Add configuration toggle to enable FlowExporter (#5021)

1. Non-backwards compatible changes to the Helm chart: a. Change name flowCollector to flowExporter. b. FlowExporter-related values have all been moved under the flowExporter dictionary. 2. Add changes to the Antrea Agent config: FlowExporter-related fields are now grouped under the flowExporter key. Previous parameters are still supported but are considered deprecated, and will be removed in a future release. 3. Update network-flow-visibility.md Signed-off-by: Yun-Tang Hsu <[email protected]>
antrea-io · May 31, 2023 · 7688240 · 7688240
1 parent 141224a
commit 7688240
Show file tree

Hide file tree

Showing 13 changed files with 381 additions and 276 deletions.
diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
@@ -71,10 +71,11 @@ Kubernetes: `>= 1.16.0-0`
 | egress.maxEgressIPsPerNode | int | `255` | The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255. |
 | enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. |
 | featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. |
-| flowCollector.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. |
-| flowCollector.collectorAddr | string | `"flow-aggregator/flow-aggregator:4739:tls"` | IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>]. If the collector is running in-cluster as a Service, set <HOST> to <Service namespace>/<Service name>. |
-| flowCollector.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. |
-| flowCollector.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. |
+| flowExporter.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. |
+| flowExporter.enable | bool | `false` | Enable the flow exporter feature. |
+| flowExporter.flowCollectorAddr | string | `"flow-aggregator/flow-aggregator:4739:tls"` | IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>]. If the collector is running in-cluster as a Service, set <HOST> to <Service namespace>/<Service name>. |
+| flowExporter.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. |
+| flowExporter.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. |
 | hostGateway | string | `"antrea-gw0"` | Name of the interface antrea-agent will create and use for host <-> Pod communication. |
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"antrea/antrea-ubuntu","tag":""}` | Container image to use for Antrea components. |
 | ipsec.authenticationMode | string | `"psk"` | The authentication mode to use for IPsec. Must be one of "psk" or "cert". |

diff --git a/build/charts/antrea/conf/antrea-agent.conf b/build/charts/antrea/conf/antrea-agent.conf
@@ -193,37 +193,46 @@ apiPort: {{ .Values.agent.apiPort }}
 # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
 enablePrometheusMetrics: {{ .Values.agent.enablePrometheusMetrics }}
 
-# Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
-# HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
-# using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
-# wrapped with []. When the collector is running in-cluster as a Service, set
-# <HOST> to <Service namespace>/<Service name>. For example,
-# "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
-# Flow Aggregator Service.
-# If PORT is empty, we default to 4739, the standard IPFIX port.
-# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
-# "udp" protocols. "tls" is used for securing communication between flow exporter and
-# flow aggregator.
-flowCollectorAddr: {{ .Values.flowCollector.collectorAddr | quote }}
-
-# Provide flow poll interval as a duration string. This determines how often the
-# flow exporter dumps connections from the conntrack module. Flow poll interval
-# should be greater than or equal to 1s (one second).
-# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-flowPollInterval: {{ .Values.flowCollector.flowPollInterval | quote }}
-
-# Provide the active flow export timeout, which is the timeout after which a flow
-# record is sent to the collector for active flows. Thus, for flows with a continuous
-# stream of packets, a flow record will be exported to the collector once the elapsed
-# time since the last export event is equal to the value of this timeout.
-# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-activeFlowExportTimeout: {{ .Values.flowCollector.activeFlowExportTimeout | quote }}
-
-# Provide the idle flow export timeout, which is the timeout after which a flow
-# record is sent to the collector for idle flows. A flow is considered idle if no
-# packet matching this flow has been observed since the last export event.
-# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-idleFlowExportTimeout: {{ .Values.flowCollector.idleFlowExportTimeout | quote }}
+
+flowExporter:
+  {{- with .Values.flowExporter }}
+  # Enable FlowExporter, a feature used to export polled conntrack connections as
+  # IPFIX flow records from each agent to a configured collector. To enable this
+  # feature, you need to set "enable" to true, and ensure that the FlowExporter
+  # feature gate is also enabled.
+  enable: {{ .enable }}
+  # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
+  # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
+  # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
+  # wrapped with []. When the collector is running in-cluster as a Service, set
+  # <HOST> to <Service namespace>/<Service name>. For example,
+  # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
+  # Flow Aggregator Service.
+  # If PORT is empty, we default to 4739, the standard IPFIX port.
+  # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+  # "udp" protocols. "tls" is used for securing communication between flow exporter and
+  # flow aggregator.
+  flowCollectorAddr: {{ .flowCollectorAddr | quote }}
+
+  # Provide flow poll interval as a duration string. This determines how often the
+  # flow exporter dumps connections from the conntrack module. Flow poll interval
+  # should be greater than or equal to 1s (one second).
+  # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+  flowPollInterval: {{ .flowPollInterval | quote }}
+
+  # Provide the active flow export timeout, which is the timeout after which a flow
+  # record is sent to the collector for active flows. Thus, for flows with a continuous
+  # stream of packets, a flow record will be exported to the collector once the elapsed
+  # time since the last export event is equal to the value of this timeout.
+  # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+  activeFlowExportTimeout: {{ .activeFlowExportTimeout | quote }}
+
+  # Provide the idle flow export timeout, which is the timeout after which a flow
+  # record is sent to the collector for idle flows. A flow is considered idle if no
+  # packet matching this flow has been observed since the last export event.
+  # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+  idleFlowExportTimeout: {{ .idleFlowExportTimeout | quote }}
+{{- end }}
 
 nodePortLocal:
 {{- with .Values.nodePortLocal }}

diff --git a/build/charts/antrea/values.yaml b/build/charts/antrea/values.yaml
@@ -298,11 +298,13 @@ controller:
       requests:
         cpu: "200m"
 
-flowCollector:
+flowExporter:
+  # -- Enable the flow exporter feature.
+  enable: false
   # -- IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
   # If the collector is running in-cluster as a Service, set <HOST> to
   # <Service namespace>/<Service name>.
-  collectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
+  flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
   # -- Determines how often the flow exporter polls for new connections.
   flowPollInterval: "5s"
   # -- timeout after which a flow record is sent to the collector for active

diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -3159,37 +3159,44 @@ data:
     # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
     enablePrometheusMetrics: true
 
-    # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
-    # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
-    # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
-    # wrapped with []. When the collector is running in-cluster as a Service, set
-    # <HOST> to <Service namespace>/<Service name>. For example,
-    # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
-    # Flow Aggregator Service.
-    # If PORT is empty, we default to 4739, the standard IPFIX port.
-    # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
-    # "udp" protocols. "tls" is used for securing communication between flow exporter and
-    # flow aggregator.
-    flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
 
-    # Provide flow poll interval as a duration string. This determines how often the
-    # flow exporter dumps connections from the conntrack module. Flow poll interval
-    # should be greater than or equal to 1s (one second).
-    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-    flowPollInterval: "5s"
+    flowExporter:
+      # Enable FlowExporter, a feature used to export polled conntrack connections as
+      # IPFIX flow records from each agent to a configured collector. To enable this
+      # feature, you need to set "enable" to true, and ensure that the FlowExporter
+      # feature gate is also enabled.
+      enable: false
+      # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
+      # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
+      # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
+      # wrapped with []. When the collector is running in-cluster as a Service, set
+      # <HOST> to <Service namespace>/<Service name>. For example,
+      # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
+      # Flow Aggregator Service.
+      # If PORT is empty, we default to 4739, the standard IPFIX port.
+      # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+      # "udp" protocols. "tls" is used for securing communication between flow exporter and
+      # flow aggregator.
+      flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
 
-    # Provide the active flow export timeout, which is the timeout after which a flow
-    # record is sent to the collector for active flows. Thus, for flows with a continuous
-    # stream of packets, a flow record will be exported to the collector once the elapsed
-    # time since the last export event is equal to the value of this timeout.
-    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-    activeFlowExportTimeout: "5s"
+      # Provide flow poll interval as a duration string. This determines how often the
+      # flow exporter dumps connections from the conntrack module. Flow poll interval
+      # should be greater than or equal to 1s (one second).
+      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+      flowPollInterval: "5s"
 
-    # Provide the idle flow export timeout, which is the timeout after which a flow
-    # record is sent to the collector for idle flows. A flow is considered idle if no
-    # packet matching this flow has been observed since the last export event.
-    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-    idleFlowExportTimeout: "15s"
+      # Provide the active flow export timeout, which is the timeout after which a flow
+      # record is sent to the collector for active flows. Thus, for flows with a continuous
+      # stream of packets, a flow record will be exported to the collector once the elapsed
+      # time since the last export event is equal to the value of this timeout.
+      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+      activeFlowExportTimeout: "5s"
+
+      # Provide the idle flow export timeout, which is the timeout after which a flow
+      # record is sent to the collector for idle flows. A flow is considered idle if no
+      # packet matching this flow has been observed since the last export event.
+      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+      idleFlowExportTimeout: "15s"
 
     nodePortLocal:
     # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
@@ -4364,7 +4371,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7b3f20e4be884c2def359ef222cf07498761ff76b66e893d9afa325761354c9f
+        checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65
       labels:
         app: antrea
         component: antrea-agent
@@ -4605,7 +4612,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7b3f20e4be884c2def359ef222cf07498761ff76b66e893d9afa325761354c9f
+        checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65
       labels:
         app: antrea
         component: antrea-controller

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -3159,37 +3159,44 @@ data:
     # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
     enablePrometheusMetrics: true
 
-    # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
-    # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
-    # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
-    # wrapped with []. When the collector is running in-cluster as a Service, set
-    # <HOST> to <Service namespace>/<Service name>. For example,
-    # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
-    # Flow Aggregator Service.
-    # If PORT is empty, we default to 4739, the standard IPFIX port.
-    # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
-    # "udp" protocols. "tls" is used for securing communication between flow exporter and
-    # flow aggregator.
-    flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
 
-    # Provide flow poll interval as a duration string. This determines how often the
-    # flow exporter dumps connections from the conntrack module. Flow poll interval
-    # should be greater than or equal to 1s (one second).
-    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-    flowPollInterval: "5s"
+    flowExporter:
+      # Enable FlowExporter, a feature used to export polled conntrack connections as
+      # IPFIX flow records from each agent to a configured collector. To enable this
+      # feature, you need to set "enable" to true, and ensure that the FlowExporter
+      # feature gate is also enabled.
+      enable: false
+      # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
+      # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
+      # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
+      # wrapped with []. When the collector is running in-cluster as a Service, set
+      # <HOST> to <Service namespace>/<Service name>. For example,
+      # "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
+      # Flow Aggregator Service.
+      # If PORT is empty, we default to 4739, the standard IPFIX port.
+      # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+      # "udp" protocols. "tls" is used for securing communication between flow exporter and
+      # flow aggregator.
+      flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
 
-    # Provide the active flow export timeout, which is the timeout after which a flow
-    # record is sent to the collector for active flows. Thus, for flows with a continuous
-    # stream of packets, a flow record will be exported to the collector once the elapsed
-    # time since the last export event is equal to the value of this timeout.
-    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-    activeFlowExportTimeout: "5s"
+      # Provide flow poll interval as a duration string. This determines how often the
+      # flow exporter dumps connections from the conntrack module. Flow poll interval
+      # should be greater than or equal to 1s (one second).
+      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+      flowPollInterval: "5s"
 
-    # Provide the idle flow export timeout, which is the timeout after which a flow
-    # record is sent to the collector for idle flows. A flow is considered idle if no
-    # packet matching this flow has been observed since the last export event.
-    # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-    idleFlowExportTimeout: "15s"
+      # Provide the active flow export timeout, which is the timeout after which a flow
+      # record is sent to the collector for active flows. Thus, for flows with a continuous
+      # stream of packets, a flow record will be exported to the collector once the elapsed
+      # time since the last export event is equal to the value of this timeout.
+      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+      activeFlowExportTimeout: "5s"
+
+      # Provide the idle flow export timeout, which is the timeout after which a flow
+      # record is sent to the collector for idle flows. A flow is considered idle if no
+      # packet matching this flow has been observed since the last export event.
+      # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+      idleFlowExportTimeout: "15s"
 
     nodePortLocal:
     # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
@@ -4364,7 +4371,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7b3f20e4be884c2def359ef222cf07498761ff76b66e893d9afa325761354c9f
+        checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65
       labels:
         app: antrea
         component: antrea-agent
@@ -4606,7 +4613,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7b3f20e4be884c2def359ef222cf07498761ff76b66e893d9afa325761354c9f
+        checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65
       labels:
         app: antrea
         component: antrea-controller