fix: hubble not showing services and app names on relay and ui

This PR fixes the issue where service IPs are not being resolved in the
Hubble relay's flow logs and app names are not showing up on Hubble UI.
This was done by introducing a service cache and a label cache via the
service and cilium identity controllers.

Signed-off-by: Quang Nguyen <[email protected]>

Author: nddq

Makefile

@@ -140,7 +140,7 @@ fmt: ## run gofumpt on $FMT_PKG (default "retina").
 	$(GOFUMPT) -w $(FMT_PKG)
 
 lint: ## Fast lint vs default branch showing only new issues.
-	$(GOLANGCI_LINT) run --new-from-rev main --timeout 10m -v $(LINT_PKG)/...
+	$(GOLANGCI_LINT) run --new-from-rev main --timeout 10m --concurrency 8 -v $(LINT_PKG)/...
 
 lint-existing: ## Lint the current branch in entirety.
 	$(GOLANGCI_LINT) run -v $(LINT_PKG)/...

cmd/hubble/cells_linux.go

@@ -9,9 +9,6 @@ import (
 	"github.com/cilium/cilium/pkg/gops"
 	hubblecell "github.com/cilium/cilium/pkg/hubble/cell"
 	exportercell "github.com/cilium/cilium/pkg/hubble/exporter/cell"
-	hubbleParser "github.com/cilium/cilium/pkg/hubble/parser"
-	"github.com/cilium/cilium/pkg/ipcache"
-	"github.com/cilium/cilium/pkg/k8s"
 	k8sClient "github.com/cilium/cilium/pkg/k8s/client"
 	"github.com/cilium/cilium/pkg/logging"
 	"github.com/cilium/cilium/pkg/logging/logfields"
@@ -20,13 +17,13 @@ import (
 	"github.com/cilium/cilium/pkg/pprof"
 	"github.com/cilium/cilium/pkg/recorder"
 	"github.com/cilium/hive/cell"
-	"github.com/sirupsen/logrus"
 	"k8s.io/client-go/rest"
 
 	"github.com/microsoft/retina/internal/buildinfo"
 	"github.com/microsoft/retina/pkg/config"
 	rnode "github.com/microsoft/retina/pkg/controllers/daemon/nodereconciler"
 	"github.com/microsoft/retina/pkg/hubble/parser"
+	"github.com/microsoft/retina/pkg/hubble/resources"
 	retinak8s "github.com/microsoft/retina/pkg/k8s"
 	"github.com/microsoft/retina/pkg/managers/pluginmanager"
 	"github.com/microsoft/retina/pkg/monitoragent"
@@ -97,11 +94,9 @@ var (
 
 		recorder.Cell,
 
-		cell.Provide(
-			func(l logrus.FieldLogger, ipc *ipcache.IPCache, sc *k8s.ServiceCacheImpl) hubbleParser.Decoder {
-				return parser.New(l.WithField("decoder", nil), sc, ipc)
-			},
-		),
+		// Provides resources for hubble
+		resources.Cell,
+		cell.Provide(parser.New),
 
 		// Provides the node reconciler as node manager
 		rnode.Cell,

cmd/hubble/daemon_linux.go

@@ -28,6 +28,7 @@ import (
 	"github.com/cilium/hive/cell"
 	"github.com/cilium/workerpool"
 
+	cilium_api_v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
 	corev1 "k8s.io/api/core/v1"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/rest"
@@ -50,6 +51,11 @@ var (
 				return nil, nil, errors.Wrap(err, "failed to add corev1 to scheme")
 			}
 
+			if err := cilium_api_v2.AddToScheme(scheme); err != nil { //nolint:govet // intentional shadow
+				logger.Error("failed to add cilium.io/v2 to scheme")
+				return nil, nil, errors.Wrap(err, "failed to add cilium.io/v2 to scheme")
+			}
+
 			mgrOption := ctrl.Options{
 				Scheme: scheme,
 				Metrics: metricsserver.Options{

deploy/hubble/manifests/controller/helm/retina/values.yaml

@@ -406,9 +406,9 @@ hubble:
     # -- Hubble-relay container image.
     image:
       override: ~
-      repository: "mcr.microsoft.com/oss/cilium/hubble-relay"
-      tag: "v1.15.0"
-      digest: "sha256:19cd56e7618832257bf88b2f281287cb57f9f7fcb9e04775a6198d4bc4daffae"
+      repository: "quay.io/cilium/hubble-relay-ci"
+      tag: "latest"
+      digest: ""
       useDigest: false
       pullPolicy: "Always"
 
@@ -650,9 +650,9 @@ hubble:
       # -- Hubble-ui backend image.
       image:
         override: ~
-        repository: "mcr.microsoft.com/oss/cilium/hubble-ui-backend"
-        tag: "v0.12.2"
-        digest: "sha256:b73dd1ac1b7159d42cdba31433964313e756daafefffad5e91c3b61b47c3782f"
+        repository: "quay.io/cilium/hubble-ui-backend"
+        tag: "v0.13.2"
+        digest: "sha256:a034b7e98e6ea796ed26df8f4e71f83fc16465a19d166eff67a03b822c0bfa15"
         useDigest: true
         pullPolicy: "Always"
 
@@ -689,9 +689,9 @@ hubble:
       # -- Hubble-ui frontend image.
       image:
         override: ~
-        repository: "mcr.microsoft.com/oss/cilium/hubble-ui"
-        tag: "v0.12.2"
-        digest: "sha256:8c53cdaebb4ae863ad061387a68ea06e38777d2911e6c0e570be1932bb4ba526"
+        repository: "quay.io/cilium/hubble-ui"
+        tag: "v0.13.2"
+        digest: "sha256:9e37c1296b802830834cc87342a9182ccbb71ffebb711971e849221bd9d59392"
         useDigest: true
         pullPolicy: "Always"
 

pkg/hubble/common/decoder_linux.go

@@ -7,7 +7,6 @@ import (
 	"github.com/cilium/cilium/api/v1/flow"
 	"github.com/cilium/cilium/pkg/identity"
 	ipc "github.com/cilium/cilium/pkg/ipcache"
-	"github.com/cilium/cilium/pkg/k8s"
 	"github.com/cilium/cilium/pkg/labels"
 )
 
@@ -18,15 +17,22 @@ type EpDecoder interface {
 	IsEndpointOnLocalHost(ip string) bool
 }
 
+type LabelCache interface {
+	// GetLabelsFromSecurityIdentity returns the labels for a given security identity.
+	GetLabelsFromSecurityIdentity(identity.NumericIdentity) []string
+}
+
 type epDecoder struct {
 	localHostIP string
 	ipcache     *ipc.IPCache
+	labelCache  LabelCache
 }
 
-func NewEpDecoder(c *ipc.IPCache) EpDecoder {
+func NewEpDecoder(c *ipc.IPCache, lc LabelCache) EpDecoder {
 	return &epDecoder{
 		localHostIP: os.Getenv("NODE_IP"),
 		ipcache:     c,
+		labelCache:  lc,
 	}
 }
 
@@ -54,7 +60,7 @@ func (e *epDecoder) Decode(ip netip.Addr) *flow.Endpoint {
 	case identity.ReservedIdentityWorld:
 		ep.Labels = labels.LabelWorld.GetModel()
 	default:
-		// TODO: We do not have an api on the ipcache to get the labels from the ip or identity.
+		ep.Labels = e.labelCache.GetLabelsFromSecurityIdentity(id.ID)
 	}
 
 	return ep
@@ -69,20 +75,3 @@ func (e *epDecoder) IsEndpointOnLocalHost(string) bool {
 type SvcDecoder interface {
 	Decode(ip netip.Addr) *flow.Service
 }
-
-type svcDecoder struct {
-	svccache k8s.ServiceCache
-}
-
-func NewSvcDecoder(sc k8s.ServiceCache) SvcDecoder {
-	return &svcDecoder{
-		svccache: sc,
-	}
-}
-
-func (s *svcDecoder) Decode(netip.Addr) *flow.Service {
-	svc := &flow.Service{}
-	// TODO: serviceCache from cilium do not have a way to get the service name
-	// and namespace from the ip. We need to add this to the serviceCache.
-	return svc
-}

pkg/hubble/parser/layer34/parser_linux.go

@@ -6,9 +6,9 @@ import (
 
 	"github.com/cilium/cilium/api/v1/flow"
 	ipc "github.com/cilium/cilium/pkg/ipcache"
-	"github.com/cilium/cilium/pkg/k8s"
 
 	"github.com/microsoft/retina/pkg/hubble/common"
+	"github.com/microsoft/retina/pkg/hubble/resources"
 	"github.com/microsoft/retina/pkg/utils"
 	"github.com/sirupsen/logrus"
 	"go.uber.org/zap"
@@ -20,11 +20,11 @@ type Parser struct {
 	epd common.EpDecoder
 }
 
-func New(l *logrus.Entry, svc k8s.ServiceCache, c *ipc.IPCache) *Parser {
+func New(l *logrus.Entry, svc *resources.ServiceReconciler, c *ipc.IPCache, labelCache common.LabelCache) *Parser {
 	p := &Parser{
 		l:   l.WithField("subsys", "layer34"),
-		svd: common.NewSvcDecoder(svc),
-		epd: common.NewEpDecoder(c),
+		svd: svc,
+		epd: common.NewEpDecoder(c, labelCache),
 	}
 	// Log the localHostIP for debugging purposes.
 	return p

pkg/hubble/parser/parser_linux.go

@@ -6,10 +6,14 @@ import (
 	"github.com/cilium/cilium/api/v1/flow"
 	v1 "github.com/cilium/cilium/pkg/hubble/api/v1"
 	observer "github.com/cilium/cilium/pkg/hubble/observer/types"
+	"github.com/cilium/cilium/pkg/hubble/parser"
 	ipc "github.com/cilium/cilium/pkg/ipcache"
-	"github.com/cilium/cilium/pkg/k8s"
+	"github.com/cilium/hive/cell"
+	"github.com/microsoft/retina/pkg/hubble/common"
 	"github.com/microsoft/retina/pkg/hubble/parser/layer34"
 	"github.com/microsoft/retina/pkg/hubble/parser/seven"
+	"github.com/microsoft/retina/pkg/hubble/resources"
+
 	"github.com/sirupsen/logrus"
 	"go.uber.org/zap"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -22,23 +26,30 @@ var (
 	errUnknownPayload = errors.New("unknown payload")
 )
 
+type Params struct {
+	cell.In
+
+	Logger            logrus.FieldLogger
+	ServiceReconciler *resources.ServiceReconciler
+	LabelCache        common.LabelCache
+
+	IPCache *ipc.IPCache
+}
+
 type Parser struct {
-	l       logrus.FieldLogger
-	ipcache *ipc.IPCache
-	svc     k8s.ServiceCache
+	l *logrus.Entry
 
 	l34 *layer34.Parser
 	l7  *seven.Parser
 }
 
-func New(l *logrus.Entry, svc k8s.ServiceCache, c *ipc.IPCache) *Parser {
+func New(params Params) parser.Decoder {
+	logger := params.Logger.WithField("subsys", "payloadparser")
 	return &Parser{
-		l:       l,
-		ipcache: c,
-		svc:     svc,
+		l: logger,
 
-		l34: layer34.New(l, svc, c),
-		l7:  seven.New(l, svc, c),
+		l34: layer34.New(logger, params.ServiceReconciler, params.IPCache, params.LabelCache),
+		l7:  seven.New(logger, params.ServiceReconciler, params.IPCache, params.LabelCache),
 	}
 }
 

pkg/hubble/parser/seven/parser_linux.go

@@ -7,9 +7,9 @@ import (
 
 	"github.com/cilium/cilium/api/v1/flow"
 	ipc "github.com/cilium/cilium/pkg/ipcache"
-	"github.com/cilium/cilium/pkg/k8s"
 	"github.com/google/gopacket/layers"
 	"github.com/microsoft/retina/pkg/hubble/common"
+	"github.com/microsoft/retina/pkg/hubble/resources"
 	"github.com/sirupsen/logrus"
 	"go.uber.org/zap"
 )
@@ -20,11 +20,11 @@ type Parser struct {
 	epd common.EpDecoder
 }
 
-func New(l *logrus.Entry, svc k8s.ServiceCache, c *ipc.IPCache) *Parser {
+func New(l *logrus.Entry, svc *resources.ServiceReconciler, c *ipc.IPCache, labelCache common.LabelCache) *Parser {
 	return &Parser{
 		l:   l.WithField("subsys", "seven"),
-		svd: common.NewSvcDecoder(svc),
-		epd: common.NewEpDecoder(c),
+		svd: svc,
+		epd: common.NewEpDecoder(c, labelCache),
 	}
 }
 

pkg/hubble/resources/cell_linux.go

@@ -0,0 +1,28 @@
+package resources
+
+import (
+	"github.com/cilium/hive/cell"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+var Cell = cell.Module(
+	"resources",
+	"Resources for Hubble",
+	cell.Provide(NewServiceReconciler),
+	cell.Provide(NewCiliumIdentityReconciler),
+	cell.Invoke(func(svc *ServiceReconciler, cid *CiliumIdentityReconciler, ctrlManager ctrl.Manager) error {
+		if err := svc.SetupWithManager(ctrlManager); err != nil {
+			svc.logger.Error("failed to setup service reconciler with manager", zap.Error(err))
+			return errors.Wrap(err, "failed to setup service reconciler with manager")
+		}
+		svc.logger.Info("Service reconciler setup completed")
+		if err := cid.SetupWithManager(ctrlManager); err != nil {
+			cid.logger.Error("failed to setup cilium identity reconciler with manager", zap.Error(err))
+			return errors.Wrap(err, "failed to setup cilium identity reconciler with manager")
+		}
+		cid.logger.Info("Cilium identity reconciler setup completed")
+		return nil
+	}),
+)