
     1  // SPDX-License-Identifier: Apache-2.0
     2  // Copyright Authors of Cilium
     3  
     4  package auth
     5  
     6  import (
     7  	"context"
     8  
     9  	"github.com/cilium/hive/cell"
    10  	"github.com/cilium/workerpool"
    11  	"github.com/sirupsen/logrus"
    12  
    13  	"github.com/cilium/cilium/operator/auth/identity"
    14  	ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
    15  	"github.com/cilium/cilium/pkg/k8s/resource"
    16  )
    17  
    18  // params contains all the dependencies for the identity-gc.
    19  // They will be provided through dependency injection.
// params contains all the dependencies for the identity watcher
// (registerIdentityWatcher / IdentityWatcher); the struct is populated
// through dependency injection via cell.In.
type params struct {
	cell.In

	Logger         logrus.FieldLogger
	Lifecycle      cell.Lifecycle
	IdentityClient identity.Provider                           // backend that receives Upsert/Delete calls for each identity
	Identity       resource.Resource[*ciliumv2.CiliumIdentity] // event source consumed by IdentityWatcher.run

	Cfg Config // Cfg.Enabled decides whether the watcher is registered at all
}
    30  
    31  // IdentityWatcher represents the Cilium identities watcher.
    32  // It watches for Cilium identities and upserts or deletes them in Spire.
// IdentityWatcher represents the Cilium identities watcher.
// It watches for Cilium identities and upserts or deletes them in Spire.
//
// Instances are built by registerIdentityWatcher and run on a single-worker
// pool for the lifetime of the hive cell.
type IdentityWatcher struct {
	logger logrus.FieldLogger

	identityClient identity.Provider                           // receives Upsert/Delete per identity name
	identity       resource.Resource[*ciliumv2.CiliumIdentity] // event stream drained by run
	wg             *workerpool.WorkerPool                      // pool (size 1) that hosts run; closed on OnStop
	cfg            Config
}
    41  
// registerIdentityWatcher wires an IdentityWatcher into the hive lifecycle.
// It is a no-op when p.Cfg.Enabled is false. The watcher's run loop is
// submitted to a single-worker pool on OnStart; OnStop closes that pool,
// which is what stops the loop.
func registerIdentityWatcher(p params) {
	if !p.Cfg.Enabled {
		return
	}

	watcher := &IdentityWatcher{
		logger:         p.Logger,
		identityClient: p.IdentityClient,
		identity:       p.Identity,
		wg:             workerpool.New(1),
		cfg:            p.Cfg,
	}

	start := func(_ cell.HookContext) error {
		// The hook context only covers startup; the task receives the
		// pool's own context, so run is driven by the pool, not the hook.
		return watcher.wg.Submit("identity-watcher", watcher.run)
	}
	stop := func(_ cell.HookContext) error {
		return watcher.wg.Close()
	}

	p.Lifecycle.Append(cell.Hook{OnStart: start, OnStop: stop})
}
    64  
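// run drains the CiliumIdentity event stream until ctx is cancelled (the
// channel returned by Events closes), mirroring each upsert and delete into
// the identity provider.
//
// Every event is acknowledged with e.Done(err). A failed Upsert/Delete is
// passed back to the resource layer through that err and is logged at
// Error level, so a broken sync to the backend is visible in logs and
// alerting rather than buried in an Info line. Event kinds other than
// Upsert and Delete are acknowledged with a nil err. run always returns nil.
func (iw *IdentityWatcher) run(ctx context.Context) error {
	for e := range iw.identity.Events(ctx) {
		var err error
		switch e.Kind {
		case resource.Upsert:
			err = iw.identityClient.Upsert(ctx, e.Object.GetName())
			iw.logOutcome("Upsert identity", e.Object.GetName(), err)
		case resource.Delete:
			err = iw.identityClient.Delete(ctx, e.Object.GetName())
			iw.logOutcome("Delete identity", e.Object.GetName(), err)
		}
		e.Done(err)
	}
	return nil
}

// logOutcome records the result of one identity operation: at Error level
// with the error attached when it failed, at Info level when it succeeded.
// msg is the operation description, name the identity it applied to.
func (iw *IdentityWatcher) logOutcome(msg, name string, err error) {
	entry := iw.logger.WithField("identity", name)
	if err != nil {
		entry.WithError(err).Error(msg)
		return
	}
	entry.Info(msg)
}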