Configure packefilter driver via ConfigMap setting

Signed-off-by: Tom Pantelis <[email protected]>

Author: tpantelis

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/projectcalico/api v0.0.0-20230602153125-fb7148692637
 	github.com/prometheus-community/pro-bing v0.6.1
 	github.com/prometheus/client_golang v1.21.0
-	github.com/submariner-io/admiral v0.21.0-m0
+	github.com/submariner-io/admiral v0.21.0-m0.0.20250310100633-0c3e8c111df1
 	github.com/submariner-io/shipyard v0.21.0-m0
 	github.com/vishvananda/netlink v1.3.0
 	golang.org/x/net v0.35.0

go.sum

@@ -441,8 +441,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/submariner-io/admiral v0.21.0-m0 h1:KKni3XSZDxXzGwhsqVza3z634TfUCnrLhuz81S3cdeo=
-github.com/submariner-io/admiral v0.21.0-m0/go.mod h1:vgTpeAcKCgVXHJeDQErVglJCKP8Ng5vJQglZqucIcWA=
+github.com/submariner-io/admiral v0.21.0-m0.0.20250310100633-0c3e8c111df1 h1:Esl5Hyt4pCyW5f/fnv2Q3EyDoQVx6fzS0wfjqi1NRuI=
+github.com/submariner-io/admiral v0.21.0-m0.0.20250310100633-0c3e8c111df1/go.mod h1:vgTpeAcKCgVXHJeDQErVglJCKP8Ng5vJQglZqucIcWA=
 github.com/submariner-io/shipyard v0.21.0-m0 h1:5xVQ5yyEN3mlpcl23nfiG2rr1vkKlDu2imyRGa8sN9c=
 github.com/submariner-io/shipyard v0.21.0-m0/go.mod h1:JQ65yiYy8r/B6thPkG1QW/AgDtXoL0lw7fylzfIjG08=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=

pkg/globalnet/main.go

@@ -25,18 +25,19 @@ import (
 	"time"
 
 	"github.com/kelseyhightower/envconfig"
+	"github.com/submariner-io/admiral/pkg/configmap"
 	"github.com/submariner-io/admiral/pkg/http"
 	"github.com/submariner-io/admiral/pkg/log"
 	"github.com/submariner-io/admiral/pkg/log/kzerolog"
 	"github.com/submariner-io/admiral/pkg/names"
+	"github.com/submariner-io/admiral/pkg/resource"
 	"github.com/submariner-io/admiral/pkg/util"
 	admversion "github.com/submariner-io/admiral/pkg/version"
 	submarinerv1 "github.com/submariner-io/submariner/pkg/apis/submariner.io/v1"
 	"github.com/submariner-io/submariner/pkg/cidr"
 	submarinerClientset "github.com/submariner-io/submariner/pkg/client/clientset/versioned"
 	"github.com/submariner-io/submariner/pkg/globalnet/controllers"
-	"github.com/submariner-io/submariner/pkg/packetfilter"
-	"github.com/submariner-io/submariner/pkg/packetfilter/iptables"
+	pfconfigure "github.com/submariner-io/submariner/pkg/packetfilter/configure"
 	"github.com/submariner-io/submariner/pkg/versions"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/dynamic"
@@ -86,8 +87,14 @@ func main() {
 	dynClient, err := dynamic.NewForConfig(cfg)
 	logger.FatalOnError(err, "Unable to create dynamic client")
 
-	// Set packetfilter driver to iptables. Once nftables is available, we'll check which driver is supported.
-	packetfilter.SetNewDriverFn(iptables.New)
+	// set up signals so we handle the first shutdown signal gracefully
+	ctx := signals.SetupSignalHandler()
+
+	globalConfigMap, err := configmap.Get(ctx, resource.ForConfigMap(k8sClient, spec.Namespace), configmap.Global)
+	logger.FatalOnError(err, "Error retrieving the global ConfigMap")
+
+	err = pfconfigure.DriverFromConfigMap(globalConfigMap)
+	logger.FatalOnError(err, "Error configuring packet filter driver")
 
 	if spec.Uninstall {
 		logger.Info("Uninstalling submariner-globalnet")
@@ -100,9 +107,6 @@ func main() {
 
 	logger.Info("Starting submariner-globalnet", spec)
 
-	// set up signals so we handle the first shutdown signal gracefully
-	ctx := signals.SetupSignalHandler()
-
 	defer http.StartServer(http.Metrics|http.Profile, spec.MetricsPort)()
 
 	err = mcsv1a1.AddToScheme(scheme.Scheme)

pkg/packetfilter/configure/configure.go

@@ -0,0 +1,60 @@
+/*
+SPDX-License-Identifier: Apache-2.0
+
+Copyright Contributors to the Submariner project.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package configure
+
+import (
+	"strconv"
+
+	"github.com/pkg/errors"
+	"github.com/submariner-io/admiral/pkg/log"
+	"github.com/submariner-io/submariner/pkg/packetfilter"
+	"github.com/submariner-io/submariner/pkg/packetfilter/iptables"
+	"github.com/submariner-io/submariner/pkg/packetfilter/nftables"
+	corev1 "k8s.io/api/core/v1"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+const UseNftablesKey = "use-nftables"
+
+var logger = log.Logger{Logger: logf.Log.WithName("Packetfilter")}
+
+func DriverFromConfigMap(cm *corev1.ConfigMap) error {
+	useNftables := false
+
+	if cm != nil {
+		if value, ok := cm.Data[UseNftablesKey]; ok {
+			var err error
+
+			useNftables, err = strconv.ParseBool(value)
+			if err != nil {
+				return errors.Wrapf(err, "unable to parse %q from ConfigMap %q", UseNftablesKey, cm.Name)
+			}
+		}
+	}
+
+	if useNftables {
+		logger.Info("Using nftables packet filter driver")
+		packetfilter.SetNewDriverFn(nftables.New)
+	} else {
+		logger.Info("Using iptables packet filter driver")
+		packetfilter.SetNewDriverFn(iptables.New)
+	}
+
+	return nil
+}

pkg/packetfilter/configure/configure_suite_test.go

@@ -0,0 +1,119 @@
+/*
+SPDX-License-Identifier: Apache-2.0
+
+Copyright Contributors to the Submariner project.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package configure_test
+
+import (
+	"fmt"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/submariner-io/submariner/pkg/packetfilter"
+	"github.com/submariner-io/submariner/pkg/packetfilter/configure"
+	"github.com/submariner-io/submariner/pkg/packetfilter/iptables"
+	"github.com/submariner-io/submariner/pkg/packetfilter/nftables"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type DriverType int
+
+const (
+	IPTables DriverType = iota
+	NfTables
+)
+
+const defaultDriver = IPTables
+
+var _ = Describe("DriverFromConfigMap", func() {
+	var cm *corev1.ConfigMap
+
+	BeforeEach(func() {
+		cm = &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "config",
+			},
+			Data: map[string]string{},
+		}
+	})
+
+	When(configure.UseNftablesKey+" key is present", func() {
+		Context("and set to true", func() {
+			It("should set the nftables driver", func() {
+				cm.Data[configure.UseNftablesKey] = "true"
+				Expect(configure.DriverFromConfigMap(cm)).To(Succeed())
+				verifyDriverFn(NfTables)
+			})
+		})
+
+		Context("and set to false", func() {
+			It("should set the iptables driver", func() {
+				cm.Data[configure.UseNftablesKey] = "false"
+				Expect(configure.DriverFromConfigMap(cm)).To(Succeed())
+				verifyDriverFn(IPTables)
+			})
+		})
+	})
+
+	When(configure.UseNftablesKey+" key is not present", func() {
+		It("should set the default driver", func() {
+			Expect(configure.DriverFromConfigMap(cm)).To(Succeed())
+			verifyDriverFn(defaultDriver)
+		})
+	})
+
+	When("the Data map is nil", func() {
+		It("should set the default driver", func() {
+			cm.Data = nil
+			Expect(configure.DriverFromConfigMap(cm)).To(Succeed())
+			verifyDriverFn(defaultDriver)
+		})
+	})
+
+	When(configure.UseNftablesKey+" key value is invalid", func() {
+		It("should return an error", func() {
+			cm.Data[configure.UseNftablesKey] = "bogus"
+			Expect(configure.DriverFromConfigMap(cm)).ToNot(Succeed())
+		})
+	})
+
+	When("the ConfigMap is nil", func() {
+		It("should set the default driver", func() {
+			Expect(configure.DriverFromConfigMap(nil)).To(Succeed())
+			verifyDriverFn(defaultDriver)
+		})
+	})
+})
+
+func verifyDriverFn(dType DriverType) {
+	fnValue := func(v interface{}) string {
+		return fmt.Sprintf("%v", v)
+	}
+
+	if dType == NfTables {
+		Expect(fnValue(packetfilter.GetNewDriverFn())).To(Equal(fnValue(nftables.New)))
+	} else {
+		Expect(fnValue(packetfilter.GetNewDriverFn())).To(Equal(fnValue(iptables.New)))
+	}
+}
+
+func TestConfigure(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Configure Suite")
+}

pkg/packetfilter/packetfilter.go

@@ -308,16 +308,22 @@ type Interface interface {
 	UpdateChainRules(table TableType, chain string, rules []*Rule) error
 }
 
+type DriverFn func() (Driver, error)
+
 var (
-	newDriverFn   func() (Driver, error)
-	newDriverFnV6 func() (Driver, error)
+	newDriverFn   DriverFn
+	newDriverFnV6 DriverFn
 )
 
-func SetNewDriverFn(f func() (Driver, error)) {
+func SetNewDriverFn(f DriverFn) {
 	newDriverFn = f
 }
 
-func SetNewDriverFnV6(f func() (Driver, error)) {
+func GetNewDriverFn() DriverFn {
+	return newDriverFn
+}
+
+func SetNewDriverFnV6(f DriverFn) {
 	newDriverFnV6 = f
 }
 

pkg/routeagent_driver/main.go

@@ -27,21 +27,22 @@ import (
 
 	"github.com/kelseyhightower/envconfig"
 	"github.com/pkg/errors"
+	"github.com/submariner-io/admiral/pkg/configmap"
 	"github.com/submariner-io/admiral/pkg/http"
 	"github.com/submariner-io/admiral/pkg/log"
 	"github.com/submariner-io/admiral/pkg/log/kzerolog"
 	"github.com/submariner-io/admiral/pkg/names"
+	"github.com/submariner-io/admiral/pkg/resource"
 	"github.com/submariner-io/admiral/pkg/util"
 	admversion "github.com/submariner-io/admiral/pkg/version"
 	"github.com/submariner-io/admiral/pkg/watcher"
 	v1 "github.com/submariner-io/submariner/pkg/apis/submariner.io/v1"
 	submarinerClientset "github.com/submariner-io/submariner/pkg/client/clientset/versioned"
-	cni "github.com/submariner-io/submariner/pkg/cni"
+	"github.com/submariner-io/submariner/pkg/cni"
 	"github.com/submariner-io/submariner/pkg/event"
 	"github.com/submariner-io/submariner/pkg/event/controller"
 	"github.com/submariner-io/submariner/pkg/node"
-	packetfilter "github.com/submariner-io/submariner/pkg/packetfilter"
-	iptables "github.com/submariner-io/submariner/pkg/packetfilter/iptables"
+	pfconfigure "github.com/submariner-io/submariner/pkg/packetfilter/configure"
 	"github.com/submariner-io/submariner/pkg/routeagent_driver/cabledriver"
 	"github.com/submariner-io/submariner/pkg/routeagent_driver/environment"
 	"github.com/submariner-io/submariner/pkg/routeagent_driver/handlers/calico"
@@ -111,8 +112,11 @@ func main() {
 	restMapper, err := util.BuildRestMapper(cfg)
 	logger.FatalOnError(err, "Error building the REST mapper")
 
-	// Set packetfilter driver to iptables. Once nftables is available, we'll check which driver is supported.
-	packetfilter.SetNewDriverFn(iptables.New)
+	globalConfigMap, err := configmap.Get(ctx, resource.ForConfigMap(k8sClientSet, env.Namespace), configmap.Global)
+	logger.FatalOnError(err, "Error retrieving the global ConfigMap")
+
+	err = pfconfigure.DriverFromConfigMap(globalConfigMap)
+	logger.FatalOnError(err, "Error configuring packet filter driver")
 
 	np := os.Getenv("SUBMARINER_NETWORKPLUGIN")