policy: Add NetworkPolicyResourcesDiscoveryService

Add new cilium/versioned.h generic container for transactional selector
updates.

Add a new NetworkPolicyResourceDiscoveryService that implements delta
updates for policies and selectors, and where policies refer to selectors
by their resource name.

NPRDS adds a top-level oneof wrapper that wraps either a Selector or a
NetworkPolicy. NetworkPolicy definition is shared with NPDS, but
PortNetworkPolicyRule adds a new selectors field that is only used with
NPRDS.

Store the latest desired ConfigSource in the policy map and use it for:
- initial policy map subscription
- re-subscription when connection under current subscription is terminated
- a healthy network policy stream is not disrupted, unless the desired
  config is for delta xDS and the current one is not

This means that we switch to delta mode eagerly when we have evidence
that the agent is capable, but we switch to SotW mode only when xDS
stream transport had failed to connect or closes.

This should work for Cilium Agent upgrades and downgrades, as the agent
expresses the desired mode, and listens for both.

Clear the resource map on a first update on a new stream. This fixes NACK
cases where further updates on the stream would have IP collisions with
resources that were kept from the previous stream.

We record a stream generation number for new stream detection
purposes. This is implemented using the new stream events callback
implemented in NetworkPolicyMapImpl, where the stream generation number
is stored as a static member that is updated via the stream event
callback.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Author: jrajahalme

cilium/BUILD

@@ -28,6 +28,17 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "versioned_lib",
+    hdrs = ["versioned.h"],
+    repository = "@envoy",
+    deps = [
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@com_google_absl//absl/container:flat_hash_set",
+        "@envoy//source/common/common:assert_lib",
+    ],
+)
+
 envoy_cc_library(
     name = "network_policy_lib",
     srcs = [
@@ -45,6 +56,7 @@ envoy_cc_library(
         "//cilium:conntrack_lib",
         "//cilium:grpc_subscription_lib",
         "//cilium:ipcache_lib",
+        "//cilium:versioned_lib",
         "//cilium/api:npds_cc_proto",
         "@envoy//envoy/singleton:manager_interface",
         "@envoy//source/common/common:logger_lib",

cilium/api/npds.proto

@@ -17,6 +17,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Network policy management and NPDS]
 
 // Each resource name is a network policy identifier.
+// Deprecated: This service will be removed when Cilium 1.20 is the oldest supported release.
 service NetworkPolicyDiscoveryService {
   option (envoy.annotations.resource).type = "cilium.NetworkPolicy";
 
@@ -33,6 +34,32 @@ service NetworkPolicyDiscoveryService {
   }
 }
 
+// Policy and selector resource names are exact-match identifiers in delta NPDS.
+service NetworkPolicyResourceDiscoveryService {
+  option (envoy.annotations.resource).type = "cilium.NetworkPolicyResource";
+
+  rpc DeltaNetworkPolicyResources(stream envoy.service.discovery.v3.DeltaDiscoveryRequest)
+      returns (stream envoy.service.discovery.v3.DeltaDiscoveryResponse) {
+  }
+}
+
+// A delta NPDS resource that carries either an endpoint policy or a shared selector.
+message NetworkPolicyResource {
+  oneof resource {
+    NetworkPolicy policy = 1;
+    Selector selector = 2;
+  }
+}
+
+// A shared set of remote identities referenced by selector resource name.
+// Unlike the old state-of-the-world remote identity lists, an empty selector
+// matches nothing.
+message Selector {
+  // The set of numeric remote security IDs selected by this selector.
+  // If empty, this selector selects no remote identities.
+  repeated uint32 remote_identities = 1;
+}
+
 // A network policy that is enforced by a filter on the network flows to/from
 // associated hosts.
 message NetworkPolicy {
@@ -153,6 +180,12 @@ message PortNetworkPolicyRule {
   // Optional. If not specified, any remote host is matched by this predicate.
   repeated uint32 remote_policies = 7;
 
+  // Optional selector resource names that can be resolved to shared remote
+  // policy sets in delta NPDS.
+  // Selector references are matched by exact selector resource name.
+  // Optional. If not specified, any remote host is matched by this predicate.
+  repeated string selectors = 11;
+
   // Optional downstream TLS context. If present, the incoming connection must
   // be a TLS connection.
   TLSContext downstream_tls_context = 3;

cilium/bpf_metadata.cc

@@ -285,6 +285,8 @@ Config::Config(const ::cilium::BpfMetadata& config,
             [&context, config_source = config_source_] {
               return std::make_shared<Cilium::NetworkPolicyMap>(context, config_source, true);
             });
+    // update desired config source on the map
+    npmap_->setConfigSource(config_source_);
   }
 }
 

cilium/grpc_subscription.cc

@@ -87,6 +87,7 @@ TypeUrlToServiceMap* buildTypeUrlToServiceMap() {
   // https://www.mail-archive.com/protobuf@googlegroups.com/msg04540.html.
   for (absl::string_view name : {
            "cilium.NetworkPolicyDiscoveryService",
+           "cilium.NetworkPolicyResourceDiscoveryService",
            "cilium.NetworkPolicyHostsDiscoveryService",
        }) {
     const auto* service_desc =