operator/ciliumidentity: Operator Managing CIDs #33204

Draft: wants to merge 17 commits into base: main
Conversation

ovidiutirla (Contributor)
Fixes: #issue-number

A basic identity allocator will be used by the operator to manage global identities (CIDs) and by the agent to manage locally created identities that do not require complex features like `pkg/allocator/allocator.go`.

Related: cilium#30356

Signed-off-by: Ovidiu Tirla <otirla@google.com>
The field will be used mainly by the operator managing CIDs.
Related: cilium#27752

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Add EnqueueTimeTracker and CIDDeletionTracker structures
to manage enqueuing times and track CID deletion marks.
Related: cilium#27752

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Add indexer for CiliumIdentity objects based on security labels
to enable efficient lookup of existing CIDs for reuse during allocation
when Cilium Operator manages Cilium Identities.
Related: cilium#27752

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Add helper function HasCEWithIdentity to check if CiliumEndpoint store contains an endpoint with a given identity.

Signed-off-by: Ovidiu Tirla <otirla@google.com>
The Namespace resource will be used by the Operator Managing CIDs to fetch
relevant labels to create CIDs.
Related: cilium#27752

Signed-off-by: Ovidiu Tirla <otirla@google.com>
The Pod resource will be used by the Operator Managing CIDs to reconcile all
the pods in a namespace when the namespace labels are added or removed.

Related cilium#27752

Signed-off-by: Ovidiu Tirla <otirla@google.com>
EnableOperatorManageCIDs enables the operator to manage CIDs by running a CID controller.
If enabled, the Identity GC cell is then disabled because the CID controller takes care of garbage collection.

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Add the CID cell for operator with a standard empty controller

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Add the reconciler logic for reconciling CIDs, Pods, Namespaces.

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Add the pod event listener and handler to enqueue pod reconciliation

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Add the namespace event listener and handler to reconcile namespace

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Add the CID event listener and handler to reconcile CID

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Add the CES event listener and handler to reconcile CID

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Add the controller for handling the Operator managing CIDs.
The Cilium Identity (CID) controller runs in cilium-operator and is responsible only for managing CID API objects.
* Pod events are added to Pod work queue
* Namespace events are processed immediately and added to Pod work queue
* CID events are added to CID work queue
* Processing Pod work queue items adds items to the CID work queue
* Processed CID work queue items result in mutations to CID API objects

Signed-off-by: Ovidiu Tirla <otirla@google.com>
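The queue flow described in the commit message above, together with the security-label indexer, the HasCEWithIdentity helper, the deletion-mark tracker and the labels filter introduced in the earlier commits, as an added in-memory Go example. This is illustrative code written for this page, not code from the PR or from Cilium: the `Pod` and `Controller` types, the rule that drops `pod-template-hash`, and the exact label key formats are assumptions made for the example.

```go
package main

import (
	"sort"
	"strings"
)

type Pod struct{ Namespace, Name string; Labels map[string]string } // constructed stand-in, not Cilium's type

// Controller models the two-queue design: pod and namespace events feed the pod queue,
// pod processing feeds the CID queue, and only CID processing mutates CID objects.
type Controller struct {
	nsLabels   map[string]map[string]string
	pods       map[string]Pod
	cids       map[int]string // CID objects: ID -> canonical security labels
	labelIndex map[string]int // indexer: security labels -> CID ID, enables reuse
	podToCID   map[string]int // stand-in for the CiliumEndpoint store
	delMark    map[int]bool   // stand-in for CIDDeletionTracker
	podQueue   []string
	cidQueue   map[int]bool // a set, so duplicate enqueues coalesce like a workqueue
	nextID     int
}

func NewController() *Controller {
	return &Controller{nsLabels: map[string]map[string]string{}, pods: map[string]Pod{}, cids: map[int]string{},
		labelIndex: map[string]int{}, podToCID: map[string]int{}, delMark: map[int]bool{}, cidQueue: map[int]bool{}, nextID: 1}
}

// securityLabels returns a pod's canonical identity-relevant label set. Dropping pod-template-hash
// stands in for the labels filter; the key formats follow Cilium's conventions but are assumptions.
func (c *Controller) securityLabels(p Pod) string {
	parts := []string{"k8s:io.kubernetes.pod.namespace=" + p.Namespace}
	for k, v := range p.Labels {
		if k != "pod-template-hash" {
			parts = append(parts, "k8s:"+k+"="+v)
		}
	}
	for k, v := range c.nsLabels[p.Namespace] {
		parts = append(parts, "k8s:io.cilium.k8s.namespace.labels."+k+"="+v)
	}
	sort.Strings(parts)
	return strings.Join(parts, ",")
}

func (c *Controller) OnPod(p Pod) { // pod add/update events only enqueue the pod
	k := p.Namespace + "/" + p.Name
	c.pods[k], c.podQueue = p, append(c.podQueue, k)
}

func (c *Controller) OnNamespace(name string, labels map[string]string) { // handled immediately
	c.nsLabels[name] = labels
	for k, p := range c.pods { // namespace labels are part of every pod's identity, so re-queue them all
		if p.Namespace == name {
			c.podQueue = append(c.podQueue, k)
		}
	}
}

// ProcessPodQueue maps each pod to a CID, reusing one with identical labels via the index, and
// enqueues both the chosen CID and the pod's previous CID (0 if none) for CID processing.
func (c *Controller) ProcessPodQueue() {
	for _, k := range c.podQueue {
		labels := c.securityLabels(c.pods[k])
		id, ok := c.labelIndex[labels]
		if !ok {
			id, c.nextID = c.nextID, c.nextID+1
			c.cids[id], c.labelIndex[labels] = labels, id
		}
		c.cidQueue[c.podToCID[k]] = true
		c.podToCID[k], c.cidQueue[id] = id, true
	}
	c.podQueue = nil
}

func (c *Controller) hasCEWithIdentity(id int) bool { // mirrors the HasCEWithIdentity helper
	for _, cid := range c.podToCID {
		if cid == id {
			return true
		}
	}
	return false
}

// ProcessCIDQueue is the only place CIDs are mutated. An unused CID is marked on one pass and
// deleted only on a later one, so an identity briefly between endpoints is not removed early.
func (c *Controller) ProcessCIDQueue() {
	again := map[int]bool{}
	for id := range c.cidQueue {
		labels, exists := c.cids[id]
		switch {
		case !exists: // the 0 placeholder, or a CID already deleted
		case c.hasCEWithIdentity(id):
			delete(c.delMark, id)
		case !c.delMark[id]:
			c.delMark[id], again[id] = true, true
		default:
			delete(c.cids, id)
			delete(c.labelIndex, labels)
			delete(c.delMark, id)
		}
	}
	c.cidQueue = again
}
```

Two points worth noticing when running this: pods whose labels differ only in a filtered key (here `pod-template-hash`) resolve to the same CID through the index, so identity cardinality does not grow with every rollout; and a CID whose last endpoint moved away is only marked on the first CID-queue pass, so if an endpoint picks that label set up again before the next pass the mark is cleared and the CID is reused rather than deleted and re-created. The two-pass mark is this example's reading of what a deletion tracker is for; how the PR's CIDDeletionTracker is scheduled is not stated on this page.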
Add metrics for the Operator managing CIDs.
Add cid_controller_work_queue_event_count which counts processed events by CID controller work queues labeled by outcome
Add cid_controller_work_queue_latency which meters the duration of CID controller work queues enqueuing and processing latencies in seconds

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Initialize the labels filter to limit identity-relevant labels

Signed-off-by: Ovidiu Tirla <otirla@google.com>
Labels: dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.), sig/policy (Impacts whether traffic is allowed or denied based on user-defined policies.)