Getting controller configuration flags from IPAM

aws · Jun 20, 2024 · b174867 · b174867
1 parent ee49602
commit b174867
Show file tree

Hide file tree

Showing 4 changed files with 348 additions and 2 deletions.
diff --git a/main.go b/main.go
@@ -82,8 +82,10 @@ func main() {
 		setupLog.Error(err, "unable to create controller manager")
 		os.Exit(1)
 	}
-
 	ctx := ctrl.SetupSignalHandler()
+
+	ctrlConfig.GetUpdatedControllerConfigsFromIPAM(ctx)
+
 	policyEndpointController, err := controllers.NewPolicyEndpointsReconciler(mgr.GetClient(),
 		ctrl.Log.WithName("controllers").WithName("policyEndpoints"), ctrlConfig.EnablePolicyEventLogs, ctrlConfig.EnableCloudWatchLogs,
 		ctrlConfig.EnableIPv6, ctrlConfig.EnableNetworkPolicy, ctrlConfig.ConntrackCacheCleanupPeriod)

diff --git a/pkg/config/controller_config.go b/pkg/config/controller_config.go
@@ -1,6 +1,13 @@
 package config
 
-import "github.com/spf13/pflag"
+import (
+	"context"
+
+	"github.com/aws/aws-network-policy-agent/pkg/rpc"
+	"github.com/spf13/pflag"
+	"google.golang.org/protobuf/types/known/emptypb"
+	ctrl "sigs.k8s.io/controller-runtime"
+)
 
 const (
 	flagLogLevel                       = "log-level"
@@ -15,6 +22,8 @@ const (
 	flagEnableIPv6                     = "enable-ipv6"
 	flagEnableNetworkPolicy            = "enable-network-policy"
 	flagConntrackCacheCleanupPeriod    = "conntrack-cache-cleanup-period"
+	flagRunAsSystemProcess             = "run-as-system-process"
+	localIpamAddress                   = "127.0.0.1:50051"
 )
 
 // ControllerConfig contains the controller configuration
@@ -37,6 +46,8 @@ type ControllerConfig struct {
 	ConntrackCacheCleanupPeriod int
 	// Configurations for the Controller Runtime
 	RuntimeConfig RuntimeConfig
+	// Run the controller as a system process
+	RunAsSystemProcess bool
 }
 
 func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) {
@@ -52,6 +63,34 @@ func (cfg *ControllerConfig) BindFlags(fs *pflag.FlagSet) {
 	fs.BoolVar(&cfg.EnableNetworkPolicy, flagEnableNetworkPolicy, false, "If enabled, Network Policy agent will initialize BPF maps and start reconciler")
 	fs.IntVar(&cfg.ConntrackCacheCleanupPeriod, flagConntrackCacheCleanupPeriod, defaultConntrackCacheCleanupPeriod, ""+
 		"Cleanup interval for network policy agent conntrack cache")
+	fs.BoolVar(&cfg.RunAsSystemProcess, flagRunAsSystemProcess, false, "If enabled, Network Policy Agent will run as a systemd process")
 
 	cfg.RuntimeConfig.BindFlags(fs)
 }
+
+func (cfg *ControllerConfig) GetUpdatedControllerConfigsFromIPAM(ctx context.Context) {
+
+	if cfg.RunAsSystemProcess {
+
+		grpcLogger := ctrl.Log.WithName("grpcLogger")
+
+		grpcLogger.Info("Trying to establish GRPC connection to IPAM")
+		grpcConn, err := rpc.New().Dial(ctx, localIpamAddress, rpc.GetDefaultServiceRetryConfig(), rpc.GetInsecureConnectionType())
+		if err != nil {
+			grpcLogger.Error(err, "Failed to connect to IPAM server")
+		}
+		defer grpcConn.Close()
+
+		ipamd := rpc.NewConfigServerBackendClient(grpcConn)
+		resp, err := ipamd.GetNetworkPolicyAgentConfigs(ctx, &emptypb.Empty{})
+		if err != nil {
+			grpcLogger.Info("Failed to get controller configs, using the default values", "error", err)
+			return
+		}
+
+		// Validate if the values are within valid range (1 sec to 10 mins)
+		if resp.ConntrackCleanupInterval > 0 && resp.ConntrackCleanupInterval <= 600 {
+			cfg.ConntrackCacheCleanupPeriod = int(resp.ConntrackCleanupInterval)
+		}
+	}
+}
diff --git a/pkg/rpc/clientwrapper.go b/pkg/rpc/clientwrapper.go
@@ -0,0 +1,60 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package rpc
+
+import (
+	"context"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+// GRPC is the ipamd client Dial interface
+type GRPC interface {
+	Dial(ctx context.Context, target string, opts ...grpc.DialOption) (*grpc.ClientConn, error)
+}
+
+type NPAgentRPC struct{}
+
+// New creates a new cniGRPC
+func New() GRPC {
+	return &NPAgentRPC{}
+}
+
+func (n *NPAgentRPC) Dial(ctx context.Context, target string, opts ...grpc.DialOption) (*grpc.ClientConn, error) {
+	return grpc.DialContext(ctx, target, opts...)
+}
+
+func GetDefaultServiceRetryConfig() grpc.DialOption {
+
+	// The retry policy for the request made to IPAM server. It waits for the IPAM GRPC to be up before initiating retry policy
+	config := `{
+		"methodConfig": [{
+			"name": [{"service": "rpc.ConfigServerBackend"}],
+			"waitForReady": true,
+			"retryPolicy": {
+				"MaxAttempts": 5,
+				"InitialBackoff": "0.5s",
+				"MaxBackoff": "10s",
+				"BackoffMultiplier": 1.5,
+				"RetryableStatusCodes": [ "UNAVAILABLE", "ABORTED", "UNKNOWN"]
+			}
+		}]
+	}`
+	return grpc.WithDefaultServiceConfig(config)
+}
+
+func GetInsecureConnectionType() grpc.DialOption {
+	return grpc.WithTransportCredentials(insecure.NewCredentials())
+}
diff --git a/pkg/rpc/config.pb.go b/pkg/rpc/config.pb.go