[BUG][LP#2032438] Restart cilium workloads when service-cidr changes (#…

…10)

* Patch Deployment and DaemonSet

* reblack, remove 1.12.13 since it has no effect yet

---------

Co-authored-by: Mateo <mateo.florido@canonical.com>

src/charm.py

@@ -117,6 +117,7 @@ def _configure_cilium(self, event):
     def _configure_cilium_cni(self, event):
         try:
             self.unit.status = MaintenanceStatus("Applying Cilium resources.")
+            self.cilium_manifests.service_cidr = self._get_service_cidr()
             self.cilium_manifests.apply_manifests()
         except (ManifestClientError, ConnectError):
             return self._ops_wait_for(
@@ -188,6 +189,12 @@ def _get_service_status(self, service_name):
         """Check if service is active, returns 0 on success, otherwise non-zero value."""
         return subprocess.call(["systemctl", "is-active", service_name])
 
+    def _get_service_cidr(self):
+        for relation in self.model.relations["cni"]:
+            for unit in relation.units:
+                if cidr := relation.data[unit].get("service-cidr"):
+                    return cidr
+
     def _install_cli_resources(self):
         self._manage_port_forward_service()
         try:

src/cilium_manifests.py

@@ -1,7 +1,9 @@
 """Implementation of Cilium Manifests manager."""
 
+import hashlib
+import json
 import logging
-from typing import Dict
+from typing import Dict, Optional
 
 from ops.manifests import ConfigRegistry, ManifestLabel, Manifests, Patch
 
@@ -95,6 +97,30 @@ def __call__(self, obj) -> None:
         data.update(values)
 
 
+class PatchCDKOnRelationChange(Patch):
+    """Patch Deployments/Daemonsets to be apart of cdk-restart-on-ca-change.
+
+    * adding the config hash as an annotation
+    * adding a cdk restart label
+    """
+
+    def __call__(self, obj) -> None:
+        """Modify the cilium-operator Deployment and cilium DaemonSet."""
+        if obj.kind not in ["Deployment", "DaemonSet"]:
+            return
+
+        title = f"{obj.kind}/{obj.metadata.name.title().replace('-', ' ')}"
+        log.info(f"Patching {title} cdk-restart-on-ca-changed label.")
+        label = {"cdk-restart-on-ca-change": "true"}
+        obj.metadata.labels = obj.metadata.labels or {}
+        obj.metadata.labels.update(label)
+
+        log.info(f"Adding hash to {title}.")
+        obj.spec.template.metadata.annotations = {
+            "juju.is/manifest-hash": self.manifests.config_hash
+        }
+
+
 class SetIPv4CIDR(Patch):
     """Configure IPv4 CIDR and Node Mask."""
 
@@ -111,10 +137,12 @@ def __call__(self, obj) -> None:
 class CiliumManifests(Manifests):
     """Deployment manager for the Cilium charm."""
 
-    def __init__(self, charm, charm_config, hubble_metrics):
+    def __init__(self, charm, charm_config, hubble_metrics, service_cidr: Optional[str] = None):
+        self.service_cidr = service_cidr
         manipulations = [
             ConfigRegistry(self),
             ManifestLabel(self),
+            PatchCDKOnRelationChange(self),
             PatchCiliumDaemonSetAnnotations(self),
             PatchCiliumOperatorAnnotations(self),
             PatchPrometheusConfigMap(self),
@@ -130,10 +158,23 @@ def __init__(self, charm, charm_config, hubble_metrics):
     def config(self) -> Dict:
         """Returns config mapped from charm config and joined relations."""
         config = dict(**self.charm_config)
+        config["service-cidr"] = self.service_cidr
 
         for key, value in dict(**config).items():
             if value == "" or value is None:
                 del config[key]
 
         config["release"] = config.pop("release", None)
         return config
+
+    @property
+    def config_hash(self) -> str:
+        """Return the configuration SHA256 hash from the charm config.
+
+        Returns:
+            str: The SHA256 hash
+        """
+        json_str = json.dumps(self.config, sort_keys=True)
+        hash = hashlib.sha256()
+        hash.update(json_str.encode())
+        return hash.hexdigest()