[41867] Part 3: Add subnet config watcher with stateDB and BPF map sync

[anubhabMajumdar]

Description

The motivation behind adding a new routing mode is discussed in this CFP .

Part-1 : #41868
Part-2 : #43631

This PR introduces subnet-to-identity mapping infrastructure in control plane to support hybrid
routing mode in Cilium. We introduce a StateDB for caching and reconciliation, with a
Kubernetes ConfigMap-driven configuration model. The stateDB data is sync'd to already introduce eBPF map.

Key Changes

This PR adds infrastructure for subnet-to-identity mapping in hybrid routing mode:

• Add RoutingModeHybrid constant to routing mode options
• Implement cilium_subnet_map under pkg/maps
  • Support for both IPv4 and IPv6 address families
  • SubnetMapKey/SubnetMapValue structures synced with bpf/lib/subnet.h
• Add subnet-identities StateDB table to cache subnet topology
  • Register reconciler to sync table entries to BPF map
  • Integration with maps cell module
• Implement subnet ConfigMap watcher in pkg/subnet
  • Parse and validate subnet configuration from ConfigMap
  • Automatic propagation of changes to StateDB
• Add script commands for map dumping and debugging

Testing Done

• Unit tests for BPF map key/value serialization and operations
• E2e script-based tests validating full flow: ConfigMap → StateDB → BPF map
• Verified subnet entry reconciliation and status tracking manually
• Tested both IPv4 and IPv6 subnet configurations

$ PRIVILEGED_TESTS=true go test -v -exec "sudo -E" ./pkg/subnet
=== RUN   TestPrivilegedScript
=== RUN   TestPrivilegedScript/subnet.txtar
...
--- PASS: TestPrivilegedScript (0.00s)
    --- PASS: TestPrivilegedScript/subnet.txtar (0.05s)
PASS
ok      github.com/cilium/cilium/pkg/subnet     0.092s

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

Fixes: #41867

[anubhabMajumdar]

Hey @gandro Thanks for your review on #41405 . I have incorporated all your feedback here. Would love to get your feedback on this PR. Thanks!

[julianwiedmann]

👋 mind addressing the test gaps in the datapath first, so that we can chase down bugs without needing the whole controlplane / e2e tests?

[anubhabMajumdar]

👋 mind addressing the test gaps in the datapath first, so that we can chase down bugs without needing the whole controlplane / e2e tests?

#43631 adds the bpf tests. Thanks!

[gandro]

Thanks! Overall looks okay to me, some minor things that I noticed in a first pass through.

[anubhabMajumdar]

@gandro Thanks for the review; addressed your comments and left one open for discussion.

[anubhabMajumdar]

/test

[anubhabMajumdar]

/test

[anubhabMajumdar]

/ci-gateway-api

[anubhabMajumdar]

/ci-ginkgo

[anubhabMajumdar]

The ci-ginkgo test seems to fail due to different reason unrelated to this change.

[smagnani96]

LGTM, thanks 💯
Left one conversation open just to make sure we're not causing disruptions.
(In case, I expect we will catch it in subsequent PRs where we will test this in CI).