policy: detect new streams for delta and file-based substriptions

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Author: jrajahalme

WORKSPACE

@@ -43,6 +43,7 @@ git_repository(
         "@//patches:0004-thread_local-reset-slot-in-worker-threads-first.patch",
         "@//patches:0005-http-header-expose-attribute.patch",
         "@//patches:0006-test-integration-Defer-fake-upstream-read-enable-un.patch",
+        "@//patches:0007-config-add-grpc-mux-stream-event-callback.patch",
     ],
     # // clang-format off: Envoy's format check: Only repository_locations.bzl may contains URL references
     remote = "https://github.com/envoyproxy/envoy.git",

cilium/grpc_subscription.cc

@@ -2,13 +2,14 @@
 
 #include <fmt/format.h>
 
-#include <chrono>
+#include <functional>
 #include <memory>
 #include <string>
 #include <utility>
 #include <vector>
 
 #include "envoy/annotations/resource.pb.h"
+#include "envoy/common/callback.h"
 #include "envoy/common/exception.h"
 #include "envoy/config/core/v3/config_source.pb.h"
 #include "envoy/config/custom_config_validators.h"
@@ -26,9 +27,12 @@
 #include "source/common/grpc/common.h"
 #include "source/common/protobuf/protobuf.h" // IWYU pragma: keep
 #include "source/extensions/config_subscription/grpc/grpc_mux_context.h"
+#include "source/extensions/config_subscription/grpc/grpc_mux_impl.h"
 #include "source/extensions/config_subscription/grpc/grpc_subscription_impl.h"
+#include "source/extensions/config_subscription/grpc/new_grpc_mux_impl.h"
 
 #include "absl/container/flat_hash_map.h"
+#include "absl/container/flat_hash_set.h"
 #include "absl/status/statusor.h"
 #include "absl/strings/match.h"
 #include "absl/strings/string_view.h"
@@ -39,6 +43,31 @@ namespace Cilium {
 
 namespace {
 
+class StreamEventSubscription : public Config::Subscription {
+public:
+  StreamEventSubscription(std::unique_ptr<Config::Subscription> subscription,
+                          Common::CallbackHandlePtr stream_event_handle)
+      : subscription_(std::move(subscription)),
+        stream_event_handle_(std::move(stream_event_handle)) {}
+
+  void start(const absl::flat_hash_set<std::string>& resource_names) override {
+    subscription_->start(resource_names);
+  }
+
+  void
+  updateResourceInterest(const absl::flat_hash_set<std::string>& update_to_these_names) override {
+    subscription_->updateResourceInterest(update_to_these_names);
+  }
+
+  void requestOnDemandUpdate(const absl::flat_hash_set<std::string>& add_these_names) override {
+    subscription_->requestOnDemandUpdate(add_these_names);
+  }
+
+private:
+  std::unique_ptr<Config::Subscription> subscription_;
+  Common::CallbackHandlePtr stream_event_handle_;
+};
+
 // service RPC method fully qualified names.
 struct Service {
   std::string sotw_grpc_method_;
@@ -58,6 +87,7 @@ TypeUrlToServiceMap* buildTypeUrlToServiceMap() {
   // https://www.mail-archive.com/protobuf@googlegroups.com/msg04540.html.
   for (absl::string_view name : {
            "cilium.NetworkPolicyDiscoveryService",
+           //"cilium.NetworkPolicyResourceDiscoveryService",
            "cilium.NetworkPolicyHostsDiscoveryService",
        }) {
     const auto* service_desc =
@@ -121,56 +151,85 @@ const Protobuf::MethodDescriptor& sotwGrpcMethod(absl::string_view type_url) {
 
 std::unique_ptr<Config::Subscription>
 subscribe(const absl::string_view type_url,
-          const envoy::config::core::v3::ConfigSource& npds_config,
+          const envoy::config::core::v3::ConfigSource& config_source,
           Server::Configuration::CommonFactoryContext& context, Stats::Scope& scope,
           Config::SubscriptionCallbacks& callbacks,
           Config::OpaqueResourceDecoderSharedPtr resource_decoder,
-          std::chrono::milliseconds init_fetch_timeout) {
-  auto& api_config_source = npds_config.api_config_source();
-  THROW_IF_NOT_OK(Config::Utility::checkApiConfigSourceSubscriptionBackingCluster(
-      context.clusterManager().primaryClusters(), api_config_source));
-
+          Config::GrpcMuxStreamEventCallback on_stream_event) {
+  auto initial_fetch_timeout = Config::Utility::configSourceInitialFetchTimeout(config_source);
   Config::SubscriptionStats stats = Config::Utility::generateStats(scope);
   Envoy::Config::SubscriptionOptions options;
 
-  // No-op custom validators
-  Envoy::Config::CustomConfigValidatorsPtr nop_config_validators =
-      std::make_unique<NopConfigValidatorsImpl>();
-  auto factory_or_error = Config::Utility::factoryForGrpcApiConfigSource(
-      context.clusterManager().grpcAsyncClientManager(), api_config_source, scope, true, 0, false);
-  THROW_IF_NOT_OK_REF(factory_or_error.status());
-
-  absl::StatusOr<Config::RateLimitSettings> rate_limit_settings_or_error =
-      Config::Utility::parseRateLimitSettings(api_config_source);
-  THROW_IF_NOT_OK_REF(rate_limit_settings_or_error.status());
-
-  Config::GrpcMuxContext grpc_mux_context{
-      /*async_client_=*/THROW_OR_RETURN_VALUE(
-          factory_or_error.value()->createUncachedRawAsyncClient(), Grpc::RawAsyncClientPtr),
-      /*failover_async_client_=*/nullptr,
-      /*dispatcher_=*/context.mainThreadDispatcher(),
-      /*service_method_=*/sotwGrpcMethod(type_url),
-      /*local_info_=*/context.localInfo(),
-      /*rate_limit_settings_=*/rate_limit_settings_or_error.value(),
-      /*scope_=*/scope,
-      /*config_validators_=*/std::move(nop_config_validators),
-      /*xds_resources_delegate_=*/absl::nullopt,
-      /*xds_config_tracker_=*/absl::nullopt,
-      /*backoff_strategy_=*/
-      std::make_unique<JitteredExponentialBackOffStrategy>(
-          Config::SubscriptionFactory::RetryInitialDelayMs,
-          Config::SubscriptionFactory::RetryMaxDelayMs, context.api().randomGenerator()),
-      /*target_xds_authority_=*/"",
-      /*eds_resources_cache_=*/nullptr // EDS cache is only used for ADS.
-  };
-
-  std::shared_ptr<Config::GrpcMux> grpc_mux =
-      std::static_pointer_cast<Config::GrpcMux>(std::make_shared<GrpcMuxImpl>(
-          grpc_mux_context, api_config_source.set_node_on_first_message_only()));
-
-  return std::make_unique<Config::GrpcSubscriptionImpl>(
+  std::shared_ptr<Config::GrpcMux> grpc_mux;
+  bool is_aggregated =
+      config_source.config_source_specifier_case() == envoy::config::core::v3::ConfigSource::kAds;
+  if (is_aggregated) {
+    grpc_mux = std::static_pointer_cast<Config::GrpcMux>(context.xdsManager().adsMux());
+  } else {
+    auto& api_config_source = config_source.api_config_source();
+    THROW_IF_NOT_OK(Config::Utility::checkApiConfigSourceSubscriptionBackingCluster(
+        context.clusterManager().primaryClusters(), api_config_source));
+
+    // No-op custom validators
+    Envoy::Config::CustomConfigValidatorsPtr nop_config_validators =
+        std::make_unique<NopConfigValidatorsImpl>();
+    auto factory_or_error = Config::Utility::factoryForGrpcApiConfigSource(
+        context.clusterManager().grpcAsyncClientManager(), api_config_source, scope, true, 0,
+        false);
+    THROW_IF_NOT_OK_REF(factory_or_error.status());
+
+    absl::StatusOr<Config::RateLimitSettings> rate_limit_settings_or_error =
+        Config::Utility::parseRateLimitSettings(api_config_source);
+    THROW_IF_NOT_OK_REF(rate_limit_settings_or_error.status());
+
+    const auto& api_type = api_config_source.api_type();
+    bool use_delta = api_type == envoy::config::core::v3::ApiConfigSource::DELTA_GRPC ||
+                     api_type == envoy::config::core::v3::ApiConfigSource::AGGREGATED_DELTA_GRPC;
+    const auto& service_method = use_delta ? deltaGrpcMethod(type_url) : sotwGrpcMethod(type_url);
+
+    Config::GrpcMuxContext grpc_mux_context{
+        THROW_OR_RETURN_VALUE(factory_or_error.value()->createUncachedRawAsyncClient(),
+                              Grpc::RawAsyncClientPtr),
+        /*failover_async_client_=*/nullptr,
+        context.mainThreadDispatcher(),
+        service_method,
+        context.localInfo(),
+        rate_limit_settings_or_error.value(),
+        scope,
+        std::move(nop_config_validators),
+        /*xds_resources_delegate_=*/absl::nullopt,
+        /*xds_config_tracker_=*/absl::nullopt,
+        std::make_unique<JitteredExponentialBackOffStrategy>(
+            Config::SubscriptionFactory::RetryInitialDelayMs,
+            Config::SubscriptionFactory::RetryMaxDelayMs, context.api().randomGenerator()),
+        /*target_xds_authority_=*/"",
+        /*eds_resources_cache_=*/nullptr // EDS cache is only used for ADS.
+    };
+
+    grpc_mux =
+        use_delta ? std::static_pointer_cast<Config::GrpcMux>(
+                        std::make_shared<Config::NewGrpcMuxImpl>(grpc_mux_context))
+                  : std::static_pointer_cast<Config::GrpcMux>(std::make_shared<Config::GrpcMuxImpl>(
+                        grpc_mux_context, api_config_source.set_node_on_first_message_only()));
+  }
+
+  Common::CallbackHandlePtr stream_event_handle;
+  if (on_stream_event) {
+    auto stream_event_callback = std::move(on_stream_event);
+    stream_event_handle = grpc_mux->addStreamEventCallback(stream_event_callback);
+    if (grpc_mux->grpcStreamConnected()) {
+      stream_event_callback(Config::GrpcMuxStreamEvent::Established);
+    }
+  }
+
+  auto subscription = std::make_unique<Config::GrpcSubscriptionImpl>(
       grpc_mux, callbacks, resource_decoder, stats, type_url, context.mainThreadDispatcher(),
-      init_fetch_timeout, /*is_aggregated*/ false, options);
+      initial_fetch_timeout, is_aggregated, options);
+  if (stream_event_handle) {
+    return std::make_unique<StreamEventSubscription>(std::move(subscription),
+                                                     std::move(stream_event_handle));
+  }
+  return subscription;
 }
 
 } // namespace Cilium

cilium/grpc_subscription.h

@@ -1,52 +1,24 @@
 #pragma once
 
-#include <chrono>
 #include <memory>
 
 #include "envoy/config/core/v3/config_source.pb.h"
+#include "envoy/config/grpc_mux.h"
 #include "envoy/config/subscription.h"
-#include "envoy/server/factory_context.h"
+#include "envoy/ssl/context_manager.h"
 #include "envoy/stats/scope.h"
 
-#include "source/extensions/config_subscription/grpc/grpc_mux_context.h"
-#include "source/extensions/config_subscription/grpc/grpc_mux_impl.h"
-
 #include "absl/strings/string_view.h"
 
 namespace Envoy {
 namespace Cilium {
 
-// GrpcMux wrapper to get access to control plane identifier
-class GrpcMuxImpl : public Config::GrpcMuxImpl {
-public:
-  GrpcMuxImpl(Config::GrpcMuxContext& grpc_mux_context, bool skip_subsequent_node)
-      : Config::GrpcMuxImpl(grpc_mux_context, skip_subsequent_node) {}
-
-  ~GrpcMuxImpl() override = default;
-
-  void onStreamEstablished() override {
-    new_stream_ = true;
-    Config::GrpcMuxImpl::onStreamEstablished();
-  }
-
-  // isNewStream returns true for the first call after a new stream has been established
-  bool isNewStream() {
-    bool new_stream = new_stream_;
-    new_stream_ = false;
-    return new_stream;
-  }
-
-private:
-  bool new_stream_ = true;
-};
-
 std::unique_ptr<Config::Subscription>
 subscribe(const absl::string_view type_url,
-          const envoy::config::core::v3::ConfigSource& npds_config,
+          const envoy::config::core::v3::ConfigSource& config_source,
           Server::Configuration::CommonFactoryContext& context, Stats::Scope& scope,
           Config::SubscriptionCallbacks& callbacks,
           Config::OpaqueResourceDecoderSharedPtr resource_decoder,
-          std::chrono::milliseconds init_fetch_timeout = std::chrono::milliseconds(0));
-
+          Config::GrpcMuxStreamEventCallback on_stream_event = {});
 } // namespace Cilium
 } // namespace Envoy