policy: detect new streams for delta and file-based substriptions

Replace Config::GrpcMuxImpl wrapper with stream event callback patch on
upstream so that new stream detection works on all the needed Mux types
for SotW, Delta, and ADS.

New stream detection is the means by which we detect Cilium Agent
restarts, which generally requires the ipcache bpf map to be
reopened. Delta updates also depend on this detection to force
synchronization as the restarted agent may not know which resources to
remove.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Author: jrajahalme

WORKSPACE

@@ -43,6 +43,7 @@ git_repository(
         "@//patches:0004-thread_local-reset-slot-in-worker-threads-first.patch",
         "@//patches:0005-http-header-expose-attribute.patch",
         "@//patches:0006-test-integration-Defer-fake-upstream-read-enable-un.patch",
+        "@//patches:0007-config-add-grpc-mux-stream-event-callback.patch",
     ],
     # // clang-format off: Envoy's format check: Only repository_locations.bzl may contains URL references
     remote = "https://github.com/envoyproxy/envoy.git",

cilium/grpc_subscription.cc

@@ -2,13 +2,14 @@
 
 #include <fmt/format.h>
 
-#include <chrono>
+#include <functional>
 #include <memory>
 #include <string>
 #include <utility>
 #include <vector>
 
 #include "envoy/annotations/resource.pb.h"
+#include "envoy/common/callback.h"
 #include "envoy/common/exception.h"
 #include "envoy/config/core/v3/config_source.pb.h"
 #include "envoy/config/custom_config_validators.h"
@@ -26,9 +27,12 @@
 #include "source/common/grpc/common.h"
 #include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
 #include "source/extensions/config_subscription/grpc/grpc_mux_context.h"
+#include "source/extensions/config_subscription/grpc/grpc_mux_impl.h"
 #include "source/extensions/config_subscription/grpc/grpc_subscription_impl.h"
+#include "source/extensions/config_subscription/grpc/new_grpc_mux_impl.h"
 
 #include "absl/container/flat_hash_map.h"
+#include "absl/container/flat_hash_set.h"
 #include "absl/status/statusor.h"
 #include "absl/strings/match.h"
 #include "absl/strings/string_view.h"
@@ -39,6 +43,31 @@ namespace Cilium {
 
 namespace {
 
+class StreamEventSubscription : public Config::Subscription {
+public:
+  StreamEventSubscription(std::unique_ptr<Config::Subscription> subscription,
+                          Common::CallbackHandlePtr stream_event_handle)
+      : subscription_(std::move(subscription)),
+        stream_event_handle_(std::move(stream_event_handle)) {}
+
+  void start(const absl::flat_hash_set<std::string>& resource_names) override {
+    subscription_->start(resource_names);
+  }
+
+  void
+  updateResourceInterest(const absl::flat_hash_set<std::string>& update_to_these_names) override {
+    subscription_->updateResourceInterest(update_to_these_names);
+  }
+
+  void requestOnDemandUpdate(const absl::flat_hash_set<std::string>& add_these_names) override {
+    subscription_->requestOnDemandUpdate(add_these_names);
+  }
+
+private:
+  std::unique_ptr<Config::Subscription> subscription_;
+  Common::CallbackHandlePtr stream_event_handle_;
+};
+
 // service RPC method fully qualified names.
 struct Service {
   std::string sotw_grpc_method_;
@@ -58,6 +87,7 @@ TypeUrlToServiceMap* buildTypeUrlToServiceMap() {
   // https://www.mail-archive.com/protobuf@googlegroups.com/msg04540.html.
   for (absl::string_view name : {
            "cilium.NetworkPolicyDiscoveryService",
+           //"cilium.NetworkPolicyResourceDiscoveryService",
            "cilium.NetworkPolicyHostsDiscoveryService",
        }) {
     const auto* service_desc =
@@ -121,56 +151,85 @@ const Protobuf::MethodDescriptor& sotwGrpcMethod(absl::string_view type_url) {
 
 std::unique_ptr<Config::Subscription>
 subscribe(const absl::string_view type_url,
-          const envoy::config::core::v3::ConfigSource& npds_config,
+          const envoy::config::core::v3::ConfigSource& config_source,
           Server::Configuration::CommonFactoryContext& context, Stats::Scope& scope,
           Config::SubscriptionCallbacks& callbacks,
           Config::OpaqueResourceDecoderSharedPtr resource_decoder,
-          std::chrono::milliseconds init_fetch_timeout) {
-  auto& api_config_source = npds_config.api_config_source();
-  THROW_IF_NOT_OK(Config::Utility::checkApiConfigSourceSubscriptionBackingCluster(
-      context.clusterManager().primaryClusters(), api_config_source));
-
+          Config::GrpcMuxStreamEventCallback on_stream_event) {
+  auto initial_fetch_timeout = Config::Utility::configSourceInitialFetchTimeout(config_source);
   Config::SubscriptionStats stats = Config::Utility::generateStats(scope);
   Envoy::Config::SubscriptionOptions options;
 
-  // No-op custom validators
-  Envoy::Config::CustomConfigValidatorsPtr nop_config_validators =
-      std::make_unique<NopConfigValidatorsImpl>();
-  auto factory_or_error = Config::Utility::factoryForGrpcApiConfigSource(
-      context.clusterManager().grpcAsyncClientManager(), api_config_source, scope, true, 0, false);
-  THROW_IF_NOT_OK_REF(factory_or_error.status());
-
-  absl::StatusOr<Config::RateLimitSettings> rate_limit_settings_or_error =
-      Config::Utility::parseRateLimitSettings(api_config_source);
-  THROW_IF_NOT_OK_REF(rate_limit_settings_or_error.status());
-
-  Config::GrpcMuxContext grpc_mux_context{
-      /*async_client_=*/THROW_OR_RETURN_VALUE(
-          factory_or_error.value()->createUncachedRawAsyncClient(), Grpc::RawAsyncClientPtr),
-      /*failover_async_client_=*/nullptr,
-      /*dispatcher_=*/context.mainThreadDispatcher(),
-      /*service_method_=*/sotwGrpcMethod(type_url),
-      /*local_info_=*/context.localInfo(),
-      /*rate_limit_settings_=*/rate_limit_settings_or_error.value(),
-      /*scope_=*/scope,
-      /*config_validators_=*/std::move(nop_config_validators),
-      /*xds_resources_delegate_=*/absl::nullopt,
-      /*xds_config_tracker_=*/absl::nullopt,
-      /*backoff_strategy_=*/
-      std::make_unique<JitteredExponentialBackOffStrategy>(
-          Config::SubscriptionFactory::RetryInitialDelayMs,
-          Config::SubscriptionFactory::RetryMaxDelayMs, context.api().randomGenerator()),
-      /*target_xds_authority_=*/"",
-      /*eds_resources_cache_=*/nullptr // EDS cache is only used for ADS.
-  };
-
-  std::shared_ptr<Config::GrpcMux> grpc_mux =
-      std::static_pointer_cast<Config::GrpcMux>(std::make_shared<GrpcMuxImpl>(
-          grpc_mux_context, api_config_source.set_node_on_first_message_only()));
-
-  return std::make_unique<Config::GrpcSubscriptionImpl>(
+  std::shared_ptr<Config::GrpcMux> grpc_mux;
+  bool is_aggregated =
+      config_source.config_source_specifier_case() == envoy::config::core::v3::ConfigSource::kAds;
+  if (is_aggregated) {
+    grpc_mux = std::static_pointer_cast<Config::GrpcMux>(context.xdsManager().adsMux());
+  } else {
+    auto& api_config_source = config_source.api_config_source();
+    THROW_IF_NOT_OK(Config::Utility::checkApiConfigSourceSubscriptionBackingCluster(
+        context.clusterManager().primaryClusters(), api_config_source));
+
+    // No-op custom validators
+    Envoy::Config::CustomConfigValidatorsPtr nop_config_validators =
+        std::make_unique<NopConfigValidatorsImpl>();
+    auto factory_or_error = Config::Utility::factoryForGrpcApiConfigSource(
+        context.clusterManager().grpcAsyncClientManager(), api_config_source, scope, true, 0,
+        false);
+    THROW_IF_NOT_OK_REF(factory_or_error.status());
+
+    absl::StatusOr<Config::RateLimitSettings> rate_limit_settings_or_error =
+        Config::Utility::parseRateLimitSettings(api_config_source);
+    THROW_IF_NOT_OK_REF(rate_limit_settings_or_error.status());
+
+    const auto& api_type = api_config_source.api_type();
+    bool use_delta = api_type == envoy::config::core::v3::ApiConfigSource::DELTA_GRPC ||
+                     api_type == envoy::config::core::v3::ApiConfigSource::AGGREGATED_DELTA_GRPC;
+    const auto& service_method = use_delta ? deltaGrpcMethod(type_url) : sotwGrpcMethod(type_url);
+
+    Config::GrpcMuxContext grpc_mux_context{
+        THROW_OR_RETURN_VALUE(factory_or_error.value()->createUncachedRawAsyncClient(),
+                              Grpc::RawAsyncClientPtr),
+        /*failover_async_client_=*/nullptr,
+        context.mainThreadDispatcher(),
+        service_method,
+        context.localInfo(),
+        rate_limit_settings_or_error.value(),
+        scope,
+        std::move(nop_config_validators),
+        /*xds_resources_delegate_=*/absl::nullopt,
+        /*xds_config_tracker_=*/absl::nullopt,
+        std::make_unique<JitteredExponentialBackOffStrategy>(
+            Config::SubscriptionFactory::RetryInitialDelayMs,
+            Config::SubscriptionFactory::RetryMaxDelayMs, context.api().randomGenerator()),
+        /*target_xds_authority_=*/"",
+        /*eds_resources_cache_=*/nullptr // EDS cache is only used for ADS.
+    };
+
+    grpc_mux =
+        use_delta ? std::static_pointer_cast<Config::GrpcMux>(
+                        std::make_shared<Config::NewGrpcMuxImpl>(grpc_mux_context))
+                  : std::static_pointer_cast<Config::GrpcMux>(std::make_shared<Config::GrpcMuxImpl>(
+                        grpc_mux_context, api_config_source.set_node_on_first_message_only()));
+  }
+
+  Common::CallbackHandlePtr stream_event_handle;
+  if (on_stream_event) {
+    auto stream_event_callback = std::move(on_stream_event);
+    stream_event_handle = grpc_mux->addStreamEventCallback(stream_event_callback);
+    if (grpc_mux->grpcStreamConnected()) {
+      stream_event_callback(Config::GrpcMuxStreamEvent::Established);
+    }
+  }
+
+  auto subscription = std::make_unique<Config::GrpcSubscriptionImpl>(
       grpc_mux, callbacks, resource_decoder, stats, type_url, context.mainThreadDispatcher(),
-      init_fetch_timeout, /*is_aggregated*/ false, options);
+      initial_fetch_timeout, is_aggregated, options);
+  if (stream_event_handle) {
+    return std::make_unique<StreamEventSubscription>(std::move(subscription),
+                                                     std::move(stream_event_handle));
+  }
+  return subscription;
 }
 
 } // namespace Cilium

cilium/grpc_subscription.h

@@ -1,52 +1,24 @@
 #pragma once
 
-#include <chrono>
 #include <memory>
 
 #include "envoy/config/core/v3/config_source.pb.h"
+#include "envoy/config/grpc_mux.h"
 #include "envoy/config/subscription.h"
-#include "envoy/server/factory_context.h"
+#include "envoy/ssl/context_manager.h"
 #include "envoy/stats/scope.h"
 
-#include "source/extensions/config_subscription/grpc/grpc_mux_context.h"
-#include "source/extensions/config_subscription/grpc/grpc_mux_impl.h"
-
 #include "absl/strings/string_view.h"
 
 namespace Envoy {
 namespace Cilium {
 
-// GrpcMux wrapper to get access to control plane identifier
-class GrpcMuxImpl : public Config::GrpcMuxImpl {
-public:
-  GrpcMuxImpl(Config::GrpcMuxContext& grpc_mux_context, bool skip_subsequent_node)
-      : Config::GrpcMuxImpl(grpc_mux_context, skip_subsequent_node) {}
-
-  ~GrpcMuxImpl() override = default;
-
-  void onStreamEstablished() override {
-    new_stream_ = true;
-    Config::GrpcMuxImpl::onStreamEstablished();
-  }
-
-  // isNewStream returns true for the first call after a new stream has been established
-  bool isNewStream() {
-    bool new_stream = new_stream_;
-    new_stream_ = false;
-    return new_stream;
-  }
-
-private:
-  bool new_stream_ = true;
-};
-
 std::unique_ptr<Config::Subscription>
 subscribe(const absl::string_view type_url,
-          const envoy::config::core::v3::ConfigSource& npds_config,
+          const envoy::config::core::v3::ConfigSource& config_source,
           Server::Configuration::CommonFactoryContext& context, Stats::Scope& scope,
           Config::SubscriptionCallbacks& callbacks,
           Config::OpaqueResourceDecoderSharedPtr resource_decoder,
-          std::chrono::milliseconds init_fetch_timeout = std::chrono::milliseconds(0));
-
+          Config::GrpcMuxStreamEventCallback on_stream_event = {});
 } // namespace Cilium
 } // namespace Envoy