Merge pull request #829 from msherif1234/bpfman-intg

SDN-5393: intg netobserv operator with bpfman to manage ebpf programs
netobserv · Dec 13, 2024 · 5ba1b46 · 5ba1b46
2 parents 5ec7916 + 3c79658
commit 5ba1b46
Show file tree

Hide file tree

Showing 53 changed files with 5,198 additions and 41 deletions.
diff --git a/apis/flowcollector/v1beta1/flowcollector_types.go b/apis/flowcollector/v1beta1/flowcollector_types.go
@@ -153,7 +153,8 @@ type FlowCollectorIPFIX struct {
 // - `FlowRTT`, to track TCP latency [Unsupported (*)].<br>
 // - `NetworkEvents`, to track Network events.<br>
 // - `PacketTranslation`, to enrich flows with packets translation information. <br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation"
+// - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager"
 type AgentFeature string
 
 const (
@@ -162,6 +163,7 @@ const (
 	FlowRTT           AgentFeature = "FlowRTT"
 	NetworkEvents     AgentFeature = "NetworkEvents"
 	PacketTranslation AgentFeature = "PacketTranslation"
+	EbpfManager       AgentFeature = "EbpfManager"
 )
 
 // Name of an eBPF agent alert.
@@ -339,6 +341,7 @@ type FlowCollectorEBPF struct {
 	// - `NetworkEvents`: enable the Network events monitoring feature. This feature requires mounting
 	// the kernel debug filesystem, so the eBPF pod has to run as privileged.
 	// - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
+	// - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
 	// +optional
 	Features []AgentFeature `json:"features,omitempty"`
 

diff --git a/apis/flowcollector/v1beta2/flowcollector_types.go b/apis/flowcollector/v1beta2/flowcollector_types.go
@@ -176,7 +176,8 @@ type FlowCollectorIPFIX struct {
 // - `FlowRTT`, to track TCP latency.<br>
 // - `NetworkEvents`, to track Network events [Developer Preview].<br>
 // - `PacketTranslation`, to enrich flows with packets translation information. <br>
-// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation"
+// - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
+// +kubebuilder:validation:Enum:="PacketDrop";"DNSTracking";"FlowRTT";"NetworkEvents";"PacketTranslation";"EbpfManager"
 type AgentFeature string
 
 const (
@@ -185,6 +186,7 @@ const (
 	FlowRTT           AgentFeature = "FlowRTT"
 	NetworkEvents     AgentFeature = "NetworkEvents"
 	PacketTranslation AgentFeature = "PacketTranslation"
+	EbpfManager       AgentFeature = "EbpfManager"
 )
 
 // Name of an eBPF agent alert.
@@ -365,6 +367,8 @@ type FlowCollectorEBPF struct {
 	// It requires using the OVN-Kubernetes network plugin with the Observability feature.
 	// IMPORTANT: This feature is available as a Developer Preview.<br>
 	// - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
+	// - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
+	// IMPORTANT: This feature is available as a Developer Preview.<br>
 	// +optional
 	Features []AgentFeature `json:"features,omitempty"`
 

diff --git a/apis/flowcollector/v1beta2/flowcollector_validation_webhook.go b/apis/flowcollector/v1beta2/flowcollector_validation_webhook.go
@@ -101,6 +101,9 @@ func (r *FlowCollector) validateAgent(_ context.Context, fc *FlowCollector) (adm
 	if slices.Contains(fc.Spec.Agent.EBPF.Features, PacketDrop) && !fc.Spec.Agent.EBPF.Privileged {
 		warnings = append(warnings, "The PacketDrop feature requires eBPF Agent to run in privileged mode")
 	}
+	if slices.Contains(fc.Spec.Agent.EBPF.Features, EbpfManager) && !fc.Spec.Agent.EBPF.Privileged {
+		warnings = append(warnings, "The BPF Manager feature requires eBPF Agent to run in privileged mode")
+	}
 	var errs []error
 	if fc.Spec.Agent.EBPF.FlowFilter != nil && fc.Spec.Agent.EBPF.FlowFilter.Enable != nil && *fc.Spec.Agent.EBPF.FlowFilter.Enable {
 		hasPorts := fc.Spec.Agent.EBPF.FlowFilter.Ports.IntVal > 0 || fc.Spec.Agent.EBPF.FlowFilter.Ports.StrVal != ""

diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -136,6 +136,7 @@ spec:
                           - `NetworkEvents`: enable the Network events monitoring feature. This feature requires mounting
                           the kernel debug filesystem, so the eBPF pod has to run as privileged.
                           - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
+                          - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
                         items:
                           description: |-
                             Agent feature, can be one of:<br>
@@ -144,12 +145,14 @@ spec:
                             - `FlowRTT`, to track TCP latency [Unsupported (*)].<br>
                             - `NetworkEvents`, to track Network events.<br>
                             - `PacketTranslation`, to enrich flows with packets translation information. <br>
+                            - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                           enum:
                           - PacketDrop
                           - DNSTracking
                           - FlowRTT
                           - NetworkEvents
                           - PacketTranslation
+                          - EbpfManager
                           type: string
                         type: array
                       flowFilter:
@@ -3820,6 +3823,8 @@ spec:
                           It requires using the OVN-Kubernetes network plugin with the Observability feature.
                           IMPORTANT: This feature is available as a Developer Preview.<br>
                           - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
+                          - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
+                          IMPORTANT: This feature is available as a Developer Preview.<br>
                         items:
                           description: |-
                             Agent feature, can be one of:<br>
@@ -3828,12 +3833,14 @@ spec:
                             - `FlowRTT`, to track TCP latency.<br>
                             - `NetworkEvents`, to track Network events [Developer Preview].<br>
                             - `PacketTranslation`, to enrich flows with packets translation information. <br>
+                            - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                           enum:
                           - PacketDrop
                           - DNSTracking
                           - FlowRTT
                           - NetworkEvents
                           - PacketTranslation
+                          - EbpfManager
                           type: string
                         type: array
                       flowFilter:

diff --git a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
@@ -1025,6 +1025,18 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - bpfman.io
+          resources:
+          - bpfapplications
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - config.openshift.io
           resources:

diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
@@ -121,6 +121,7 @@ spec:
                             - `NetworkEvents`: enable the Network events monitoring feature. This feature requires mounting
                             the kernel debug filesystem, so the eBPF pod has to run as privileged.
                             - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
+                            - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
                           items:
                             description: |-
                               Agent feature, can be one of:<br>
@@ -129,12 +130,14 @@ spec:
                               - `FlowRTT`, to track TCP latency [Unsupported (*)].<br>
                               - `NetworkEvents`, to track Network events.<br>
                               - `PacketTranslation`, to enrich flows with packets translation information. <br>
+                              - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                             enum:
                               - PacketDrop
                               - DNSTracking
                               - FlowRTT
                               - NetworkEvents
                               - PacketTranslation
+                              - EbpfManager
                             type: string
                           type: array
                         flowFilter:
@@ -3521,6 +3524,8 @@ spec:
                             It requires using the OVN-Kubernetes network plugin with the Observability feature.
                             IMPORTANT: This feature is available as a Developer Preview.<br>
                             - `PacketTranslation`: enable enriching flows with packet's translation information. <br>
+                            - `EbpfManager`: allow using eBPF manager to manage netobserv ebpf programs. <br>
+                            IMPORTANT: This feature is available as a Developer Preview.<br>
                           items:
                             description: |-
                               Agent feature, can be one of:<br>
@@ -3529,12 +3534,14 @@ spec:
                               - `FlowRTT`, to track TCP latency.<br>
                               - `NetworkEvents`, to track Network events [Developer Preview].<br>
                               - `PacketTranslation`, to enrich flows with packets translation information. <br>
+                              - `EbpfManager`, to enable using EBPF Manager to manage netobserv ebpf programs [Developer Preview].<br>
                             enum:
                               - PacketDrop
                               - DNSTracking
                               - FlowRTT
                               - NetworkEvents
                               - PacketTranslation
+                              - EbpfManager
                             type: string
                           type: array
                         flowFilter:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -96,6 +96,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - bpfman.io
+  resources:
+  - bpfapplications
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - config.openshift.io
   resources:

diff --git a/config/samples/flows_v1beta2_flowcollector.yaml b/config/samples/flows_v1beta2_flowcollector.yaml
@@ -24,6 +24,7 @@ spec:
       # - "FlowRTT"
       # - "NetworkEvents"
       # - "PacketTranslation"
+      # - "EbpfManager"
       interfaces: []
       excludeInterfaces: ["lo"]
       kafkaBatchSize: 1048576

diff --git a/controllers/consoleplugin/consoleplugin_objects.go b/controllers/consoleplugin/consoleplugin_objects.go
@@ -55,7 +55,7 @@ type builder struct {
 }
 
 func newBuilder(info *reconcilers.Instance, desired *flowslatest.FlowCollectorSpec) builder {
-	version := helper.ExtractVersion(info.Image)
+	version := helper.ExtractVersion(info.Images[constants.ControllerBaseImageIndex])
 	advanced := helper.GetAdvancedPluginConfig(desired.ConsolePlugin.Advanced)
 	return builder{
 		info: info,
@@ -227,7 +227,7 @@ func (b *builder) podTemplate(cmDigest string) *corev1.PodTemplateSpec {
 		Spec: corev1.PodSpec{
 			Containers: []corev1.Container{{
 				Name:            constants.PluginName,
-				Image:           b.info.Image,
+				Image:           b.info.Images[constants.ControllerBaseImageIndex],
 				ImagePullPolicy: corev1.PullPolicy(b.desired.ConsolePlugin.ImagePullPolicy),
 				Resources:       *b.desired.ConsolePlugin.Resources.DeepCopy(),
 				VolumeMounts:    b.volumes.AppendMounts(volumeMounts),

diff --git a/controllers/consoleplugin/consoleplugin_test.go b/controllers/consoleplugin/consoleplugin_test.go
@@ -111,7 +111,7 @@ func getAutoScalerSpecs() (ascv2.HorizontalPodAutoscaler, flowslatest.FlowCollec
 
 func getBuilder(spec *flowslatest.FlowCollectorSpec, lk *helper.LokiConfig) builder {
 	info := reconcilers.Common{Namespace: testNamespace, Loki: lk, ClusterInfo: &cluster.Info{}}
-	b := newBuilder(info.NewInstance(testImage, status.Instance{}), spec)
+	b := newBuilder(info.NewInstance([]string{testImage}, status.Instance{}), spec)
 	_, _, _ = b.configMap(context.Background()) // build configmap to update builder's volumes
 	return b
 }
@@ -144,7 +144,7 @@ func TestContainerUpdateCheck(t *testing.T) {
 	old = nEw
 
 	// new image
-	builder.info.Image = "quay.io/netobserv/network-observability-console-plugin:latest"
+	builder.info.Images[constants.ControllerBaseImageIndex] = "quay.io/netobserv/network-observability-console-plugin:latest"
 	nEw = builder.deployment("digest")
 	report = helper.NewChangeReport("")
 	assert.True(helper.PodChanged(&old.Spec.Template, &nEw.Spec.Template, constants.PluginName, &report))

diff --git a/controllers/constants/constants.go b/controllers/constants/constants.go
@@ -50,7 +50,9 @@ const (
 	LokiCRReader  = "netobserv-reader"
 	PromCRReader  = "netobserv-metrics-reader"
 
-	EnvTestConsole = "TEST_CONSOLE"
+	ControllerBaseImageIndex    = 0
+	EBPFAgentByteCodeImageIndex = 1
+	EnvTestConsole              = "TEST_CONSOLE"
 )
 
 var FlowCollectorName = types.NamespacedName{Name: "cluster"}

diff --git a/controllers/ebpf/agent_controller.go b/controllers/ebpf/agent_controller.go
@@ -83,6 +83,7 @@ const (
 	envFilterTCPFlags             = "FILTER_TCP_FLAGS"
 	envFilterPktDrops             = "FILTER_DROPS"
 	envEnablePacketTranslation    = "ENABLE_PKT_TRANSLATION"
+	envEnableEbpfMgr              = "EBPF_PROGRAM_MANAGER_MODE"
 	envListSeparator              = ","
 )
 
@@ -112,6 +113,8 @@ const (
 	DedupeJustMarkDefault  = "false"
 	DedupeMergeDefault     = "true"
 	defaultDNSTrackingPort = "53"
+	bpfmanMapsVolumeName   = "bpfman-maps"
+	bpfManBpfFSPath        = "/run/netobserv/maps"
 )
 
 // AgentController reconciles the status of the eBPF agent Daemonset, as well as the
@@ -164,6 +167,12 @@ func (c *AgentController) Reconcile(ctx context.Context, target *flowslatest.Flo
 			return nil
 		}
 		rlog.Info("namespace cleanup: deleting eBPF agent", "currentAgent", target.Spec.Agent)
+		if helper.IsAgentFeatureEnabled(&target.Spec.Agent.EBPF, flowslatest.EbpfManager) {
+			if err := c.bpfmanDetachNetobserv(ctx); err != nil {
+				rlog.Error(err, "failed to delete bpfapplication object")
+				// continue with eBPF agent deletion
+			}
+		}
 		if err := c.Delete(ctx, current); err != nil {
 			if errors.IsNotFound(err) {
 				return nil
@@ -192,15 +201,25 @@ func (c *AgentController) Reconcile(ctx context.Context, target *flowslatest.Flo
 	case helper.ActionCreate:
 		rlog.Info("action: create agent")
 		c.Status.SetCreatingDaemonSet(desired)
-		return c.CreateOwned(ctx, desired)
+		err = c.CreateOwned(ctx, desired)
 	case helper.ActionUpdate:
 		rlog.Info("action: update agent")
-		return c.UpdateIfOwned(ctx, current, desired)
+		err = c.UpdateIfOwned(ctx, current, desired)
 	default:
 		rlog.Info("action: nothing to do")
 		c.Status.CheckDaemonSetProgress(current)
-		return nil
 	}
+
+	if err != nil {
+		return err
+	}
+
+	if helper.IsAgentFeatureEnabled(&target.Spec.Agent.EBPF, flowslatest.EbpfManager) {
+		if err := c.bpfmanAttachNetobserv(ctx, target); err != nil {
+			return fmt.Errorf("failed to attach netobserv: %w", err)
+		}
+	}
+	return nil
 }
 
 func (c *AgentController) current(ctx context.Context) (*v1.DaemonSet, error) {
@@ -233,7 +252,7 @@ func (c *AgentController) desired(ctx context.Context, coll *flowslatest.FlowCol
 	if coll == nil {
 		return nil, nil
 	}
-	version := helper.ExtractVersion(c.Image)
+	version := helper.ExtractVersion(c.Images[constants.ControllerBaseImageIndex])
 	annotations := make(map[string]string)
 	env, err := c.envConfig(ctx, coll, annotations)
 	if err != nil {
@@ -356,6 +375,28 @@ func (c *AgentController) desired(ctx context.Context, coll *flowslatest.FlowCol
 		}
 	}
 
+	if helper.IsAgentFeatureEnabled(&coll.Spec.Agent.EBPF, flowslatest.EbpfManager) {
+		volume := corev1.Volume{
+			Name: bpfmanMapsVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				CSI: &corev1.CSIVolumeSource{
+					Driver: "csi.bpfman.io",
+					VolumeAttributes: map[string]string{
+						"csi.bpfman.io/program": "netobserv",
+						"csi.bpfman.io/maps":    "aggregated_flows,additional_flow_metrics,direct_flows,dns_flows,filter_map,global_counters,packet_record",
+					},
+				},
+			},
+		}
+		volumes = append(volumes, volume)
+		volumeMount := corev1.VolumeMount{
+			Name:             bpfmanMapsVolumeName,
+			MountPath:        bpfManBpfFSPath,
+			MountPropagation: newMountPropagationMode(corev1.MountPropagationBidirectional),
+		}
+		volumeMounts = append(volumeMounts, volumeMount)
+	}
+
 	advancedConfig := helper.GetAdvancedAgentConfig(coll.Spec.Agent.EBPF.Advanced)
 
 	return &v1.DaemonSet{
@@ -384,7 +425,7 @@ func (c *AgentController) desired(ctx context.Context, coll *flowslatest.FlowCol
 					Volumes:            volumes,
 					Containers: []corev1.Container{{
 						Name:            constants.EBPFAgentName,
-						Image:           c.Image,
+						Image:           c.Images[constants.ControllerBaseImageIndex],
 						ImagePullPolicy: corev1.PullPolicy(coll.Spec.Agent.EBPF.ImagePullPolicy),
 						Resources:       coll.Spec.Agent.EBPF.Resources,
 						SecurityContext: c.securityContext(coll),
@@ -658,7 +699,12 @@ func (c *AgentController) setEnvConfig(coll *flowslatest.FlowCollector) []corev1
 
 	if helper.IsPacketTranslationEnabled(&coll.Spec.Agent.EBPF) {
 		config = append(config, corev1.EnvVar{
-			Name:  envEnablePacketTranslation,
+			Name: envEnablePacketTranslation,
+		})
+	}
+	if helper.IsEbpfManagerEnabled(&coll.Spec.Agent.EBPF) {
+		config = append(config, corev1.EnvVar{
+			Name:  envEnableEbpfMgr,
 			Value: "true",
 		})
 	}