bpfman-operator: Support Load/Attach Split

[anfredette]

This commit introduces support for bpfman’s load-attach split from bpfman PR
#1354 and includes major
refactoring and CRD changes to align with this new model.

Key Changes:

• Remove "*Program" CRDs and related code in favor of the BpfApplication CRD,
  which can contain multiple eBPF programs.
• Replace BpfProgram CRD with BpfApplicationState, which stores per-node state
  information for all eBPF programs in a BpfApplication.
• Rename CRDs for better alignment with Kubernetes conventions:
  • BpfApplication => ClusterBpfApplication (Cluster-scoped)
  • BpfNsApplication => BpfApplication (Namespace-scoped)
• The BpfApplication CRDs have been modified to include an optional list of
  attach points for each program, enabling pre-loading programs before
  attachment and supporting dynamic attachment updates.
• Redesign the bpfman-agent controller to natively support BpfApplications.

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 740 lines in your changes missing coverage. Please review.

Please upload report for BASE (main@adda074). Learn more about missing BASE report.
Report is 7 commits behind head on main.

Files with missing lines	Patch %	Lines
apis/v1alpha1/zz_generated.deepcopy.go	0.00%	651 Missing ⚠️
apis/v1alpha1/shared_types.go	0.00%	34 Missing ⚠️
cmd/bpfman-operator/main.go	0.00%	16 Missing ⚠️
apis/v1alpha1/bpf_application_state_types.go	0.00%	14 Missing ⚠️
...is/v1alpha1/cluster_bpf_application_state_types.go	0.00%	14 Missing ⚠️
apis/v1alpha1/zz_generated.register.go	0.00%	6 Missing ⚠️
cmd/bpfman-agent/main.go	0.00%	5 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #347   +/-   ##
=======================================
  Coverage        ?   31.27%           
=======================================
  Files           ?       66           
  Lines           ?     7630           
  Branches        ?        0           
=======================================
  Hits            ?     2386           
  Misses          ?     5028           
  Partials        ?      216           

Flag	Coverage Δ
unittests	31.27% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[anfredette]

All of the examples will need to be updated with the new CRD format before the Kubernetes integration tests will pass.

[mergify]

@anfredette, this pull request is now in conflict and requires a rebase.

[mergify]

@anfredette, this pull request is now in conflict and requires a rebase.

[mergify]

@anfredette, this pull request is now in conflict and requires a rebase.

[anfredette]

This is still a WIP, but it's working for cluster-scoped XDP programs.

Here's a sample of the kubectl output from installing and deleting an XDP program:
https://gist.github.com/anfredette/4433aaa58518db5d4d14ed2bf4218f55

If you're looking at the code, the new operator and agent code is in the app-operator and app-agent directories, while the old code is still in bpfman-operator and bpfman-agent. I plan to eventually delete the old directories and rename the new ones, but I'm keeping the old code around for comparison and to pull from as needed.

[mergify]

@anfredette, this pull request is now in conflict and requires a rebase.

[mergify]

@anfredette, this pull request is now in conflict and requires a rebase.

[dave-tucker]

Some feedback on the API. The naming comments we can probably handle in a follow up as this API change isn't going to be backwards compatible anyway.
We should however fix the fentry/fexit and preferably drop type: Xdp before merge IMHO

[dave-tucker]

We agreed this would be BpfApplication and ClusterBpfApplication
But IIRC we wanted to get Billy's change in first before we changed the naming since this API change is the breaking one.

[anfredette]

Done

[dave-tucker]

So this would then be ClusterBpfApplicationState

[anfredette]

Done

[dave-tucker]

I really don't like bpffunctioname. It should either be bpfFunctionName or just functionName since we're in a Bpf CRD.. or hey, even just function

[anfredette]

We made it "bpffunctionname" after much discussion a while back when we started using the bpf function name instead of a name defined in the section declaration. We also wanted to disambiguate this function name from the name of the function that some bpf programs attach to.

That said, I don't like it either :-). I changed "bpfunctionname" to just "name", and the "func_name" and "function_name" to just "function".

[dave-tucker]

Just wondering, is case significant here? It seems to me that kprobe or KPROBE or Kprobe should probably work. I'd prefer to use the lowercase version.

[anfredette]

Yes and no. Left unchecked, I don't think Kubernetes would care, but it is case sensitive in that kubernetes passes these values through to the controller code in the case that the user enters them. However, we also have validation logic that only allows one case, so in our case (no pun intended) it is case sensitive. If we wanted to support case insensitivity, we'd have to handle it in our code.

I made everything lower case. We can disuss whether to use camelCase instead.

[dave-tucker]

Do we need to expose type here?
It can be inferred based on which of the optional fields are set so it seems redundant

[anfredette]

This is implemented this as union, and Type is the "unionDiscriminator". This tells us which of the "unionMembers" will be populated, and validation logic ensures that if the Type is X, the program info for X is populated. @msherif1234 used this pattern for the original BpfApplication CRD. There may be another way to implement the API, but this works.

[dave-tucker]

I think this should be links as we're expressing desired state.
The verb might be attach, but we're expecting links in the end.

[anfredette]

Done

[dave-tucker]

👀 inconsistent rules re: casing. k8s CRDs are supposed to be camelCase

[anfredette]

Is the JSON representation supposed to be camelCase?

[dave-tucker]

as above: funcName

[anfredette]

It's now just function

[dave-tucker]

interfaceSelector. I'm not going to comment on this anymore.
We seriously need to take a pass through the API to fix the inconsistencies.
We can do that in this PR, or later

[dave-tucker]

Suggested change

	- bpffunctionname: fentry_test
	type: Fentry
	fentry:
	function_name: do_unlinkat
	attach: true
	- function: fentry_test
	fentry:
	links:
	- function_name: do_unlinkat

This shouldn't deviate from the pattern in the other program types.
The fact we need the fn_name for load() and we can only attach it to one place are implementation details we shouldn't be exposing in the API.

[anfredette]

Fentry and Fexit now follow the same pattern (mostly).

[mergify]

@anfredette, this pull request is now in conflict and requires a rebase.

[msherif1234]

not sure about renaming the agent files with cl is that for clusterscope ?

[msherif1234]

I don't know why u deleted the kproberet and uproberet program types ?

[anfredette]

They weren't being used.

[msherif1234]

we no longer have an object called BpfProgram so we should avoid using it everywhere in code and comments

[anfredette]

I got rid of a lot of it, but there's still more work to do.

[msherif1234]

nit no need to check the len range will handle that

[anfredette]

Done.

[anfredette]

not sure about renaming the agent files with cl is that for clusterscope ?

Yes. I was planning to rename things as follows:
cluster-scoped related files: cl_*
namespace-scoped related files: ns_*