pkg/proxy: Reconcile routes

Convert the proxy code to use the new route reconciliation for
proxy routes.

Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>

Author: dylandreimerink

pkg/datapath/loader/base.go

@@ -517,10 +517,8 @@ func (l *loader) Reinitialize(ctx context.Context, lnc *datapath.LocalNodeConfig
 	}
 
 	// Reinstall proxy rules for any running proxies if needed
-	if option.Config.EnableL7Proxy {
-		if err := p.ReinstallRoutingRules(ctx, lnc.RouteMTU, lnc.EnableIPSec); err != nil {
-			return err
-		}
+	if err := p.ReinstallRoutingRules(ctx, lnc.RouteMTU, lnc.EnableIPSec); err != nil {
+		return err
 	}
 
 	return nil

pkg/proxy/cell.go

@@ -5,11 +5,15 @@ package proxy
 
 import (
 	"context"
+	"fmt"
 	"log/slog"
 
 	"github.com/cilium/hive/cell"
 	"github.com/cilium/hive/job"
+	"github.com/cilium/statedb"
 
+	"github.com/cilium/cilium/pkg/datapath/linux/route/reconciler"
+	"github.com/cilium/cilium/pkg/datapath/tables"
 	datapath "github.com/cilium/cilium/pkg/datapath/types"
 	"github.com/cilium/cilium/pkg/envoy"
 	fqdnproxy "github.com/cilium/cilium/pkg/fqdn/proxy"
@@ -49,18 +53,26 @@ type proxyParams struct {
 	ProxyPorts            *proxyports.ProxyPorts
 	EnvoyProxyIntegration *envoyProxyIntegration
 	DNSProxyIntegration   *dnsProxyIntegration
+
+	DB           *statedb.DB
+	Devices      statedb.Table[*tables.Device]
+	RouteManager *reconciler.DesiredRouteManager
 }
 
-func newProxy(params proxyParams) *Proxy {
+func newProxy(params proxyParams) (*Proxy, error) {
+	p, err := createProxy(option.Config.EnableL7Proxy, params.Logger, params.LocalNodeStore, params.ProxyPorts, params.EnvoyProxyIntegration, params.DNSProxyIntegration, params.DB, params.Devices, params.RouteManager)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create proxy: %w", err)
+	}
+
 	if !option.Config.EnableL7Proxy {
 		params.Logger.Info("L7 proxies are disabled")
 		if option.Config.EnableEnvoyConfig {
 			params.Logger.Warn("CiliumEnvoyConfig functionality isn't enabled when L7 proxies are disabled", logfields.Flag, option.EnableEnvoyConfig)
 		}
-		return nil
-	}
 
-	p := createProxy(params.Logger, params.LocalNodeStore, params.ProxyPorts, params.EnvoyProxyIntegration, params.DNSProxyIntegration)
+		return p, nil
+	}
 
 	p.proxyPorts.Trigger = job.NewTrigger(job.WithDebounce(10 * time.Second))
 
@@ -89,7 +101,7 @@ func newProxy(params proxyParams) *Proxy {
 		},
 	})
 
-	return p
+	return p, nil
 }
 
 type envoyProxyIntegrationParams struct {

pkg/proxy/proxy.go

@@ -8,8 +8,12 @@ import (
 	"fmt"
 	"log/slog"
 
+	"github.com/cilium/statedb"
+
 	"github.com/cilium/cilium/api/v1/models"
 	"github.com/cilium/cilium/pkg/completion"
+	"github.com/cilium/cilium/pkg/datapath/linux/route/reconciler"
+	"github.com/cilium/cilium/pkg/datapath/tables"
 	"github.com/cilium/cilium/pkg/identity"
 	"github.com/cilium/cilium/pkg/lock"
 	"github.com/cilium/cilium/pkg/logging/logfields"
@@ -34,6 +38,8 @@ const (
 
 // Proxy maintains state about redirects
 type Proxy struct {
+	enabled bool
+
 	// mutex is the lock required when modifying any proxy datastructure
 	mutex lock.RWMutex
 
@@ -51,31 +57,44 @@ type Proxy struct {
 
 	// proxyPorts manages proxy port allocation
 	proxyPorts *proxyports.ProxyPorts
+
+	db               *statedb.DB
+	devices          statedb.Table[*tables.Device]
+	routeOwner       *reconciler.RouteOwner
+	routeInitializer reconciler.Initializer
+	routeManager     *reconciler.DesiredRouteManager
 }
 
 func createProxy(
+	enabled bool,
 	logger *slog.Logger,
 	localNodeStore *node.LocalNodeStore,
 	proxyPorts *proxyports.ProxyPorts,
 	envoyIntegration *envoyProxyIntegration,
 	dnsIntegration *dnsProxyIntegration,
-) *Proxy {
+	db *statedb.DB,
+	devices statedb.Table[*tables.Device],
+	routeManager *reconciler.DesiredRouteManager,
+) (*Proxy, error) {
+	routeOwner, err := routeManager.RegisterOwner("proxy")
+	if err != nil {
+		return nil, fmt.Errorf("unable to register route owner: %w", err)
+	}
+
 	return &Proxy{
+		enabled:          enabled,
 		logger:           logger,
 		localNodeStore:   localNodeStore,
 		redirects:        make(map[string]RedirectImplementation),
 		envoyIntegration: envoyIntegration,
 		dnsIntegration:   dnsIntegration,
 		proxyPorts:       proxyPorts,
-	}
-}
-
-func (p *Proxy) ReinstallRoutingRules(ctx context.Context, mtu int, ipsecEnabled bool) error {
-	ln, err := p.localNodeStore.Get(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to retrieve local node: %w", err)
-	}
-	return ReinstallRoutingRules(p.logger, ln, mtu, ipsecEnabled)
+		db:               db,
+		devices:          devices,
+		routeOwner:       routeOwner,
+		routeInitializer: routeManager.RegisterInitializer("proxy"),
+		routeManager:     routeManager,
+	}, nil
 }
 
 func (p *Proxy) GetListenerProxyPort(listener string) uint16 {

pkg/proxy/proxy_test.go

@@ -8,28 +8,39 @@ import (
 	"os"
 	"testing"
 
+	"github.com/cilium/hive/cell"
 	"github.com/cilium/hive/hivetest"
 	"github.com/cilium/hive/job"
 	"github.com/stretchr/testify/require"
 
 	"github.com/cilium/cilium/pkg/completion"
 	datapath "github.com/cilium/cilium/pkg/datapath/fake/types"
+	"github.com/cilium/cilium/pkg/datapath/linux/route/reconciler"
 	"github.com/cilium/cilium/pkg/envoy"
+	"github.com/cilium/cilium/pkg/hive"
 	"github.com/cilium/cilium/pkg/policy"
 	"github.com/cilium/cilium/pkg/proxy/proxyports"
 	"github.com/cilium/cilium/pkg/time"
 	"github.com/cilium/cilium/pkg/u8proto"
 )
 
 func proxyForTest(t *testing.T) *Proxy {
+	var drm *reconciler.DesiredRouteManager
+	hive.New(
+		reconciler.TableCell,
+		cell.Invoke(func(m *reconciler.DesiredRouteManager) {
+			drm = m
+		}),
+	).Populate(hivetest.Logger(t))
 	fakeIPTablesManager := &datapath.FakeIptablesManager{}
 	ppConfig := proxyports.ProxyPortsConfig{
 		ProxyPortrangeMin:          10000,
 		ProxyPortrangeMax:          20000,
 		RestoredProxyPortsAgeLimit: 0,
 	}
 	pp := proxyports.NewProxyPorts(hivetest.Logger(t), ppConfig, fakeIPTablesManager)
-	p := createProxy(hivetest.Logger(t), nil, pp, nil, nil)
+	p, err := createProxy(true, hivetest.Logger(t), nil, pp, nil, nil, nil, nil, drm)
+	require.NoError(t, err)
 
 	p.proxyPorts.Trigger = job.NewTrigger(job.WithDebounce(10 * time.Second))
 	return p