-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move NodeManager over to asynchronous IPCache API #20117
Conversation
This comment was marked as outdated.
This comment was marked as outdated.
fd71399
to
536453b
Compare
db20329
to
f3c2051
Compare
This comment was marked as outdated.
This comment was marked as outdated.
44af332
to
f59a16b
Compare
f59a16b
to
bac510a
Compare
This comment was marked as outdated.
This comment was marked as outdated.
bac510a
to
4043238
Compare
f3c2051
to
f0e3fa0
Compare
This comment was marked as outdated.
This comment was marked as outdated.
f0e3fa0
to
af19883
Compare
4043238
to
d4661c1
Compare
d4661c1
to
42577f6
Compare
af19883
to
dde1f9a
Compare
3d357c9
to
801e9a8
Compare
d15ac32
to
77451b7
Compare
c8ab347
to
179d2e8
Compare
9e20297
to
71d8518
Compare
This comment was marked as outdated.
This comment was marked as outdated.
179d2e8
to
3d191bc
Compare
71d8518
to
2f1a2dc
Compare
Commit 2f1a2dc does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
This is already a little hairy. A few notes: * NodeManager expects to complete the IPCache push to then trigger updates to datapath routes, encrypt state, etc.; New interface doesn't provide this guarantee. * There's a bit of weirdness in how IPCache just accepts random numeric identities as input, meaning that another node could tell us what its identity is but we don't yet know what that identity means(!). How should we handle this? Seems like something we could route through the ipcache to defer until we understand what it means & resolve policy etc.... * Should 'hostIP' for a (pod / node) ipcache entry be part of 'aux'? * We could probably fold Identity source info with encryptKey/tunnel key / etc. when generating ipcache entries. Would require making identity ipcache updates async though. But maybe that's where we should go anyway. Signed-off-by: Joe Stringer <joe@cilium.io>
2f1a2dc
to
d7301e0
Compare
This pull request has been automatically marked as stale because it |
This pull request has been automatically marked as stale because it |
This pull request has been automatically marked as stale because it |
This pull request has been automatically marked as stale because it |
Superseeded by #23208 |
Meta: #21142
Depends on #19765
A few WIP notes:
updates to datapath routes, encrypt state, etc.; New interface doesn't
provide this guarantee.
identities as input, meaning that another node could tell us what its
identity is but we don't yet know what that identity means(!). How
should we handle this? Seems like something we could route through the
ipcache to defer until we understand what it means & resolve policy
etc....
/ etc. when generating ipcache entries. Would require making identity
ipcache updates async though. But maybe that's where we should go
anyway.