds_config,
+subscribe(const absl::string_view type_url, const envoy::config::core::v3::ConfigSource& npds_config,
 const LocalInfo::LocalInfo& local_info, Upstream::ClusterManager& cm, Event::Dispatcher& dispatcher, Random::RandomGenerator& random, Stats::Scope& scope, Config::SubscriptionCallbacks& callbacks,
diff --git a/cilium/host_map.cc b/cilium/host_map.cc
index f8621b2ca..138a47a18 100644
--- a/cilium/host_map.cc
+++ b/cilium/host_map.cc
@@ -31,6 +31,10 @@ namespace Envoy {
 namespace Cilium {
+namespace {
+
+ constexpr absl::string_view NetworkPolicyHostsTypeUrl = "type.googleapis.com/cilium.NetworkPolicyHosts";
+
 template unsigned int checkPrefix(T addr, bool have_prefix, unsigned int plen, absl::string_view host) {
 const unsigned int plen_max = sizeof(T) * 8;
@@ -47,6 +51,9 @@ unsigned int checkPrefix(T addr, bool have_prefix, unsigned int plen, absl::stri
 return plen;
 }
+}// namespace
+
+
 struct ThreadLocalHostMapInitializer : public PolicyHostMap::ThreadLocalHostMap {
 protected:
 friend class PolicyHostMap; // PolicyHostMap can insert();
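Review bot: The added `constexpr absl::string_view NetworkPolicyHostsTypeUrl` line is indented one level inside the new anonymous namespace, while the enclosing `namespace Envoy {` / `namespace Cilium {` lines in the same hunk are not, and the namespace is closed in the next hunk as `}// namespace` followed by two blank lines; clang-format will rewrite both hunks, so run it before merging and write the close as `} // namespace` with a single blank line after it. The type choice itself (`absl::string_view` rather than `std::string`) is the right one for a namespace-scope constant handed to `subscribe(absl::string_view, ...)`.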
@@ -171,12 +178,23 @@ PolicyHostMap::PolicyHostMap(Server::Configuration::CommonFactoryContext& contex
 scope_ = context.serverScope().createScope(name_);
 }
-void PolicyHostMap::startSubscription(Server::Configuration::CommonFactoryContext& context,
- const envoy::config::core::v3::ConfigSource& npds_config) {
- subscription_ = subscribe("type.googleapis.com/cilium.NetworkPolicyHosts", npds_config,
+
+void PolicyHostMap::startSubscription(
+ Server::Configuration::ServerFactoryContext& context,
+ const envoy::config::core::v3::ConfigSource& npds_config) {
+ if (npds_config.has_api_config_source() && npds_config.config_source_specifier_case() == envoy::config::core::v3::ConfigSource::kAds) {
+ subscription_ = THROW_OR_RETURN_VALUE( context.clusterManager().subscriptionFactory().subscriptionOverAdsGrpcMux( context.xdsManager().adsMux(), npds_config.value(), NetworkPolicyHostsTypeUrl, *scope_, *this, std::make_shared(), {}), Config::SubscriptionPtr);
+ } else {
+ subscription_ = subscribe(NetworkPolicyHostsTypeUrl, npds_config, context.localInfo(), context.clusterManager(), context.mainThreadDispatcher(), context.api().randomGenerator(), *scope_, *this, std::make_shared());
+ }
+
+ subscription_->start({});
 }
diff --git a/cilium/network_policy.cc b/cilium/network_policy.cc
index 1e8dc5814..25cf406f2 100644
--- a/cilium/network_policy.cc
+++ b/cilium/network_policy.cc
@@ -60,6 +60,12 @@
 #include "cilium/ipcache.h"
 #include "cilium/secret_watcher.h"
+namespace {
+
+ constexpr std::string NetworkPolicyTypeUrl = "type.googleapis.com/cilium.NetworkPolicy";
+
+}//namespace
+
 namespace fmt {
 template <> struct formatter {
@@ -1838,7 +1844,7 @@ NetworkPolicyMap::NetworkPolicyMap(Server::Configuration::FactoryContext& contex
 }
 if (subscribe) {
- getImpl().startSubscription();
+ getImpl().startSubscription(npds_config);
 }
 }
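Review bot: The ADS branch is unreachable: `npds_config.has_api_config_source() && npds_config.config_source_specifier_case() == envoy::config::core::v3::ConfigSource::kAds` can never hold, because `api_config_source` and `ads` are alternatives of the same `config_source_specifier` oneof, so whenever the case is `kAds` the `has_api_config_source()` test is false and every config falls through to the dedicated-stream path. The condition should be just `if (npds_config.config_source_specifier_case() == envoy::config::core::v3::ConfigSource::kAds) {`; the same contradictory test (on `npds_config.value()`) appears in NetworkPolicyMapImpl::startSubscription in network_policy.cc and needs the same fix. Separately, `npds_config` is declared `const envoy::config::core::v3::ConfigSource&` two lines above, yet the ADS call passes `npds_config.value()` — a generated protobuf message has no `value()` member unless the type changed elsewhere in the commit — while the else branch passes `npds_config` itself, so that call looks like a leftover from an optional wrapper. Finally, `subscription_->start({})` now runs for both paths; if `subscribe()` in grpc_subscription.cc already starts the subscription it returns (its body is not in this diff), the non-ADS path would be started twice.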
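Review bot: `constexpr std::string NetworkPolicyTypeUrl = "type.googleapis.com/cilium.NetworkPolicy";` is not a valid constant expression at namespace scope: even with C++20's constexpr `std::string`, a 40-byte value exceeds the small-string buffer of the mainstream implementations, so the constructor allocates and the object cannot be a constexpr variable (the allocation would have to be released within the same constant evaluation). The host_map.cc hunk in this same commit uses `constexpr absl::string_view NetworkPolicyHostsTypeUrl = ...`, which is also the type `subscribe(absl::string_view, ...)` and `subscriptionOverAdsGrpcMux` take, so use the same here: `constexpr absl::string_view NetworkPolicyTypeUrl = "type.googleapis.com/cilium.NetworkPolicy";`. The close `}//namespace` should be `} // namespace` as clang-format emits it.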
@@ -1894,11 +1900,22 @@ NetworkPolicyMapImpl::~NetworkPolicyMapImpl() {
 delete load();
 }
-void NetworkPolicyMapImpl::startSubscription() {
- subscription_ = subscribe("type.googleapis.com/cilium.NetworkPolicy", npds_config_,
- context_.localInfo(), context_.clusterManager(),
- context_.mainThreadDispatcher(), context_.api().randomGenerator(),
- *npds_stats_scope_, *this, std::make_shared());
+void NetworkPolicyMapImpl::startSubscription(
+ const envoy::config::core::v3::ConfigSource& npds_config) {
+ if (npds_config.value().has_api_config_source() && npds_config.value().config_source_specifier_case() == envoy::config::core::v3::ConfigSource::kAds) {
+ subscription_ = THROW_OR_RETURN_VALUE( context_.clusterManager().subscriptionFactory().subscriptionOverAdsGrpcMux( context_.xdsManager().adsMux(), npds_config.value(), NetworkPolicyTypeUrl, *scope_, *this, std::make_shared(), {}), Config::SubscriptionPtr);
+ } else {
+ subscription_ = subscribe(NetworkPolicyTypeUrl, npds_config,
+ context_.localInfo(), context_.clusterManager(),
+ context_.mainThreadDispatcher(), context_.api().randomGenerator(),
+ *npds_stats_scope_, *this, std::make_shared());
+ }
+
+ subscription_->start({});
 }
 void NetworkPolicyMapImpl::tlsWrapperMissingPolicyInc() const {
diff --git a/cilium/network_policy.h b/cilium/network_policy.h
index 3682b1252..eb11b66dc 100644
--- a/cilium/network_policy.h
+++ b/cilium/network_policy.h
@@ -237,9 +237,8 @@ class NetworkPolicyMapImpl : public Envoy::Config::SubscriptionCallbacks,
 const envoy::config::core::v3::ConfigSource& npds_config);
 ~NetworkPolicyMapImpl() override;
- void startSubscription();
-
- const envoy::config::core::v3::ConfigSource& getConfigSource() const { return npds_config_; }
+ void
+ startSubscription(const envoy::config::core::v3::ConfigSource& npds_config);
 // This is used for testing with a file-based subscription
 void startSubscription(std::unique_ptr&& subscription) {
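Review bot: The ADS branch passes `*scope_` to subscriptionOverAdsGrpcMux while the else branch (and the removed code) uses `*npds_stats_scope_`, so the two subscription kinds would report under different stats scopes — and whether NetworkPolicyMapImpl has a `scope_` member at all is not visible here (the class is declared in network_policy.h, outside this hunk); `*npds_stats_scope_` in both branches looks like the intent. `npds_config.value()` is used in the condition and in the ADS call although `npds_config` is declared `const envoy::config::core::v3::ConfigSource&` on the line above, the PolicyHostMap version in host_map.cc calls `has_api_config_source()` on the reference directly, and the else branch here passes `npds_config` itself — the `.value()` calls read as leftovers from an optional wrapper and should go. The dead `has_api_config_source() && ... == kAds` condition noted on host_map.cc's hunk applies here unchanged. Since the old body read the `npds_config_` member and its only visible reader, `getConfigSource()`, is removed in the network_policy.h hunk, check whether `npds_config_` is still needed at all.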
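Review bot: The new `startSubscription(const envoy::config::core::v3::ConfigSource& npds_config)` declaration has no comment, while its sibling overload on the hunk's last line carries one (`// This is used for testing with a file-based subscription`); a one-liner such as `// Creates the NPDS subscription for npds_config (over the shared ADS mux or a dedicated gRPC stream, see network_policy.cc) and starts it.` would tell a reader which overload production code calls. Putting `void` on its own line before the declarator is not what clang-format produces for a declaration of this length; `void startSubscription(const envoy::config::core::v3::ConfigSource& npds_config);` fits on one line at class indentation. The class NetworkPolicyMapImpl begins and ends outside this hunk.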
@@ -346,7 +345,7 @@ class NetworkPolicyMap : public Singleton::Instance, public Logger::Loggable