policy: Switch to delta mode when possible

Switch to delta mode more eagerly when we have evidence that the agent is
capable, but switch to SotW mode only when xDS stream transport had
failed to connect or closes.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>

Author: jrajahalme

cilium/network_policy.cc

@@ -253,8 +253,8 @@ class ResourceMapOverlay {
     }
     const auto* selector_entry = entry->selectorResourceEntry();
     if (selector_entry == nullptr || selector_entry->handle == nullptr) {
-      throw EnvoyException(
-          fmt::format("NetworkPolicyResource rule references non-selector resource '{}'", selector));
+      throw EnvoyException(fmt::format(
+          "NetworkPolicyResource rule references non-selector resource '{}'", selector));
     }
     return selector_entry->handle;
   }
@@ -407,7 +407,7 @@ class NetworkPolicyMapImpl : public Envoy::Config::SubscriptionCallbacks,
     if (!subscription_connected_ && subscription_ != nullptr) {
       subscription_connected_ = grpcStreamConnected(subscription_.get());
     }
-    maybeRecreateSubscriptionInDesiredMode();
+    maybeRecreateSubscriptionInDesiredMode(/*transport_closed=*/false);
   }
 
 protected:
@@ -450,27 +450,57 @@ class NetworkPolicyMapImpl : public Envoy::Config::SubscriptionCallbacks,
   }
 
   void onSubscriptionTransportEstablished(uint64_t subscription_id) {
-    ++subscription_stream_generation_;
-
+    // skip stale notifications for earlier subscriptions
     if (subscription_id != subscription_id_) {
       return;
     }
+    ++subscription_stream_generation_;
+
     subscription_connected_ = true;
   }
 
   void onSubscriptionTransportClosed(uint64_t subscription_id) {
+    // skip stale notifications for earlier subscriptions
     if (subscription_id != subscription_id_) {
       return;
     }
     subscription_connected_ = false;
-    maybeRecreateSubscriptionInDesiredMode();
-  }
 
-  void maybeRecreateSubscriptionInDesiredMode() {
-    if (subscription_ == nullptr || subscription_connected_ ||
-        desired_use_delta_xds_ == subscription_use_delta_xds_) {
+    // Test code executes synchronously
+    if (subscription_factory_for_test_) {
+      maybeRecreateSubscriptionInDesiredMode(/*transport_closed=*/true);
       return;
     }
+
+    // The close callback runs on the subscription object's own stack, so defer any possible
+    // recreation until after it unwinds to avoid destroying the current subscription mid-callback.
+    context_.mainThreadDispatcher().post(
+        [weak_this = weak_from_this(), subscription_id = subscription_id_]() {
+          if (auto shared_this = weak_this.lock()) {
+            // skip stale callbacks for earlier subscriptions
+            if (subscription_id != shared_this->subscription_id_) {
+              return;
+            }
+            shared_this->maybeRecreateSubscriptionInDesiredMode(/*transport_closed=*/true);
+          }
+        });
+  }
+
+  void maybeRecreateSubscriptionInDesiredMode(bool transport_closed) {
+    // only ever skip subscribe if we have a subscription already, and it is already connected in
+    // delta or desired mode, or still connecting in desired mode.
+    if (subscription_ && (subscription_connected_ || !transport_closed)) {
+      if (subscription_connected_ && subscription_use_delta_xds_) {
+        // Keep delta on a connected subscription until transport closes.
+        return;
+      }
+      if (subscription_use_delta_xds_ == desired_use_delta_xds_) {
+        // Let the current subscription keep going when it is already in the desired mode.
+        return;
+      }
+    }
+
+    // Recreate the subscription in the latest desired mode.
     subscribe();
   }
 
@@ -2618,10 +2648,9 @@ absl::Status NetworkPolicyMapImpl::onConfigUpdate(
         ENVOY_LOG(trace, "Cilium removing NetworkPolicyResource selector {}", resource);
         const auto* resource_entry = pending_resource_map.findEntry(resource);
         if (resource_entry == nullptr) {
-          ENVOY_LOG(
-              debug,
-              "NetworkPolicyResource removed selector name '{}' not found from resource map",
-              resource);
+          ENVOY_LOG(debug,
+                    "NetworkPolicyResource removed selector name '{}' not found from resource map",
+                    resource);
           continue;
         }
         if (resource_entry->isPolicyEndpointIpEntry()) {

tests/cilium_network_policy_test.cc

@@ -348,7 +348,7 @@ TEST_F(CiliumNetworkPolicyDeltaTest, ManagedSubscriptionColdStartUsesConfiguredD
   EXPECT_THAT(state->start_resources_.front(), testing::ElementsAre(std::string("*")));
 }
 
-TEST_F(CiliumNetworkPolicyTest, FlagFlipOnHealthySubscriptionWaitsForTransportClose) {
+TEST_F(CiliumNetworkPolicyTest, FlagFlipFromSotwToDeltaOnHealthySubscriptionRecreatesImmediately) {
   auto state = std::make_shared<FakeSubscriptionState>();
   std::vector<bool> created_modes;
   setSubscriptionFactoryForTest(
@@ -364,18 +364,57 @@ TEST_F(CiliumNetworkPolicyTest, FlagFlipOnHealthySubscriptionWaitsForTransportCl
   setUseDeltaXds(true);
 
   EXPECT_TRUE(configuredUseDeltaXds());
-  EXPECT_FALSE(subscriptionUseDeltaXdsForTest());
-  EXPECT_TRUE(subscriptionConnectedForTest());
-  EXPECT_THAT(created_modes, testing::ElementsAre(false));
-  EXPECT_EQ(state->start_calls_, 1);
+  EXPECT_TRUE(subscriptionUseDeltaXdsForTest());
+  EXPECT_FALSE(subscriptionConnectedForTest());
+  EXPECT_THAT(created_modes, testing::ElementsAre(false, true));
+  EXPECT_EQ(state->start_calls_, 2);
+  EXPECT_THAT(state->start_resources_.back(), testing::ElementsAre(std::string("*")));
+}
 
-  onSubscriptionTransportCloseForTest();
+TEST_F(CiliumNetworkPolicyTest, FlagFlipFromDeltaToSotwOnHealthySubscriptionWaitsForClose) {
+  auto state = std::make_shared<FakeSubscriptionState>();
+  std::vector<bool> created_modes;
+  setSubscriptionFactoryForTest(
+      [state, &created_modes](bool use_delta_xds) -> std::unique_ptr<Envoy::Config::Subscription> {
+        created_modes.push_back(use_delta_xds);
+        return std::make_unique<FakeSubscription>(state);
+      });
 
-  EXPECT_FALSE(subscriptionConnectedForTest());
+  startManagedSubscriptionForTest();
+  onSubscriptionConnectedForTest();
+  ASSERT_TRUE(subscriptionConnectedForTest());
+  ASSERT_FALSE(subscriptionUseDeltaXdsForTest());
+
+  setUseDeltaXds(true);
+
+  EXPECT_TRUE(configuredUseDeltaXds());
   EXPECT_TRUE(subscriptionUseDeltaXdsForTest());
+  EXPECT_FALSE(subscriptionConnectedForTest());
   EXPECT_THAT(created_modes, testing::ElementsAre(false, true));
   EXPECT_EQ(state->start_calls_, 2);
   EXPECT_THAT(state->start_resources_.back(), testing::ElementsAre(std::string("*")));
+
+  onSubscriptionConnectedForTest();
+  ASSERT_TRUE(subscriptionConnectedForTest());
+  ASSERT_TRUE(subscriptionUseDeltaXdsForTest());
+
+  setUseDeltaXds(false);
+
+  EXPECT_FALSE(configuredUseDeltaXds());
+  EXPECT_TRUE(subscriptionUseDeltaXdsForTest());
+  EXPECT_TRUE(subscriptionConnectedForTest());
+  // Once we have an established delta subscription, keep it until transport close even if the
+  // configured desired mode flips back to SotW.
+  EXPECT_THAT(created_modes, testing::ElementsAre(false, true));
+  EXPECT_EQ(state->start_calls_, 2);
+
+  onSubscriptionTransportCloseForTest();
+
+  EXPECT_FALSE(subscriptionConnectedForTest());
+  EXPECT_FALSE(subscriptionUseDeltaXdsForTest());
+  EXPECT_THAT(created_modes, testing::ElementsAre(false, true, false));
+  EXPECT_EQ(state->start_calls_, 3);
+  EXPECT_TRUE(state->start_resources_.back().empty());
 }
 
 TEST_F(CiliumNetworkPolicyTest, FlagFlipWhileDisconnectedRecreatesImmediately) {
@@ -400,7 +439,66 @@ TEST_F(CiliumNetworkPolicyTest, FlagFlipWhileDisconnectedRecreatesImmediately) {
   EXPECT_THAT(state->start_resources_.back(), testing::ElementsAre(std::string("*")));
 }
 
-TEST_F(CiliumNetworkPolicyTest, TransportCloseWithoutFlagFlipKeepsCurrentMode) {
+TEST_F(CiliumNetworkPolicyDeltaTest, FlagFlipFromDisconnectedDeltaToSotwRecreatesImmediately) {
+  auto state = std::make_shared<FakeSubscriptionState>();
+  std::vector<bool> created_modes;
+  setSubscriptionFactoryForTest(
+      [state, &created_modes](bool use_delta_xds) -> std::unique_ptr<Envoy::Config::Subscription> {
+        created_modes.push_back(use_delta_xds);
+        return std::make_unique<FakeSubscription>(state);
+      });
+
+  startManagedSubscriptionForTest();
+  ASSERT_FALSE(subscriptionConnectedForTest());
+  ASSERT_TRUE(subscriptionUseDeltaXdsForTest());
+
+  setUseDeltaXds(false);
+
+  EXPECT_FALSE(configuredUseDeltaXds());
+  EXPECT_FALSE(subscriptionUseDeltaXdsForTest());
+  EXPECT_FALSE(subscriptionConnectedForTest());
+  EXPECT_THAT(created_modes, testing::ElementsAre(true, false));
+  EXPECT_EQ(state->start_calls_, 2);
+  EXPECT_TRUE(state->start_resources_.back().empty());
+}
+
+TEST_F(CiliumNetworkPolicyDeltaTest, DowngradeFromConnectedDeltaRecreatesDisconnectedRetryToSotw) {
+  auto state = std::make_shared<FakeSubscriptionState>();
+  std::vector<bool> created_modes;
+  setSubscriptionFactoryForTest(
+      [state, &created_modes](bool use_delta_xds) -> std::unique_ptr<Envoy::Config::Subscription> {
+        created_modes.push_back(use_delta_xds);
+        return std::make_unique<FakeSubscription>(state);
+      });
+
+  startManagedSubscriptionForTest();
+  onSubscriptionConnectedForTest();
+  ASSERT_TRUE(subscriptionConnectedForTest());
+  ASSERT_TRUE(subscriptionUseDeltaXdsForTest());
+
+  // Agent restart/downgrade drops the established delta transport. While the desired mode is still
+  // delta we recreate immediately and begin retrying delta.
+  onSubscriptionTransportCloseForTest();
+
+  ASSERT_FALSE(subscriptionConnectedForTest());
+  ASSERT_TRUE(subscriptionUseDeltaXdsForTest());
+  ASSERT_EQ(state->start_calls_, 2);
+  EXPECT_THAT(created_modes, testing::ElementsAre(true, true));
+  EXPECT_THAT(state->start_resources_.back(), testing::ElementsAre(std::string("*")));
+
+  // When listener metadata later reveals the downgraded agent no longer supports delta, flip to
+  // SotW immediately rather than letting the disconnected delta retry loop forever.
+  setUseDeltaXds(false);
+
+  EXPECT_FALSE(configuredUseDeltaXds());
+  EXPECT_FALSE(subscriptionConnectedForTest());
+  EXPECT_FALSE(subscriptionUseDeltaXdsForTest());
+  EXPECT_THAT(created_modes, testing::ElementsAre(true, true, false));
+  EXPECT_EQ(state->start_calls_, 3);
+  EXPECT_TRUE(state->start_resources_.back().empty());
+}
+
+TEST_F(CiliumNetworkPolicyTest, TransportCloseWithoutFlagFlipRecreatesInCurrentMode) {
   auto state = std::make_shared<FakeSubscriptionState>();
   std::vector<bool> created_modes;
   setSubscriptionFactoryForTest(
@@ -416,8 +514,9 @@ TEST_F(CiliumNetworkPolicyTest, TransportCloseWithoutFlagFlipKeepsCurrentMode) {
 
   EXPECT_FALSE(subscriptionConnectedForTest());
   EXPECT_FALSE(subscriptionUseDeltaXdsForTest());
-  EXPECT_THAT(created_modes, testing::ElementsAre(false));
-  EXPECT_EQ(state->start_calls_, 1);
+  EXPECT_THAT(created_modes, testing::ElementsAre(false, false));
+  EXPECT_EQ(state->start_calls_, 2);
+  EXPECT_TRUE(state->start_resources_.back().empty());
 }
 
 TEST_F(CiliumNetworkPolicyTest, EmptyPolicyUpdate) {