Enhancement AntreaProxy

- Implement ClusterIP and Loadbalancer Services support - Add NodePort support for Antrea Proxy on Linux Resolves antrea-io#1463. Signed-off-by: Weiqiang Tang <[email protected]>
weiqiangt · Mar 8, 2021 · 3c2b436 · 3c2b436
1 parent 0bc89a4
commit 3c2b436
Show file tree

Hide file tree

Showing 36 changed files with 1,379 additions and 173 deletions.
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
@@ -1313,6 +1313,9 @@ data:
     # this flag will not take effect.
     #  EndpointSlice: false
 
+    # Enable full functionalities of AntreaProxy.
+      FullAntreaProxy: true
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -1425,7 +1428,7 @@ data:
 
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
-    #kubeAPIServerOverride: ""
+    kubeAPIServerOverride: 192.168.77.100:6443
 
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -1435,6 +1438,10 @@ data:
 
     # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
     #tlsMinVersion:
+
+    # A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks
+    # (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses.
+    #nodePortAddresses: []
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1500,7 +1507,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-m6cb2mk6f8
+  name: antrea-config-fm57tkgg4d
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1620,7 +1627,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-m6cb2mk6f8
+          name: antrea-config-fm57tkgg4d
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1884,7 +1891,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-m6cb2mk6f8
+          name: antrea-config-fm57tkgg4d
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
@@ -1313,6 +1313,9 @@ data:
     # this flag will not take effect.
     #  EndpointSlice: false
 
+    # Enable full functionalities of AntreaProxy.
+      FullAntreaProxy: true
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -1425,7 +1428,7 @@ data:
 
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
-    #kubeAPIServerOverride: ""
+    kubeAPIServerOverride: 192.168.77.100:6443
 
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -1435,6 +1438,10 @@ data:
 
     # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
     #tlsMinVersion:
+
+    # A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks
+    # (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses.
+    #nodePortAddresses: []
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1500,7 +1507,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-m6cb2mk6f8
+  name: antrea-config-fm57tkgg4d
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1620,7 +1627,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-m6cb2mk6f8
+          name: antrea-config-fm57tkgg4d
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1886,7 +1893,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-m6cb2mk6f8
+          name: antrea-config-fm57tkgg4d
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
@@ -1313,6 +1313,9 @@ data:
     # this flag will not take effect.
     #  EndpointSlice: false
 
+    # Enable full functionalities of AntreaProxy.
+      FullAntreaProxy: true
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -1425,7 +1428,7 @@ data:
 
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
-    #kubeAPIServerOverride: ""
+    kubeAPIServerOverride: 192.168.77.100:6443
 
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -1435,6 +1438,10 @@ data:
 
     # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
     #tlsMinVersion:
+
+    # A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks
+    # (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses.
+    #nodePortAddresses: []
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1500,7 +1507,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-mk65mt7755
+  name: antrea-config-c9hdb87t67
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1620,7 +1627,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-mk65mt7755
+          name: antrea-config-c9hdb87t67
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1887,7 +1894,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-mk65mt7755
+          name: antrea-config-c9hdb87t67
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
@@ -1313,6 +1313,9 @@ data:
     # this flag will not take effect.
     #  EndpointSlice: false
 
+    # Enable full functionalities of AntreaProxy.
+      FullAntreaProxy: true
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -1430,7 +1433,7 @@ data:
 
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
-    #kubeAPIServerOverride: ""
+    kubeAPIServerOverride: 192.168.77.100:6443
 
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -1440,6 +1443,10 @@ data:
 
     # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
     #tlsMinVersion:
+
+    # A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks
+    # (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses.
+    #nodePortAddresses: []
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1505,7 +1512,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-b789kb895m
+  name: antrea-config-hmm4h9k922
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1634,7 +1641,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-b789kb895m
+          name: antrea-config-hmm4h9k922
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1933,7 +1940,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-b789kb895m
+          name: antrea-config-hmm4h9k922
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
@@ -1313,6 +1313,9 @@ data:
     # this flag will not take effect.
     #  EndpointSlice: false
 
+    # Enable full functionalities of AntreaProxy.
+      FullAntreaProxy: true
+
     # Enable traceflow which provides packet tracing feature to diagnose network issue.
     #  Traceflow: true
 
@@ -1430,7 +1433,7 @@ data:
 
     # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
     # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
-    #kubeAPIServerOverride: ""
+    kubeAPIServerOverride: 192.168.77.100:6443
 
     # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
     # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -1440,6 +1443,10 @@ data:
 
     # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
     #tlsMinVersion:
+
+    # A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks
+    # (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses.
+    #nodePortAddresses: []
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -1505,7 +1512,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-4f9kt42925
+  name: antrea-config-9t7d827585
   namespace: kube-system
 ---
 apiVersion: v1
@@ -1625,7 +1632,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-4f9kt42925
+          name: antrea-config-9t7d827585
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -1889,7 +1896,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-4f9kt42925
+          name: antrea-config-9t7d827585
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

diff --git a/build/yamls/base/conf/antrea-agent.conf b/build/yamls/base/conf/antrea-agent.conf
@@ -10,6 +10,9 @@ featureGates:
 # this flag will not take effect.
 #  EndpointSlice: false
 
+# Enable full functionalities of AntreaProxy.
+  FullAntreaProxy: true
+
 # Enable traceflow which provides packet tracing feature to diagnose network issue.
 #  Traceflow: true
 
@@ -127,7 +130,7 @@ featureGates:
 
 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
 # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
-#kubeAPIServerOverride: ""
+kubeAPIServerOverride: 192.168.77.100:6443
 
 # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
 # https://golang.org/pkg/crypto/tls/#pkg-constants
@@ -137,3 +140,7 @@ featureGates:
 
 # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
 #tlsMinVersion:
+
+# A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks
+# (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses.
+#nodePortAddresses: []
diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go
@@ -96,7 +96,9 @@ func run(o *Options) error {
 	ovsBridgeMgmtAddr := ofconfig.GetMgmtAddress(o.config.OVSRunDir, o.config.OVSBridge)
 	ofClient := openflow.NewClient(o.config.OVSBridge, ovsBridgeMgmtAddr, ovsDatapathType,
 		features.DefaultFeatureGate.Enabled(features.AntreaProxy),
-		features.DefaultFeatureGate.Enabled(features.AntreaPolicy))
+		features.DefaultFeatureGate.Enabled(features.AntreaPolicy),
+		features.DefaultFeatureGate.Enabled(features.FullAntreaProxy),
+	)
 
 	_, serviceCIDRNet, _ := net.ParseCIDR(o.config.ServiceCIDR)
 	var serviceCIDRNetv6 *net.IPNet
@@ -111,7 +113,7 @@ func run(o *Options) error {
 		TrafficEncapMode:  encapMode,
 		EnableIPSecTunnel: o.config.EnableIPSecTunnel}
 
-	routeClient, err := route.NewClient(serviceCIDRNet, networkConfig, o.config.NoSNAT)
+	routeClient, err := route.NewClient(o.nodePortVirtualIP, o.nodePortVirtualIPv6, serviceCIDRNet, networkConfig, o.config.NoSNAT, features.DefaultFeatureGate.Enabled(features.FullAntreaProxy))
 	if err != nil {
 		return fmt.Errorf("error creating route client: %v", err)
 	}
@@ -172,15 +174,27 @@ func run(o *Options) error {
 	if features.DefaultFeatureGate.Enabled(features.AntreaProxy) {
 		v4Enabled := config.IsIPv4Enabled(nodeConfig, networkConfig.TrafficEncapMode)
 		v6Enabled := config.IsIPv6Enabled(nodeConfig, networkConfig.TrafficEncapMode)
+		var nodePortAddresses []*net.IPNet
+		nodePortSupport := features.DefaultFeatureGate.Enabled(features.FullAntreaProxy)
+		if nodePortSupport {
+			for _, nodePortAddress := range o.config.NodePortAddresses {
+				_, ipNet, _ := net.ParseCIDR(nodePortAddress)
+				nodePortAddresses = append(nodePortAddresses, ipNet)
+			}
+		}
+		var err error
 		switch {
 		case v4Enabled && v6Enabled:
-			proxier = proxy.NewDualStackProxier(nodeConfig.Name, informerFactory, ofClient)
+			proxier, err = proxy.NewDualStackProxier(o.nodePortVirtualIP, o.nodePortVirtualIPv6, nodePortAddresses, nodeConfig.Name, nodeConfig.PodIPv4CIDR, nodeConfig.PodIPv6CIDR, informerFactory, ofClient, routeClient, nodePortSupport)
 		case v4Enabled:
-			proxier = proxy.NewProxier(nodeConfig.Name, informerFactory, ofClient, false)
+			proxier, err = proxy.NewProxier(o.nodePortVirtualIP, nodePortAddresses, nodeConfig.Name, nodeConfig.PodIPv4CIDR, informerFactory, ofClient, routeClient, v6Enabled, nodePortSupport)
 		case v6Enabled:
-			proxier = proxy.NewProxier(nodeConfig.Name, informerFactory, ofClient, true)
+			proxier, err = proxy.NewProxier(o.nodePortVirtualIPv6, nodePortAddresses, nodeConfig.Name, nodeConfig.PodIPv4CIDR, informerFactory, ofClient, routeClient, v6Enabled, nodePortSupport)
 		default:
-			return fmt.Errorf("at least one of IPv4 or IPv6 should be enabled")
+			err = fmt.Errorf("at least one of IPv4 or IPv6 should be enabled")
+		}
+		if err != nil {
+			return fmt.Errorf("error when creating Antrea Proxy: %w", err)
 		}
 	}
 

diff --git a/cmd/antrea-agent/config.go b/cmd/antrea-agent/config.go
@@ -134,4 +134,7 @@ type AgentConfig struct {
 	TLSCipherSuites string `yaml:"tlsCipherSuites,omitempty"`
 	// TLS min version.
 	TLSMinVersion string `yaml:"tlsMinVersion,omitempty"`
+	// A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks
+	// (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses.
+	NodePortAddresses []string `yaml:"nodePortAddresses,omitempty"`
 }