Auth Map: Initial Garbage Collection #25754
Conversation
Force-pushed from 32dfd62 to 2f76b23.
Looking good :-)
You may need to tap into func (d *Daemon) UpdateIdentities(added, deleted cache.IdentityCache) to get identity deletes regardless of identity allocation mode.
Force-pushed from 2f76b23 to f78a41b.
rebased to
Force-pushed from f78a41b to 3141d05.
@jrajahalme thanks for your review! As mentioned offline, I think it's OK to start by supporting CRD-backed only, because the expired entries will be deleted eventually by the timer-based GC anyway. An abstraction which should remove this need to handle both cases on the usage side is in discussion anyway AFAIK.
Force-pushed from 3141d05 to 4665a65.
Added additional GC unit tests (delete entries where identity & nodes no longer exist at startup (via event type upsert & sync)).
LGTM.
authMapCache.All() is still returning the internal map to be used with the internal lock released. This function does not seem to be used however, so maybe split the interface requiring All() to be implemented into two, one with it and one without? Or make it return a copy of the map instead?
@jrajahalme 🙈 fixed by returning a copy of the map in
Force-pushed from bcced2f to 6ca88ee.
Nice work! Just the one thing
Force-pushed from 6ca88ee to a32ac2c.
Force-pushed from a32ac2c to 695daa0.
rebased to
/test
Force-pushed from 695daa0 to 3f3c2cf.
/test
Force-pushed from 3f3c2cf to 9e423f4.
fixed optimizations recommended by @joamaki - thanks!
Currently, only the local CiliumNode is available in the shared resources. This commit introduces the possibility to watch all CiliumNodes and CiliumIdentities within the auth cell by providing them privately for the cell only.
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

This commit introduces garbage collection for the auth map based on the following events:
* deleted node: all auth map entries which belong to the deleted node will be deleted
* deleted identity: all auth map entries which belong to the deleted identity will be deleted
* timer (configurable - defaults to every 15m): expired auth map entries will be deleted
Garbage Collection based on deleted Cilium Identities is currently only supported if Cilium Identities are backed by the CRD storage.
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>

This commit lets authmapCache.All() return a copy of the map of cached entries instead of the map itself. This is necessary to prevent issues when using the map without acquiring the lock.
Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
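The two commits above describe the three GC triggers (deleted node, deleted identity, timer sweep of expired entries) and the fix to authmapCache.All(). The following is an added, self-contained Go sketch of both ideas; it is not Cilium's code, and the key and cache types (authKey, authInfo, authMapCache), the simplified identity and node ID fields and the sample entries are all constructed for this example. AllUnsafe shows the shape jrajahalme flagged: the internal map escapes the lock, so a caller iterating it while another goroutine upserts is a data race (reported by `go test -race`, or a fatal "concurrent map iteration and map write" at runtime). All returns a snapshot instead, and the three GC functions remove entries under the write lock and report how many they deleted.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// authKey is a simplified auth map key: the two identities and the node
// the remote peer lives on. Constructed for this example.
type authKey struct {
	localIdentity  uint32
	remoteIdentity uint32
	remoteNodeID   uint16
}

// authInfo records when the cached authentication expires.
type authInfo struct {
	expiration time.Time
}

// authMapCache is a mutex-protected in-memory view of auth map entries.
type authMapCache struct {
	mu      sync.RWMutex
	entries map[authKey]authInfo
}

func newAuthMapCache() *authMapCache {
	return &authMapCache{entries: make(map[authKey]authInfo)}
}

func (c *authMapCache) Upsert(k authKey, info authInfo) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[k] = info
}

// AllUnsafe returns the internal map itself: the RLock is released on
// return, so the caller's iteration runs unprotected against concurrent
// Upsert/deleteIf calls. Kept only to show the shape the review rejected.
func (c *authMapCache) AllUnsafe() map[authKey]authInfo {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return c.entries
}

// All returns a snapshot copy; callers never touch the internal map
// without the lock being held.
func (c *authMapCache) All() map[authKey]authInfo {
	c.mu.RLock()
	defer c.mu.RUnlock()
	out := make(map[authKey]authInfo, len(c.entries))
	for k, v := range c.entries {
		out[k] = v
	}
	return out
}

// deleteIf removes every entry matching pred under the write lock and
// returns the number removed. Deleting during range is safe in Go.
func (c *authMapCache) deleteIf(pred func(authKey, authInfo) bool) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	n := 0
	for k, v := range c.entries {
		if pred(k, v) {
			delete(c.entries, k)
			n++
		}
	}
	return n
}

// GCNode handles a deleted node: drop every entry pointing at it.
func (c *authMapCache) GCNode(nodeID uint16) int {
	return c.deleteIf(func(k authKey, _ authInfo) bool { return k.remoteNodeID == nodeID })
}

// GCIdentity handles a deleted identity: drop entries where it is either side.
func (c *authMapCache) GCIdentity(id uint32) int {
	return c.deleteIf(func(k authKey, _ authInfo) bool {
		return k.localIdentity == id || k.remoteIdentity == id
	})
}

// GCExpired is the timer-driven sweep: drop entries whose expiration has passed.
func (c *authMapCache) GCExpired(now time.Time) int {
	return c.deleteIf(func(_ authKey, v authInfo) bool { return !v.expiration.After(now) })
}

// demoCache fills a cache with constructed sample entries relative to now.
func demoCache(now time.Time) *authMapCache {
	c := newAuthMapCache()
	c.Upsert(authKey{1001, 2002, 1}, authInfo{now.Add(10 * time.Minute)})
	c.Upsert(authKey{1001, 3003, 2}, authInfo{now.Add(10 * time.Minute)})
	c.Upsert(authKey{4004, 2002, 2}, authInfo{now.Add(-1 * time.Minute)}) // already expired
	c.Upsert(authKey{5005, 6006, 3}, authInfo{now.Add(10 * time.Minute)})
	return c
}

func main() {
	now := time.Now()
	c := demoCache(now)
	fmt.Println("expired removed:", c.GCExpired(now))       // 1
	fmt.Println("node 2 removed:", c.GCNode(2))              // 1
	fmt.Println("identity 1001 removed:", c.GCIdentity(1001)) // 1
	fmt.Println("remaining:", len(c.All()))                  // 1
}
```

Because All hands out a copy, a consumer can mutate or range over the result at leisure; the cost is one allocation per call, which is acceptable for a periodic GC pass but worth keeping in mind if All were ever called on a hot path.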
Force-pushed from 9e423f4 to a9aab40.
rebased to (edit: It seems that #25826 resolved the issue, the test is passing on my PRs after rebasing)
/test
pending check -> marking this as
This PR introduces garbage collection for the auth map based on the following events:
The implementation uses the hive job framework.
Known Limitations:
Fixes: #25213