Verify the status of required routes gateway periodically

[hty690]

Add checks to the routeClient. The required routes will be added back if they were
deleted unexpectedly. Add IP configuration check of the gateway to the agent.
An integration test is added to verify that the route will be added back correctly.

Fixes #627

[tnqn]

Please use upper cases for "IP", so do other places in this patch

[tnqn]

The nested loop is O(n^2), which may be bad in a cluster of thousands of nodes, especially when there are many other unknown routes configured on the node.
could you optimize it to O(n) by using a map?

[tnqn]

It's not very maintainable that the gw IP is configured in other place but resynced here and the module doesn't sound proper to manage the IP. Could you move it to the place where the gwIP was first configured by starting a goroutine there?

[tnqn]

please add license header

[tnqn]

I think networkpolicyonly mode shouldn't call this, why don't just start a goroutine calling util.ConfigureLinkAddresses after it's first called?

[tnqn]

Could this handling just be in the loop of c.nodeRoutes.Range? It doesn't seem necessary to construct a slice first

[tnqn]

please remove this

[codecov-io]

Codecov Report

Merging #2091 (808637f) into main (b88f39e) will increase coverage by 0.01%.
The diff coverage is 67.64%.

@@            Coverage Diff             @@
##             main    #2091      +/-   ##
==========================================
+ Coverage   61.05%   61.07%   +0.01%     
==========================================
  Files         270      270              
  Lines       20366    20410      +44     
==========================================
+ Hits        12435    12465      +30     
- Misses       6636     6642       +6     
- Partials     1295     1303       +8     

Flag	Coverage Δ
kind-e2e-tests	51.87% <67.64%> (+0.16%)	⬆️
unit-tests	41.36% <0.00%> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/util/net_linux.go	33.66% <ø> (ø)
pkg/agent/agent.go	47.86% <60.00%> (+0.14%)	⬆️
pkg/agent/route/route_linux.go	44.35% <68.96%> (+1.91%)	⬆️
pkg/ipfix/ipfix_process.go	81.81% <0.00%> (-18.19%)	⬇️
pkg/apiserver/handlers/endpoint/handler.go	58.82% <0.00%> (-11.77%)	⬇️
pkg/apiserver/certificate/certificate.go	69.86% <0.00%> (-6.85%)	⬇️
pkg/agent/flowexporter/exporter/exporter.go	69.45% <0.00%> (-1.61%)	⬇️
...ntroller/networkpolicy/networkpolicy_controller.go	70.00% <0.00%> (-0.13%)	⬇️
pkg/agent/controller/networkpolicy/cache.go	86.98% <0.00%> (+1.69%)	⬆️
pkg/controller/networkpolicy/status_controller.go	87.09% <0.00%> (+1.93%)	⬆️
... and 3 more

[tnqn]

When it gets here, this check has been done. And since L848 already configures link addresses, logically it's ok to just start a goroutine to do the periodical work without any check.

[tnqn]

It's impossible to be nil given L168.

[tnqn]

to reduce redundancy:

r, ok := routeMap[route.Dst.String()]
if ok && routeEqual(route, r) {
      continue
}
if err := netlink.RouteAdd(route); err != nil {
    klog.Errorf("Failed to add route to the gateway: %v", err)
    return false
}

[tnqn]

There might be race condition between syncRoutes and DeleteRoutes:
if DeleteRoutes has deleted actual routes and is about to delete the desired routes, syncRoutes may see that there are desired rules but no actual routes and add the routes back. Then the routes will going to be stale.

[antoninbas]

what is this doing?

[antoninbas]

Suggested change

	t.Fatalf(" failed to get encap mode, err %v", err)
	t.Fatalf("Failed to get encap mode, err %v", err)

[antoninbas]

I am not a big fan of including a test that long as we are trying to reduce the runtime of the e2e test suite
Any chance we can rely on an integration test instead, like we did for iptables rules reconciliation: #1751?

[codecov-commenter]

Codecov Report

Merging #2091 (e7aeaba) into main (b88f39e) will increase coverage by 0.17%.
The diff coverage is 58.06%.

@@            Coverage Diff             @@
##             main    #2091      +/-   ##
==========================================
+ Coverage   61.05%   61.23%   +0.17%     
==========================================
  Files         270      269       -1     
  Lines       20366    20451      +85     
==========================================
+ Hits        12435    12523      +88     
+ Misses       6636     6633       -3     
  Partials     1295     1295              

Flag	Coverage Δ
kind-e2e-tests	52.07% <58.06%> (+0.36%)	⬆️
unit-tests	41.42% <0.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/util/net_linux.go	33.66% <ø> (ø)
pkg/agent/agent.go	47.74% <50.00%> (+0.02%)	⬆️
pkg/agent/route/route_linux.go	43.63% <59.25%> (+1.18%)	⬆️
pkg/apiserver/certificate/certificate.go	69.86% <0.00%> (-6.85%)	⬇️
pkg/antctl/raw/traceflow/command.go	23.82% <0.00%> (-1.92%)	⬇️
...ntroller/networkpolicy/networkpolicy_controller.go	69.35% <0.00%> (-0.78%)	⬇️
...agent/controller/traceflow/traceflow_controller.go	72.95% <0.00%> (-0.33%)	⬇️
pkg/agent/flowexporter/connections/connections.go	76.05% <0.00%> (-0.17%)	⬇️
pkg/antctl/antctl.go	100.00% <0.00%> (ø)
pkg/ipfix/ipfix_process.go	100.00% <0.00%> (ø)
... and 14 more

[tnqn]

This would introduce new issue that the routes won't be removed if the first attempt fails.
I think it can add the remaining routes back to the cache when it fails, so it can retry to remove them later.

[tnqn]

It should use RouteReplace, otherwise it will always fail when there is already a route that doesn't match

[tnqn]

this updates don't seem related

[tnqn]

Isn't the first condition redundant? And it doesn't seem necessary to add a case that will be skipped. But maybe it could check whatever the original route is (a valid route or nil), after removing the route and a sync loop, it can get the same route, instead of checking the route is not empty

[hty690]

The first condition is redundant. But the second is to avoid error when executing "ip route del" on nonexistent route since in that case the route will not be added according to https://github.com/vmware-tanzu/antrea/blob/3335e734071894f70a9ab33c734799f56c049689/pkg/agent/route/route_linux.go#L541

[tnqn]

Then why the case is even added to TestSyncRoute if it's skipped anyway? I think it should either remove the 3rd case and the mode check, or be more generic: only call "ip route del" if "expOutput" is not empty, so that the test works for all cases and don't have to check mode.

[tnqn]

		assert.NoError(t, err, "error executing ip route command: %s", listCmd)

                if len(expOutput) > 0 {
		        delCmd := fmt.Sprintf("ip route del %s", expOutput)
		        _, err = exec.Command("bash", "-c", delCmd).Output()
		        assert.NoError(t, err, "error executing ip route command: %s", delCmd)
                }

[tnqn]

/test-all

[tnqn]

LGTM