cilium · nezdolik · Apr 9, 2026
@@ -200,23 +200,27 @@ SINGLETON_MANAGER_REGISTRATION(cilium_network_policy);
 
 namespace {
 
-std::shared_ptr<const Cilium::PolicyHostMap>
+absl::StatusOr<std::shared_ptr<const Cilium::PolicyHostMap>>
 createHostMap(Server::Configuration::ListenerFactoryContext& context,
               envoy::config::core::v3::ConfigSource& npds_config) {
   return context.serverFactoryContext().singletonManager().getTyped<const Cilium::PolicyHostMap>(
       SINGLETON_MANAGER_REGISTERED_NAME(cilium_host_map), [&context, npds_config] {
         auto map = std::make_shared<Cilium::PolicyHostMap>(context.serverFactoryContext());
+        absl::Status subscription_status = absl::OkStatus();
         map->startSubscription(context.serverFactoryContext(), npds_config);
         return map;
       });
 }
 
-std::shared_ptr<const Cilium::NetworkPolicyMap>
+absl::StatusOr<std::shared_ptr<const Cilium::NetworkPolicyMap>>
 createPolicyMap(Server::Configuration::FactoryContext& context,
                 envoy::config::core::v3::ConfigSource& npds_config) {
   return context.serverFactoryContext().singletonManager().getTyped<const Cilium::NetworkPolicyMap>(
       SINGLETON_MANAGER_REGISTERED_NAME(cilium_network_policy), [&context, npds_config] {
-        return std::make_shared<Cilium::NetworkPolicyMap>(context, npds_config, true);
+        absl::Status creation_status = absl::OkStatus();
+        auto policy_map = std::make_shared<Cilium::NetworkPolicyMap>(context, npds_config, creation_status, true);
+        RETURN_IF_NOT_OK_REF(creation_status);
+        return policy_map;
       });
 }
 

@@ -121,7 +121,7 @@ const Protobuf::MethodDescriptor& sotwGrpcMethod(absl::string_view type_url) {
 }
 
 std::unique_ptr<Config::GrpcSubscriptionImpl>
-subscribe(const std::string& type_url, const envoy::config::core::v3::ConfigSource& npds_config,
+subscribe(const absl::string_view type_url, const envoy::config::core::v3::ConfigSource& npds_config,
           const LocalInfo::LocalInfo& local_info, Upstream::ClusterManager& cm,
           Event::Dispatcher& dispatcher, Random::RandomGenerator& random, Stats::Scope& scope,
           Config::SubscriptionCallbacks& callbacks,

@@ -44,7 +44,7 @@ class GrpcMuxImpl : public Config::GrpcMuxImpl {
 };
 
 std::unique_ptr<Config::GrpcSubscriptionImpl>
-subscribe(const std::string& type_url, const envoy::config::core::v3::ConfigSource& npds_config,
+subscribe(const absl::string_view type_url, const envoy::config::core::v3::ConfigSource& npds_config,
           const LocalInfo::LocalInfo& local_info, Upstream::ClusterManager& cm,
           Event::Dispatcher& dispatcher, Random::RandomGenerator& random, Stats::Scope& scope,
           Config::SubscriptionCallbacks& callbacks,

@@ -31,6 +31,10 @@
 namespace Envoy {
 namespace Cilium {
 
+namespace {
+
+  constexpr absl::string_view NetworkPolicyHostsTypeUrl = "type.googleapis.com/cilium.NetworkPolicyHosts";
+
 template <typename T>
 unsigned int checkPrefix(T addr, bool have_prefix, unsigned int plen, absl::string_view host) {
   const unsigned int plen_max = sizeof(T) * 8;
@@ -47,6 +51,9 @@ unsigned int checkPrefix(T addr, bool have_prefix, unsigned int plen, absl::stri
   return plen;
 }
 
+}// namespace
+
+
 struct ThreadLocalHostMapInitializer : public PolicyHostMap::ThreadLocalHostMap {
 protected:
   friend class PolicyHostMap; // PolicyHostMap can insert();
@@ -171,12 +178,23 @@ PolicyHostMap::PolicyHostMap(Server::Configuration::CommonFactoryContext& contex
   scope_ = context.serverScope().createScope(name_);
 }
 
-void PolicyHostMap::startSubscription(Server::Configuration::CommonFactoryContext& context,
-                                      const envoy::config::core::v3::ConfigSource& npds_config) {
-  subscription_ = subscribe("type.googleapis.com/cilium.NetworkPolicyHosts", npds_config,
+
+void PolicyHostMap::startSubscription(
+    Server::Configuration::ServerFactoryContext& context,
+    const envoy::config::core::v3::ConfigSource& npds_config) {
+    if (npds_config.has_api_config_source() && npds_config.config_source_specifier_case() ==
+                                                        envoy::config::core::v3::ConfigSource::kAds) {  
+    subscription_ = THROW_OR_RETURN_VALUE(
+      context.clusterManager().subscriptionFactory().subscriptionOverAdsGrpcMux(
+        context.xdsManager().adsMux(), npds_config.value(), NetworkPolicyHostsTypeUrl,
+        *scope_, *this, std::make_shared<Cilium::PolicyHostDecoder>(), {}), Config::SubscriptionPtr);
+  } else {
+      subscription_ = subscribe(NetworkPolicyHostsTypeUrl, npds_config,
                             context.localInfo(), context.clusterManager(),
                             context.mainThreadDispatcher(), context.api().randomGenerator(),
                             *scope_, *this, std::make_shared<Cilium::PolicyHostDecoder>());
+  }
+
   subscription_->start({});
 }
 

@@ -60,6 +60,12 @@
 #include "cilium/ipcache.h"
 #include "cilium/secret_watcher.h"
 
+namespace {
+
+  constexpr std::string NetworkPolicyTypeUrl = "type.googleapis.com/cilium.NetworkPolicy";
+
+}//namespace
+
 namespace fmt {
 
 template <> struct formatter<Envoy::Cilium::RuleVerdict> {
@@ -1838,7 +1844,7 @@ NetworkPolicyMap::NetworkPolicyMap(Server::Configuration::FactoryContext& contex
   }
 
   if (subscribe) {
-    getImpl().startSubscription();
+    getImpl().startSubscription(npds_config);
   }
 }
 
@@ -1894,11 +1900,22 @@ NetworkPolicyMapImpl::~NetworkPolicyMapImpl() {
   delete load();
 }
 
-void NetworkPolicyMapImpl::startSubscription() {
-  subscription_ = subscribe("type.googleapis.com/cilium.NetworkPolicy", npds_config_,
-                            context_.localInfo(), context_.clusterManager(),
-                            context_.mainThreadDispatcher(), context_.api().randomGenerator(),
-                            *npds_stats_scope_, *this, std::make_shared<NetworkPolicyDecoder>());
+void NetworkPolicyMapImpl::startSubscription(
+    const envoy::config::core::v3::ConfigSource& npds_config) {
+    if (npds_config.value().has_api_config_source() && npds_config.value().config_source_specifier_case() ==
+                                                        envoy::config::core::v3::ConfigSource::kAds) {  
+    subscription_ = THROW_OR_RETURN_VALUE(
+      context_.clusterManager().subscriptionFactory().subscriptionOverAdsGrpcMux(
+        context_.xdsManager().adsMux(), npds_config.value(), NetworkPolicyTypeUrl,
+        *scope_, *this, std::make_shared<Cilium::PolicyHostDecoder>(), {}), Config::SubscriptionPtr);
+  } else {
+    subscription_ = subscribe(NetworkPolicyTypeUrl, npds_config,
+                              context_.localInfo(), context_.clusterManager(),
+                              context_.mainThreadDispatcher(), context_.api().randomGenerator(),
+                              *npds_stats_scope_, *this, std::make_shared<NetworkPolicyDecoder>());
+  }
+
+  subscription_->start({});
 }
 
 void NetworkPolicyMapImpl::tlsWrapperMissingPolicyInc() const {

@@ -237,9 +237,8 @@ class NetworkPolicyMapImpl : public Envoy::Config::SubscriptionCallbacks,
                        const envoy::config::core::v3::ConfigSource& npds_config);
   ~NetworkPolicyMapImpl() override;
 
-  void startSubscription();
-
-  const envoy::config::core::v3::ConfigSource& getConfigSource() const { return npds_config_; }
+  void
+  startSubscription(const envoy::config::core::v3::ConfigSource& npds_config);
 
   // This is used for testing with a file-based subscription
   void startSubscription(std::unique_ptr<Envoy::Config::Subscription>&& subscription) {
@@ -346,7 +345,7 @@ class NetworkPolicyMap : public Singleton::Instance, public Logger::Loggable<Log
 public:
   NetworkPolicyMap(Server::Configuration::FactoryContext& context,
                    const envoy::config::core::v3::ConfigSource& npds_config,
-                   bool subscribe = false);
+                   absl::Status& creation_status, bool subscribe = false);
   ~NetworkPolicyMap() override;
 
   // This is used for testing with a file-based subscription