Support Pod to Pod connectivity in Antrea Multi-cluster

[hjiajing]

Add a new field PodCIDRs in the ClusterInfo for a member cluster to export its Pod CIDRs to other clusters. antrea-agent adds flows to route traffic to remote cluster Pods through Gateway Nodes.

Signed-off-by: hujiajing [email protected]

[codecov]

Codecov Report

Merging #4219 (c588bdd) into main (0f77529) will increase coverage by 0.32%.
The diff coverage is 55.17%.

❗ Current head c588bdd differs from pull request most recent head 3d85046. Consider uploading reports for the commit 3d85046 to get more accurate results

@@            Coverage Diff             @@
##             main    #4219      +/-   ##
==========================================
+ Coverage   62.26%   62.58%   +0.32%     
==========================================
  Files         385      385              
  Lines       54501    55017     +516     
==========================================
+ Hits        33933    34433     +500     
- Misses      18069    18073       +4     
- Partials     2499     2511      +12     

Flag	Coverage Δ		*Carryforward flag
e2e-tests	39.63% <47.36%> (?)
integration-tests	34.84% <24.63%> (ø)		Carriedforward from 0f77529
kind-e2e-tests	48.16% <20.58%> (ø)		Carriedforward from 0f77529
unit-tests	43.86% <21.95%> (ø)		Carriedforward from 0f77529

*This pull request uses carry forward flags. Click here to find out more.

Impacted Files	Coverage Δ
multicluster/cmd/multicluster-controller/member.go	0.00% <0.00%> (ø)
...ulticluster/cmd/multicluster-controller/options.go	9.30% <0.00%> (ø)
pkg/ovs/openflow/ofctrl_meter.go	44.77% <0.00%> (ø)
pkg/agent/openflow/multicast.go	18.60% <13.33%> (-2.59%)	⬇️
pkg/agent/openflow/service.go	91.57% <40.00%> (+0.27%)	⬆️
pkg/ovs/openflow/ofctrl_bridge.go	78.18% <47.36%> (+2.06%)	⬆️
pkg/agent/openflow/client.go	73.02% <69.23%> (+1.16%)	⬆️
pkg/ovs/openflow/ofctrl_group.go	74.07% <72.72%> (+9.43%)	⬆️
...ter/controllers/multicluster/gateway_controller.go	62.40% <75.00%> (ø)
pkg/agent/multicluster/mc_route_controller.go	50.18% <100.00%> (-2.10%)	⬇️
... and 16 more

[luolanzone]

Hi @hjiajing your DCO info is missing, and the unit test is failed, please fix them.
The patch test coverage is lower than target, could you check if possible to improve it. thanks.

[luolanzone]

Could you check if this can handle empty PodCIDRs properly?

[luolanzone]

I feel this comment should be updated, this block also handles Node update case.
Can we compare existing CIDRs so we can skip refresh Gateway unnecessarily?

[hjiajing]

The reason I used node list rather than other annotations such as "lastUpdateTime" is that we will compare the node list to skip the unnecessary refresh in the updateActiveGateway method.

If we need to compare the CIDRs, maybe we need to set the store the CIDRs in the Gateway.Spec or Annotations. I'm not sure if it's necessary since we store it in the ClusterInfo.

[jianjuns]

Do you guys think we can just ask users to provide the PodCIDRs? I want not to add much complexity for auto-discovering Pod CIDRs? @luolanzone

[luolanzone]

Yes, I think this is also workable. Maybe add a config item clusterCIDRs the same as Antrea agent?

[jianjuns]

Yeah, maybe still podCIDRs for easier understanding.

[hjiajing]

@luolanzone @jianjuns Maybe we can add a new field PodCIDRs in struct options inmulticluster/cmd/multicluster-controller/options.go. And the user must edit the antrea-multicluster-member.yml to specify the CIDR.

The CIDR must be the cluster Pod CIDRs or a superset of it, should we add a check about it?

[jianjuns]

I think no need to check. But wonder if we should check no overlapping among clusters. At least we should check in each cluster that remote cluster CIDRs cannot overlap with the local cluster, and reject that import if it does overlap. We can do a separate PR for that.

[luolanzone]

@hjiajing Yes, I think a new option field is required for PodCIDRs, and you should also add a config item here https://github.com/antrea-io/antrea/blob/main/multicluster/apis/multicluster/v1alpha1/multiclusterconfig_types.go#L38.

[hjiajing]

@luolanzone Thanks for the reminder. The item PodCIDRs was added to MulticlusterConfig.

[hjiajing]

Hi @hjiajing your DCO info is missing, and the unit test is failed, please fix them. The patch test coverage is lower than target, could you check if possible to improve it. thanks.

Sure. I'll fix it. Thanks

[jianjuns]

LGTM

[luolanzone]

If you add all Pod CIDRs here like Service CIDR, I think it will also add a SNAT flow to perform SNAT for Pod-to-Pod connectivity, I feel it would be OK to keep the behavior consistent, but seems we didn't discuss this before. @jianjuns it this expected to do SNAT for Pod to Pod access?

[jianjuns]

I feel we can do SNAT for now. @luolanzone Maybe you can also reach to Tao to understand his requirements?

[luolanzone]

sure, @hjiajing let's do SNAT for 1.9, I will check with Tao for the details.

[luolanzone]

LGTM

[jianjuns]

/test-all

[jianjuns]

/test-multicluster-e2e

[jianjuns]

@hjiajing @luolanzone : this PR did not reach the UT coverage target. Could you check any way to improve?

[hjiajing]

@jianjuns Sure. I'll check and improve the unit test coverage.

[hjiajing]

@jianjuns I added some UT for the options.go. The coverage increased from 3% to 75% when I tested it locally. But the codecov report shows that it decreased by 6% and there are many files I didn't edit. I have reported this to Wenqi (He said he noticed it too)

[hjiajing]

@jianjuns I added some UT for the options.go. The coverage increased from 3% to 75% when I tested it locally. But the codecov report shows that it decreased by 6% and there are many files I didn't edit. I have reported this to Wenqi (He said he noticed it too)

@jianjuns Discussed with Wenqi. The total coverage decreased because some tests was still running, and some tests wasn't triggered. After more unit tests added, the unit test coverage of this PR is 93% reached the target now (70%)

[wenqiq]

@jianjuns I added some UT for the options.go. The coverage increased from 3% to 75% when I tested it locally. But the codecov report shows that it decreased by 6% and there are many files I didn't edit. I have reported this to Wenqi (He said he noticed it too)

**decov/patch ** — 93.75% of diff hit (target 70.00%)

Hi, @hjiajing After checking the Codecov links. I think you should just keep an eye on this patch/status data. And 93.75% is a good coverage rate.
The decreased coverage you see just now is caused by integration or e2e test cases that not ran completely thus the results are not uploaded to the Codecov.

[jianjuns]

Yes, the coverage rate is good now.

@luolanzone : do you have extra comments?

[jianjuns]

/test-all

[luolanzone]

@jianjuns no more comments from me. thanks.

[luolanzone]

Seems there are some problems with github checks. re-trigger test-all to see if it helps.
/test-all

[luolanzone]

LGTM

[hjiajing]

/test-all

[hjiajing]

/test-all

[hjiajing]

/test-all