[refactor] make BGP peer and secret management system event-driven

[aritrbas]

Summary

This PR refactors the BGP peer and secret management system from a tightly-coupled handler-based architecture to a loosely-coupled event-driven system.

Changes by Component

1. PeerWatcher (watchers/peers_watcher.go)

• Added local peer cache: cachedPeers map[string]calicov3.BGPPeer
• Added granular events:
  • PeerAdded - single new peer added
  • PeerUpdated - single existing peer updated
  • PeerDeleted - single existing peer deleted
  • PeersChanged - for initial state reconciliation only
• Updates SecretWatcher proactively on peer list changes
• Achieves O(1) cache lookups instead of O(N) API list calls

---

2. SecretWatcher (watchers/secret_watcher.go)

• Removed GetSecret() method (blocking) with events
• Removed SweepStale() method (replaced with OnPeerListUpdated)
• Emits granular events:
  • SecretAdded - new secret available
  • SecretChanged - existing secret modified
  • SecretDeleted - existing secret removed
• Proactive secret watching via OnPeerListUpdated() - starts watches when peers are added
• Automatic cleanup of stale secret watches when peers are deleted

---

3. PeerHandler (routing/peer_handler.go)

• Added local secret cache: secretCache map[string]map[string]string
• Added granular peer event handlers:
  • OnPeerAdded(peer) - O(1) processing for single peer
  • OnPeerUpdated(old, new) - O(1) diff and update
  • OnPeerDeleted(peer) - O(1) removal
• Added granular secret event handlers:
  • OnSecretAdded(secretData) - cache secret locally
  • OnSecretChanged(secretName) - mark affected peers for update
  • OnSecretDeleted(secretName) - remove from cache
• Added ProcessPeers() for initial reconciliation only

---

4. FelixServer (felix/felix_server.go)

• Registered for new event types: PeersChanged, PeerAdded, PeerUpdated, PeerDeleted, SecretAdded, SecretChanged, SecretDeleted
• Acts as an event coordinator (no business logic); routes events to appropriate PeerHandler methods

---

Made the changes on top of the nsk-split-svc branch for now, will rebase on top of master once those commits for single thread agent are merged.

[sknat]

Many thanks for taking a stab at this !
A couple comments inline, I think there is still room for more untangling of the logic.
Tell me if anything sounds unclear

[sknat]

Instead of passing a handler here, could we emit events ?
i.e.

felixServer.GetFelixServerEventChan() <- &common.ProcessPeers{peers.Items}

and in the felixServer main loop explicitly calling handlers

func (s *Server) handleFelixServerEvents(msg interface{}) (err error) {
...
case *common.ProcessPeers:
		s.peerHandler.ProcessPeers(evt)

[sknat]

This would then be an event

[sknat]

Same thing here, we could make OnSecretChanged be an event,
that way we wouldn't have to keep a reference to the handler here

[sknat]

I think this shouldn't be needed anymore :
Before it was more convenient to call resyncPeers() as this was doing both scanning, and constituting the local cache of Peers+Secrets.
But now that the reconstitution is done in the handlers, we can do everything there, and maybe call the same code in both cases (peerChanged & secretChanged)

[sknat]

If we rely on the fact that the peerWatcher does not need to be informed when the secret changes, and we make a common.OnSecretChanged towards the felix server, we could remove the need to have keep a sw.handler reference.

We could simply

eventChan <- &common.OnSecretChanged{...}

[sknat]

We could probably remove the reference to the secretWatcher by adding a secret store in the peerHandler. We could create events emitted by the secretWatcher

common.SecretAdded{...}
common.SecretDelete{...}

that would be received in the felixServer event loop,
call felix.peerHandler.OnSecret{Added,Deleted}(evt)
which would update a local cache map.

Below h.secretWatcher.GetSecret(secretName, secretKey) just becomes a lookup in the map in question

[sknat]

I think for simplicity, if we remove the need for handler's registration by introducing events
we could instantiate the secretWatcher directly here
i.e.

secretWatcher: watchers.NewSecretWatcher(k8sclient, log.WithFields(logrus.Fields{"component": "secret-watcher"}))

[sknat]

Could we make this w.secretWatcher.OnPeerListUpdated(peers.Items) and have the sweep logic in the secret watcher ?

[sknat]

Following on the comment above, we could directly start watching for secrets when OnPeerListUpdated() is called with a new Peer that has secrets attached.

And emit events when we receive the secret's contents.

[sknat]

Now that we have an isolated watcher, we could implement the watch logic :

• we would cache the list of peers locally on the peerWatcher
• when update/delete/create happens, we update the list, and send a copy as an event over the eventChan

We only resort to listing again if an error happens

[sknat]

Further simplification would be to send separated events for ADD/DEL/UPD over the eventchan, but this will require changing the handler's logic which might be beyond the scope of this PR