
     1  // SPDX-License-Identifier: Apache-2.0
     2  // Copyright Authors of Cilium
     3  
     4  package directory
     5  
     6  import (
     7  	"context"
     8  
     9  	"github.com/cilium/hive/cell"
    10  	"github.com/sirupsen/logrus"
    11  	"github.com/spf13/pflag"
    12  
    13  	cilium_v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
    14  	"github.com/cilium/cilium/pkg/labels"
    15  	"github.com/cilium/cilium/pkg/policy"
    16  	"github.com/cilium/cilium/pkg/policy/api"
    17  )
    18  
// Cell wires up the directory policy watcher. The watcher observes a
// directory configured through Cilium's own config (see Config) for
// CiliumNetworkPolicy / CiliumClusterWideNetworkPolicy files being created or
// deleted, translates them into Cilium's internal policy representation
// (api.Rules) and applies the result to the policy repository through the
// PolicyManager.
//
// Security note: a file placed in that directory turns into network policy on
// this node. Nothing in this file checks who wrote the file, so filesystem
// permissions on the directory are the only gate — treat write access to it
// as equivalent to the right to edit policy.
var Cell = cell.Module(
	"policy-directory-watcher",
	"Watches Directory for cilium network policy file updates",
	cell.Config(defaultConfig),
	cell.Provide(
		newDirectoryPolicyResourcesWatcher,
		// Shared readiness signal. The constructor closes it right away when
		// no directory is configured; otherwise the watcher is expected to
		// close it once the initial directory read is done (not visible
		// here — see the note on newPolicyWatcher).
		func() DirectoryWatcherReadStatus { return make(DirectoryWatcherReadStatus) },
	),
)
    33  
// PolicyManager is the narrow view of the policy repository that the directory
// watcher depends on: adding translated rules and removing rules identified by
// labels. In the daemon it is implemented by the Daemon struct, which is why
// the watcher cannot be started through the Hive lifecycle (see newPolicyWatcher).
type PolicyManager interface {
	// PolicyAdd inserts rules into the policy repository and reports the
	// resulting policy revision.
	PolicyAdd(rules api.Rules, opts *policy.AddOptions) (newRev uint64, err error)
	// PolicyDelete removes the rules identified by the given labels and reports
	// the resulting policy revision.
	PolicyDelete(labels labels.LabelArray, opts *policy.DeleteOptions) (newRev uint64, err error)
}
    38  
// DirectoryWatcherReadStatus is a pure signalling channel: it is closed (never
// sent on) once the directory watcher has nothing more to load before the
// daemon may proceed. newDirectoryPolicyResourcesWatcher closes it immediately
// when no directory is configured; when one is, the watcher itself is expected
// to close it after the initial read (that code is outside this file).
// Closing it twice would panic, so exactly one party may own the close.
type DirectoryWatcherReadStatus chan struct{}
    40  
// PolicyWatcherParams bundles the Hive-injected dependencies of the directory
// policy watcher.
type PolicyWatcherParams struct {
	cell.In

	// ReadStatus is closed once the initial policy load (if any) is complete;
	// see DirectoryWatcherReadStatus.
	ReadStatus DirectoryWatcherReadStatus
	// Lifecycle is injected for completeness; nothing in this file registers
	// hooks on it because the watcher is started by the daemon instead.
	Lifecycle cell.Lifecycle
	// Logger is handed to the policy watcher created by newPolicyWatcher.
	Logger logrus.FieldLogger
}
    48  
// PolicyResourcesWatcher is the object Hive provides to the daemon. It only
// carries the injected parameters and the resolved Config; the actual watching
// starts when the daemon calls WatchDirectoryPolicyResources.
//
// NOTE: newDirectoryPolicyResourcesWatcher returns a nil *PolicyResourcesWatcher
// when no directory is configured, so consumers must nil-check before use.
type PolicyResourcesWatcher struct {
	params PolicyWatcherParams
	cfg    Config
}
    53  
// Config holds the cell's configuration, populated from the command line flag
// registered in Flags.
type Config struct {
	// StaticCNPPath is the directory watched for static Cilium network policy
	// YAML files. An empty value disables the watcher entirely.
	//
	// Security-relevant: files in this directory are loaded as network policy
	// for the node, so it must only be writable by the operator (e.g. the
	// same principals allowed to change the agent's configuration).
	StaticCNPPath string
}
    57  
// staticCNPPath is the name of the command line flag that sets
// Config.StaticCNPPath, the directory holding static Cilium network policy
// YAML files.
const staticCNPPath = "static-cnp-path"
    62  
// defaultConfig is the zero Config: no directory is configured, which makes the
// watcher a no-op unless the operator sets the flag.
var defaultConfig Config
    64  
// Flags registers the cell's command line flags on the given flag set. The
// receiver is ignored: the default comes from defaultConfig, as Hive expects
// the defaults to be registered from the value passed to cell.Config.
func (cfg Config) Flags(flags *pflag.FlagSet) {
	const usage = "Directory path to watch and load static cilium network policy yaml files."
	flags.String(staticCNPPath, defaultConfig.StaticCNPPath, usage)
}
    68  
// newDirectoryPolicyResourcesWatcher is the Hive constructor for the watcher.
//
// When a directory is configured it returns a watcher that still has to be
// started via WatchDirectoryPolicyResources. When none is configured it closes
// p.ReadStatus right away — so nothing waiting on the initial policy load
// blocks forever — and returns nil. Callers therefore receive a nil
// *PolicyResourcesWatcher in the "disabled" case and must check for it.
func newDirectoryPolicyResourcesWatcher(p PolicyWatcherParams, cfg Config) *PolicyResourcesWatcher {
	if cfg.StaticCNPPath != "" {
		return &PolicyResourcesWatcher{params: p, cfg: cfg}
	}

	// Disabled: signal readiness immediately. Closing is this constructor's
	// responsibility only in this branch; the watcher owns it otherwise.
	close(p.ReadStatus)
	return nil
}
    80  
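// WatchDirectoryPolicyResources starts watching the configured directory for
// Cilium network policy files and feeds them to policyManager. It is called by
// the daemon rather than from a Hive lifecycle hook (see newPolicyWatcher for
// why). ctx bounds the lifetime of the watch.
//
// A nil receiver is a safe no-op: newDirectoryPolicyResourcesWatcher returns
// nil when no directory is configured and has already closed the readiness
// channel in that case, so there is nothing to watch. Without this guard the
// call would dereference p.params and panic.
func (p *PolicyResourcesWatcher) WatchDirectoryPolicyResources(ctx context.Context, policyManager PolicyManager) {
	if p == nil {
		return
	}
	w := newPolicyWatcher(ctx, policyManager, p)
	w.watchDirectory(ctx)
}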
    86  
// newPolicyWatcher builds the policyWatcher that WatchDirectoryPolicyResources
// runs. ctx is accepted for symmetry with the caller but is not used here; the
// watch itself is driven by the context passed to watchDirectory.
//
// Why this is not a Hive lifecycle hook: the Daemon struct implements
// PolicyManager, and newDaemon must not finish before every pre-existing
// policy YAML in the directory has been added through PolicyManager (i.e.
// until watchDirectory has observed the initial files). Starting the watcher
// from the lifecycle would therefore create a circular dependency between the
// watcher and the Daemon, so the daemon starts it explicitly instead.
func newPolicyWatcher(ctx context.Context, policyManager PolicyManager, p *PolicyResourcesWatcher) *policyWatcher {
	// fileNameToCnpCache remembers the last policy parsed from each file so a
	// deletion or rewrite can be mapped back to the rules it previously added.
	cache := make(map[string]*cilium_v2.CiliumNetworkPolicy)

	return &policyWatcher{
		log:                p.params.Logger,
		policyManager:      policyManager,
		readStatus:         p.params.ReadStatus,
		config:             p.cfg,
		fileNameToCnpCache: cache,
	}
}