Improve direct connections to Antrea API in antctl #5135

Commits on Jun 20, 2023

  1. Improve direct connections to Antrea API in antctl

    For some commands (get featuregates, supportbundle, proxy), antctl
    connects directly to the Agent / Controller API when it is run from
    outside of the cluster.
    
    We try to address some shortcomings in the implementation:
    
    1) Antctl was giving priority to the Node's InternalIP to determine how
       to connect to the API. This doesn't work when the machine on which
       antctl runs doesn't have connectivity to the InternalIP (e.g., if I
       am running antctl on my laptop and Antrea is installed in an EKS
       cluster). To fix this issue, we instead give priority to the Node's
       ExternalIP.
    2) The connections were always "insecure" (no TLS verification). To fix
       this we need to retrieve the correct CA certificate and use it in the
       client TLS config. For the Controller, the CA certificate is
       available in the kube-system/antrea-ca ConfigMap, which is easy to
       retrieve. For the Agent, the self-signed certificate is now published
       as part of the AntreaAgentInfo CRD (field name APICertData), and
       hence is available to antctl. We use `[]byte` as the field type as it
       feels more common, but `string` would also have been acceptable for
       that type of data.
    
    An `--insecure` flag is available for these commands, if users want to
    fall back to the previous behavior.
    
    Signed-off-by: Antonin Bas <[email protected]>
    antoninbas committed Jun 20, 2023
    98af1ca
  2. Rename apiCertData to apiCABundle in CRD

    Signed-off-by: Antonin Bas <[email protected]>
    antoninbas committed Jun 20, 2023
    94eba8b
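
An added example, not code from this PR or from Antrea: a Go illustration of point 2 of the first commit message, where the client trusts only the published CA bundle and an insecure option skips verification. The helper names, the `agent.test` host name and the generated self-signed certificate are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// clientTLSConfig (hypothetical helper): trust only caBundle; insecure ignores the bundle.
func clientTLSConfig(caBundle []byte, serverName string, insecure bool) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !insecure && !pool.AppendCertsFromPEM(caBundle) {
		return nil, errors.New("CA bundle contains no usable PEM certificate")
	}
	return &tls.Config{RootCAs: pool, ServerName: serverName, InsecureSkipVerify: insecure}, nil
}

// selfSigned builds a constructed self-signed serving certificate and its PEM encoding.
func selfSigned(name string) (*x509.Certificate, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// verifyServer applies the chain and hostname checks a TLS client performs with cfg.
func verifyServer(cfg *tls.Config, presented *x509.Certificate) (err error) {
	if !cfg.InsecureSkipVerify { // with InsecureSkipVerify nothing is checked
		_, err = presented.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	}
	return err
}

func main() {
	agent, bundle := selfSigned("agent.test")
	if cfg, err := clientTLSConfig(bundle, "agent.test", false); err != nil || verifyServer(cfg, agent) != nil {
		panic("certificate matching the published bundle must verify")
	}
}
```

With the bundle in place, a second self-signed certificate for the same name is rejected, while the insecure configuration accepts it.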