NETOBSERV-2418: new FlowCollectorSlice API

Author: jotak

Makefile

@@ -279,6 +279,7 @@ endif
 doc: crdoc ## Generate markdown documentation
 	$(CRDOC) --resources config/crd/bases/flows.netobserv.io_flowcollectors.yaml --output docs/FlowCollector.md
 	$(CRDOC) --resources config/crd/bases/flows.netobserv.io_flowmetrics.yaml --output docs/FlowMetric.md
+	$(CRDOC) --resources config/crd/bases/flows.netobserv.io_flowcollectorslices.yaml --output docs/FlowCollectorSlice.md
 
 # Hack to reintroduce when the API stored version != latest version; see also envtest.go (CRD path config)
 # .PHONY: hack-crd-for-test
@@ -288,6 +289,7 @@ doc: crdoc ## Generate markdown documentation
 # 		'(.spec.versions.[]|select(.name != "v1beta2").storage) = false,(.spec.versions.[]|select(.name == "v1beta2").storage) = true' \
 # 		> ./hack/cloned.flows.netobserv.io_flowcollectors.yaml
 # 	cp ./config/crd/bases/flows.netobserv.io_flowmetrics.yaml ./hack/cloned.flows.netobserv.io_flowmetrics.yaml
+# 	cp ./config/crd/bases/flows.netobserv.io_flowcollectorslices.yaml ./hack/cloned.flows.netobserv.io_flowcollectorslices.yaml
 
 generate: gencode manifests doc ## Run all code/file generators
 

PROJECT

@@ -38,4 +38,12 @@ resources:
   webhooks:
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: netobserv.io
+  group: flows
+  kind: FlowCollectorSlice
+  path: github.com/netobserv/network-observability-operator/api/flowcollectorslice/v1alpha1
+  version: v1alpha1
 version: "3"

api/flowcollector/v1beta2/flowcollector_types.go

@@ -697,6 +697,10 @@ type FlowCollectorFLP struct {
 	// but with a lesser improvement in performance.
 	Filters []FLPFilterSet `json:"filters"`
 
+	// Global configuration managing FlowCollectorSlices custom resources.
+	//+optional
+	SlicesConfig *SlicesConfig `json:"slicesConfig,omitempty"`
+
 	// `advanced` allows setting some aspects of the internal configuration of the flow processor.
 	// This section is aimed mostly for debugging and fine-grained performance optimizations,
 	// such as `GOGC` and `GOMAXPROCS` environment variables. Set these values at your own risk.
@@ -787,6 +791,33 @@ type FlowCollectorHPA struct {
 	Metrics []ascv2.MetricSpec `json:"metrics"`
 }
 
+type SliceCollectionMode string
+
+const (
+	CollectionAlwaysCollect SliceCollectionMode = "AlwaysCollect"
+	CollectionAllowList     SliceCollectionMode = "AllowList"
+)
+
+type SlicesConfig struct {
+	// `enable` determines if the FlowCollectorSlice feature is enabled. If not, all resources of kind FlowCollectorSlice are simply ignored.
+	//+kubebuilder:default:=false
+	//+kubebuilder:validation:Required
+	Enable bool `json:"enable,omitempty"`
+
+	// `collectionMode` determines how the FlowCollectorSlice custom resources impacts the flow collection process:<br>
+	// - When set to `AlwaysCollect`, all flows are collected regardless of the presence of FlowCollectorSlice.<br>
+	// - When set to `AllowList`, only the flows related to namespaces where a FlowCollectorSlice resource is present, or configured via the global `namespacesAllowList`, are collected.<br>
+	//+kubebuilder:validation:Enum=AlwaysCollect;AllowList
+	//+kubebuilder:default:="AlwaysCollect"
+	CollectionMode SliceCollectionMode `json:"collectionMode,omitempty"`
+
+	// `namespacesAllowList` is a list of namespaces for which flows are always collected, regardless of the presence of FlowCollectorSlice in those namespaces.
+	// An entry enclosed by slashes, such as `/openshift-.*/`, is matched as a regular expression.
+	// This setting is ignored if `collectionMode` is different from `AllowList`.
+	//+kubebuilder:validation:optional
+	NamespacesAllowList []string `json:"namespacesAllowList,omitempty"`
+}
+
 type LokiAuthToken string
 
 const (

api/flowcollector/v1beta2/helper.go

@@ -227,3 +227,7 @@ func (spec *FlowCollectorConsolePlugin) IsUnmanagedConsolePluginReplicas() bool
 	}
 	return spec.Autoscaler.IsHPAEnabled()
 }
+
+func (spec *FlowCollectorSpec) IsSliceEnabled() bool {
+	return spec.Processor.SlicesConfig != nil && spec.Processor.SlicesConfig.Enable
+}

api/flowcollector/v1beta2/zz_generated.deepcopy.go

@@ -0,0 +1,2 @@
+// Package v1aplha1 contains the v1alpha1 API implementation.
+package v1alpha1

api/flowcollectorslice/v1alpha1/doc.go

@@ -0,0 +1,59 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// FlowCollectorSliceSpec defines the desired state of FlowCollectorSlice
+type FlowCollectorSliceSpec struct {
+	// `subnetLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services.
+	// Beware that the subnet labels configured in FlowCollectorSlice are not limited to the flows of the related namespace: any flow
+	// in the whole cluster can be labelled using this configuration. However, subnet labels defined in the cluster-scoped FlowCollector take
+	// precedence in case of conflicting rules.
+	//+optional
+	SubnetLabels []SubnetLabel `json:"subnetLabels,omitempty"`
+
+	// `sampling` is an optional sampling interval to apply to this slice. For example, a value of `50` means that 1 matching flow in 50 is sampled.
+	//+kubebuilder:validation:Minimum=0
+	// +optional
+	Sampling int32 `json:"sampling,omitempty"`
+}
+
+// SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services.
+type SubnetLabel struct {
+	// List of CIDRs, such as `["1.2.3.4/32"]`.
+	//+required
+	CIDRs []string `json:"cidrs,omitempty"` // Note, starting with k8s 1.31 / ocp 4.16 there's a new way to validate CIDR such as `+kubebuilder:validation:XValidation:rule="isCIDR(self)",message="field should be in CIDR notation format"`. But older versions would reject the CRD so we cannot implement it now to maintain compatibility.
+	// Label name, used to flag matching flows.
+	//+required
+	Name string `json:"name,omitempty"`
+}
+
+// FlowCollectorSliceStatus defines the observed state of FlowCollectorSlice
+type FlowCollectorSliceStatus struct {
+	// `conditions` represent the latest available observations of an object's state
+	Conditions []metav1.Condition `json:"conditions"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// FlowMetric is the API allowing to create custom metrics from the collected flow logs.
+type FlowCollectorSlice struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   FlowCollectorSliceSpec   `json:"spec,omitempty"`
+	Status FlowCollectorSliceStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// FlowCollectorSliceList contains a list of FlowCollectorSlice
+type FlowCollectorSliceList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []FlowCollectorSlice `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&FlowCollectorSlice{}, &FlowCollectorSliceList{})
+}

api/flowcollectorslice/v1alpha1/flowcollectorslice_types.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2021.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the flows v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=flows.netobserv.io
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "flows.netobserv.io", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)