
     1  // SPDX-License-Identifier: Apache-2.0
     2  // Copyright Authors of Cilium
     3  
     4  package identitygc
     5  
     6  import (
     7  	"fmt"
     8  	"time"
     9  
    10  	"github.com/cilium/hive/cell"
    11  	"github.com/cilium/workerpool"
    12  	"github.com/sirupsen/logrus"
    13  
    14  	authIdentity "github.com/cilium/cilium/operator/auth/identity"
    15  	"github.com/cilium/cilium/pkg/allocator"
    16  	cmtypes "github.com/cilium/cilium/pkg/clustermesh/types"
    17  	"github.com/cilium/cilium/pkg/controller"
    18  	v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
    19  	"github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2alpha1"
    20  	k8sClient "github.com/cilium/cilium/pkg/k8s/client"
    21  	ciliumV2 "github.com/cilium/cilium/pkg/k8s/client/clientset/versioned/typed/cilium.io/v2"
    22  	"github.com/cilium/cilium/pkg/k8s/resource"
    23  	"github.com/cilium/cilium/pkg/option"
    24  	"github.com/cilium/cilium/pkg/rate"
    25  )
    26  
    27  // params contains all the dependencies for the identity-gc.
    28  // They will be provided through dependency injection.
// params contains all the dependencies for the identity-gc.
// They will be provided through dependency injection.
//
// Only registerGC consumes this struct: a few fields are read once to decide
// whether the GC is registered at all, the rest are copied onto GC as-is.
type params struct {
	cell.In

	Logger    logrus.FieldLogger
	// Lifecycle receives the single OnStart/OnStop hook appended by registerGC.
	Lifecycle cell.Lifecycle

	// Clientset must report IsEnabled() for the GC to be registered; it is
	// also the source of the typed CiliumIdentity client stored on GC.
	Clientset           k8sClient.Clientset
	// The resource handles and the auth-identity provider are stored on GC
	// unchanged; how they are consumed is in the mode-specific GC code, which
	// is not part of this file.
	Identity            resource.Resource[*v2.CiliumIdentity]
	CiliumEndpoint      resource.Resource[*v2.CiliumEndpoint]
	CiliumEndpointSlice resource.Resource[*v2alpha1.CiliumEndpointSlice]
	AuthIdentityClient  authIdentity.Provider

	// Cfg provides Interval, HeartbeatTimeout, RateInterval and RateLimit
	// (the latter three also seed heartbeatStore and rateLimiter).
	Cfg         Config
	// SharedCfg provides EnableOperatorManageCIDs (when true this GC is not
	// registered) and IdentityAllocationMode (selects the CRD or KVstore path).
	SharedCfg   SharedConfig
	ClusterInfo cmtypes.ClusterInfo

	Metrics *Metrics
}
    47  
    48  // GC represents the Cilium identities periodic GC.
// GC represents the Cilium identities periodic GC.
//
// One GC is built by registerGC and driven by the hive lifecycle: OnStart
// creates the worker pool and launches the CRD- or KVstore-mode loop, OnStop
// drains the controller manager (CRD mode only), stops the rate limiter and
// closes the pool. The collection loops themselves (startCRDModeGC,
// startKVStoreModeGC) are defined outside this file.
type GC struct {
	logger logrus.FieldLogger

	// clientset is the typed CiliumIdentity client derived from the injected
	// Clientset; the remaining handles are copied verbatim from params.
	clientset           ciliumV2.CiliumIdentityInterface
	identity            resource.Resource[*v2.CiliumIdentity]
	ciliumEndpoint      resource.Resource[*v2.CiliumEndpoint]
	ciliumEndpointSlice resource.Resource[*v2alpha1.CiliumEndpointSlice]
	authIdentityClient  authIdentity.Provider

	clusterInfo    cmtypes.ClusterInfo
	// allocationMode decides which GC path OnStart launches (CRD or KVstore)
	// and whether OnStop has a controller manager to drain; any other value
	// makes OnStart return an error.
	allocationMode string

	// Tunables taken from Config. heartbeatTimeout also seeds heartbeatStore,
	// and gcRateInterval/gcRateLimit also seed rateLimiter.
	gcInterval       time.Duration
	heartbeatTimeout time.Duration
	gcRateInterval   time.Duration
	gcRateLimit      int64

	// wp is a single-worker pool created in OnStart and closed in OnStop.
	wp             *workerpool.WorkerPool
	heartbeatStore *heartbeatStore
	// mgr is only dereferenced in OnStop (RemoveAllAndWait) and only in CRD
	// mode; registerGC never assigns it, so it is presumably populated by
	// startCRDModeGC — confirm before relying on it elsewhere.
	mgr            *controller.Manager

	// rateLimiter is meant to rate limit the number of
	// identities being GCed by the operator. See the documentation of
	// rate.Limiter to understand its difference from 'x/time/rate.Limiter'.
	//
	// With our rate.Limiter implementation Cilium will be able to handle bursts
	// of identities being garbage collected with the help of the functionality
	// provided by the 'policy-trigger-interval' in the cilium-agent. With the
	// policy-trigger even if we receive N identity changes over the interval
	// set, Cilium will only need to process all of them at once instead of
	// processing each one individually.
	//
	// The limiter is constructed from Cfg.RateInterval / Cfg.RateLimit in
	// registerGC and stopped in OnStop.
	rateLimiter *rate.Limiter

	// allocator is not initialised by registerGC; presumably the KVstore-mode
	// path sets it up — verify in startKVStoreModeGC.
	allocator *allocator.Allocator

	// counters for GC failed/successful runs. Plain ints with no
	// synchronisation visible here; assumed to be touched only from the
	// single GC worker — confirm if runs are ever parallelised.
	failedRuns     int
	successfulRuns int
	metrics        *Metrics
}
    89  
// registerGC wires the identity GC into the operator lifecycle.
//
// It is a no-op when there is no usable Kubernetes clientset, or when the
// operator is configured to manage CiliumIdentities itself
// (SharedCfg.EnableOperatorManageCIDs) — in that case this periodic GC is not
// registered at all. Otherwise the GC is fully constructed here, the worker
// pool is created lazily in OnStart, and OnStop tears down the CRD-mode
// controller manager (if that mode was selected), the rate limiter and the
// worker pool, in that order.
func registerGC(p params) {
	if !p.Clientset.IsEnabled() {
		return
	}
	if p.SharedCfg.EnableOperatorManageCIDs {
		return
	}

	cfg := p.Cfg
	collector := &GC{
		logger:              p.Logger,
		clientset:           p.Clientset.CiliumV2().CiliumIdentities(),
		identity:            p.Identity,
		ciliumEndpoint:      p.CiliumEndpoint,
		ciliumEndpointSlice: p.CiliumEndpointSlice,
		authIdentityClient:  p.AuthIdentityClient,
		clusterInfo:         p.ClusterInfo,
		allocationMode:      p.SharedCfg.IdentityAllocationMode,
		gcInterval:          cfg.Interval,
		heartbeatTimeout:    cfg.HeartbeatTimeout,
		gcRateInterval:      cfg.RateInterval,
		gcRateLimit:         cfg.RateLimit,
		// Both helpers are seeded from the same values kept on the struct
		// above, so the GC loop and the limiter cannot drift apart.
		heartbeatStore: newHeartbeatStore(cfg.HeartbeatTimeout),
		rateLimiter:    rate.NewLimiter(cfg.RateInterval, cfg.RateLimit),
		metrics:        p.Metrics,
	}

	onStart := func(ctx cell.HookContext) error {
		// A single worker: GC runs never overlap.
		collector.wp = workerpool.New(1)

		var err error
		switch collector.allocationMode {
		case option.IdentityAllocationModeCRD:
			err = collector.startCRDModeGC(ctx)
		case option.IdentityAllocationModeKVstore:
			err = collector.startKVStoreModeGC(ctx)
		default:
			err = fmt.Errorf("unknown Cilium identity allocation mode: %q", collector.allocationMode)
		}
		return err
	}

	onStop := func(ctx cell.HookContext) error {
		// Only the CRD-mode path runs a controller.Manager in its own
		// goroutine; drain it before the shared resources go away.
		if collector.allocationMode == option.IdentityAllocationModeCRD {
			collector.mgr.RemoveAllAndWait()
		}
		collector.rateLimiter.Stop()
		collector.wp.Close()

		return nil
	}

	p.Lifecycle.Append(cell.Hook{
		OnStart: onStart,
		OnStop:  onStop,
	})
}
   140  	})
   141  }