policy: Add NetworkPolicyResourcesDiscoveryService

Add new cilium/versioned.h generic container for transactional selector
updates.

Add a new NetworkPolicyResourceDiscoveryService that implements delta
(and SotW) updates for policies and selectors, and where policies refer
to selectors by their resource name.

NPRDS adds a top-level oneof wrapper that wraps either a Selector or a
NetworkPolicy. NetworkPolicy definition is shared with NPDS, but
PortNetworkPolicyRule adds a new selectors field that is only used with
NPRDS.

Add 'policy_type' enum to BpfMetadata config to control whether NPDS
(default) or NPRDS is used.

Store the latest desired ConfigSource in the policy map and use it for:
- initial policy map subscription
- re-subscription when connection under current subscription is terminated
- a healthy network policy stream is not disrupted, unless the desired
  config is for delta xDS and the current one is not

This means that we switch to NPRDS (Delta) mode eagerly when we have
evidence that the agent is capable, but we switch to NPDS (SotW) mode
only when xDS stream transport had failed to connect or closes.

This should work for Cilium Agent upgrades and downgrades, as the agent
expresses the desired mode, and listens for both.

Clear the resource map on a first update on a new stream. This fixes NACK
cases where further updates on the stream would have IP collisions with
resources that were kept from the previous stream.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Author: jrajahalme

cilium/BUILD

@@ -28,6 +28,17 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "versioned_lib",
+    hdrs = ["versioned.h"],
+    repository = "@envoy",
+    deps = [
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@com_google_absl//absl/container:flat_hash_set",
+        "@envoy//source/common/common:assert_lib",
+    ],
+)
+
 envoy_cc_library(
     name = "network_policy_lib",
     srcs = [
@@ -45,6 +56,7 @@ envoy_cc_library(
         "//cilium:conntrack_lib",
         "//cilium:grpc_subscription_lib",
         "//cilium:ipcache_lib",
+        "//cilium:versioned_lib",
         "//cilium/api:npds_cc_proto",
         "@envoy//envoy/singleton:manager_interface",
         "@envoy//source/common/common:logger_lib",

cilium/api/bpf_metadata.proto

@@ -86,4 +86,11 @@ message BpfMetadata {
 
   // Configuration for the source of Cilium xDS updates.
   envoy.config.core.v3.ConfigSource config_source = 16;
+
+  // Policy type to use
+  enum PolicyType {
+    NPDS = 0;  // Legacy NPDS (default)
+    NPRDS = 1; // New NetworkPolicyResource (NPRDS)
+  }
+  bool policy_type = 17;
 }

cilium/api/npds.proto

@@ -17,6 +17,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Network policy management and NPDS]
 
 // Each resource name is a network policy identifier.
+// Deprecated: This service will be removed when Cilium 1.20 is the oldest supported release.
 service NetworkPolicyDiscoveryService {
   option (envoy.annotations.resource).type = "cilium.NetworkPolicy";
 
@@ -37,6 +38,36 @@ service NetworkPolicyDiscoveryService {
   }
 }
 
+// Policy and selector resource names are exact-match identifiers in NPRDS.
+service NetworkPolicyResourceDiscoveryService {
+  option (envoy.annotations.resource).type = "cilium.NetworkPolicyResource";
+
+  rpc StreamNetworkPolicyResources(stream envoy.service.discovery.v3.DiscoveryRequest)
+      returns (stream envoy.service.discovery.v3.DiscoveryResponse) {
+  }
+
+  rpc DeltaNetworkPolicyResources(stream envoy.service.discovery.v3.DeltaDiscoveryRequest)
+      returns (stream envoy.service.discovery.v3.DeltaDiscoveryResponse) {
+  }
+}
+
+// An NPRDS resource that carries either an endpoint policy or a shared selector.
+message NetworkPolicyResource {
+  oneof resource {
+    NetworkPolicy policy = 1;
+    Selector selector = 2;
+  }
+}
+
+// A shared set of remote identities referenced by selector resource name.
+// Unlike the old state-of-the-world remote identity lists, an empty selector
+// matches nothing.
+message Selector {
+  // The set of numeric remote security IDs selected by this selector.
+  // If empty, this selector selects no remote identities.
+  repeated uint32 remote_identities = 1;
+}
+
 // A network policy that is enforced by a filter on the network flows to/from
 // associated hosts.
 message NetworkPolicy {
@@ -157,6 +188,12 @@ message PortNetworkPolicyRule {
   // Optional. If not specified, any remote host is matched by this predicate.
   repeated uint32 remote_policies = 7;
 
+  // Optional selector resource names that can be resolved to shared remote
+  // policy sets in delta NPDS.
+  // Selector references are matched by exact selector resource name.
+  // Optional. If not specified, any remote host is matched by this predicate.
+  repeated string selectors = 11;
+
   // Optional downstream TLS context. If present, the incoming connection must
   // be a TLS connection.
   TLSContext downstream_tls_context = 3;

cilium/bpf_metadata.cc

@@ -281,14 +281,16 @@ Config::Config(const ::cilium::BpfMetadata& config,
   // instances!
   // Only created if either ipcache_ or hosts_ map exists
   if (ipcache_ || hosts_) {
+    bool use_nprds = config.policy_type() == cilium::BpfMetadata::NPRDS;
     npmap_ =
         context.serverFactoryContext().singletonManager().getTyped<const Cilium::NetworkPolicyMap>(
             SINGLETON_MANAGER_REGISTERED_NAME(cilium_network_policy),
-            [&context, config_source = config_source_] {
-              return std::make_shared<Cilium::NetworkPolicyMap>(context, config_source, true);
+            [&context, use_nprds, config_source = config_source_] {
+              return std::make_shared<Cilium::NetworkPolicyMap>(context, use_nprds, config_source,
+                                                                true);
             });
-    // update desired config source on the map
-    npmap_->setConfigSource(config_source_);
+    // update desired config on the map
+    npmap_->setConfig(use_nprds, config_source_);
   }
 }
 

cilium/grpc_subscription.cc

@@ -86,6 +86,7 @@ TypeUrlToServiceMap* buildTypeUrlToServiceMap() {
   // https://www.mail-archive.com/protobuf@googlegroups.com/msg04540.html.
   for (absl::string_view name : {
            "cilium.NetworkPolicyDiscoveryService",
+           "cilium.NetworkPolicyResourceDiscoveryService",
            "cilium.NetworkPolicyHostsDiscoveryService",
        }) {
     const auto* service_desc =