diff --git a/addons/packages/antrea/1.7.1-p1/README.md b/addons/packages/antrea/1.7.1-p1/README.md
new file mode 100644
index 00000000000..b0579474ebe
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/README.md
@@ -0,0 +1,69 @@
+# antrea Package
+
+This package provides networking and network security solution for containers using [antrea](https://antrea.io/).
+
+## Components
+
+## Configuration
+
+The following configuration values can be set to customize the antrea installation.
+
+### Global
+
+| Value | Required/Optional | Description |
+|-----------------|-------------------|-------------------------------------------------------------------------|
+| `infraProvider` | Required | The cloud provider in use. One of: `aws`, `azure`, `vsphere`, `docker`. |
+
+### antrea Configuration
+
+| Value | Required/Optional | Description |
+|--------------------------------------------------|-------------------|-------------------------------------------------------------------------------------------------------------------------|
+| `antrea.config.egress.exceptCIDRs` | Optional | The CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses |
+| `antrea.config.nodePortLocal.enabled` | Optional | Enable NodePortLocal feature. Default: true |
+| `antrea.config.nodePortLocal.portRange` | Optional | Provide the port range used by NodePortLocal |
+| `antrea.config.antreaProxy.proxyAll` | Optional | ProxyAll tells antrea-agent to proxy all Service traffic. Default: false |
+| `antrea.config.antreaProxy.nodePortAddresses` | Optional | Specifies the host IPv4/IPv6 addresses for NodePort |
+| `antrea.config.antreaProxy.skipServices` | Optional | List of Services which should be ignored by AntreaProxy |
+| `antrea.config.antreaProxy.proxyLoadBalancerIPs` | Optional | Load-balance traffic destined to the External IPs of LoadBalancer services. Default: false |
+| `antrea.config.flowExporter.collectorAddress` | Optional | Provide the IPFIX collector address as a string. Default: `flow-aggregator.flow-aggregator.svc:4739:tls` |
+| `antrea.config.flowExporter.pollInterval` | Optional | Provide flow poll interval as a duration string. Default: `5s` |
+| `antrea.config.flowExporter.activeFlowTimeout` | Optional | Provide the active flow export timeout. Default: `30s` |
+| `antrea.config.flowExporter.idleFlowTimeout` | Optional | Provide the idle flow export timeout. Default: `15s` |
+| `antrea.config.multicast.igmpQueryInterval` | Optional | The interval at which the antrea-agent sends IGMP queries to Pods. Default: `125s` |
+| `antrea.config.multicluster.enable` | Optional | Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. Default: false |
+| `antrea.config.multicluster.namespace` | Optional | The Namespace where Antrea Multi-cluster Controller is running. The default is antrea-agent's Namespace. Default: empty |
+| `antrea.config.kubeAPIServerOverride` | Optional | Provide the address of Kubernetes apiserver. Default: nil |
+| `antrea.config.transportInterface` | Optional | The name of the interface on Node which is used for tunneling or routing the traffic. Default: empty |
+| `antrea.config.transportInterfaceCIDRs` | Optional | The network CIDRs of the interface on Node which is used for tunneling or routing the traffic. Default: empty |
+| `antrea.config.multicastInterfaces` | Optional | The names of the interfaces on Nodes that are used to forward multicast traffic. Default: nil |
+| `antrea.config.trafficEncryptionMode` | Optional | Determines how tunnel traffic is encrypted. Default: none |
+| `antrea.config.wireGuard.port` | Optional | The port for WireGuard to receive traffic. Default: 51820 |
+| `antrea.config.enableUsageReporting` | Optional | Enable usage reporting (telemetry) to VMware. Default: false |
+| `antrea.config.serviceCIDR` | Optional | The service IPv4 CIDR to use. Default: `10.96.0.0/12` |
+| `antrea.config.serviceCIDRv6` | Optional | The service IPv6 CIDR to use. Default: nil |
+| `antrea.config.trafficEncapMode` | Optional | The traffic encapsulation mode. Default: `encap` |
+| `antrea.config.noSNAT` | Optional | Boolean flag to enable/disable SNAT. Default: `false` |
+| `antrea.config.disableUdpTunnelOffload` | Optional | Disable UDP tunnel offload feature on default NIC. Default: `false` |
+| `antrea.config.defaultMTU` | Optional | MTU to use. Default: `null` (Antrea will autodetect) |
+| `antrea.config.tlsCipherSuites` | Optional | List of allowed cipher suites |
+| `antrea.config.enableBridgingMode` | Optional | Enable bridging mode of Pod network on Nodes. Default: `false` |
+| `antrea.config.disableTXChecksumOffload` | Optional | Disable TX checksum offloading for container network interfaces. Default: `false` |
+| `antrea.config.dnsServerOverride` | Optional | Provide the address of DNS server, to override the kube-dns service. Default: empty |
+| `antrea.config.featureGates.AntreaProxy` | Optional | Boolean flag to enable/disable antrea proxy. Default: `true` |
+| `antrea.config.featureGates.EndpointSlice` | Optional | Boolean flag to enable/disable EndpointSlice support in AntreaProxy. Default: `false` |
+| `antrea.config.featureGates.AntreaTraceFlow` | Optional | Boolean flag to enable/disable antrea traceflow. Default: `false` |
+| `antrea.config.featureGates.NodePortLocal` | Optional | Boolean flag to enable/disable antrea proxy. Default: `false` |
+| `antrea.config.featureGates.AntreaPolicy` | Optional | Boolean flag to enable/disable antrea policy. Default: `true` |
+| `antrea.config.featureGates.FlowExporter` | Optional | Boolean flag to enable/disable flow exporter. Default: `false` |
+| `antrea.config.featureGates.NetworkPolicyStats` | Optional | Boolean flag to enable/disable network policy stats. Default: `false` |
+| `antrea.config.featureGates.Egress` | Optional | Boolean flag to enable/disable SNAT IPs of Pod egress traffic. Default: `false` |
+| `antrea.config.featureGates.AntreaIPAM` | Optional | Boolean flag to enable/disable NodePortLocal feature to make the pods reachable externally through NodePort |
+| `antrea.config.featureGates.ServiceExternalIP` | Optional | Boolean flag to enable/disable NodePortLocal feature to make the pods reachable externally through NodePort |
+| `antrea.config.featureGates.Multicast` | Optional | Boolean flag to enable/disable NodePortLocal feature to make the pods reachable externally through NodePort |
+| `antrea.config.featureGates.Multicluster` | Optional | Boolean flag to enable/disable Antrea Multi-cluster Gateway to support cross-cluster traffic |
+| `antrea.config.featureGates.SecondaryNetwork` | Optional | Boolean flag to enable/disable support for provisioning secondary network interfaces for Pods |
+| `antrea.config.featureGates.TrafficControl` | Optional | Boolean flag to enable/disable support mirroring or redirecting the traffic Pods send or receive |
+
+## Usage Example
+
+The follow is a basic guide for getting started with antrea.
diff --git a/addons/packages/antrea/1.7.1-p1/bundle/.imgpkg/bundle.yaml b/addons/packages/antrea/1.7.1-p1/bundle/.imgpkg/bundle.yaml
new file mode 100644
index 00000000000..337be505a04
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/bundle/.imgpkg/bundle.yaml
@@ -0,0 +1,9 @@
+apiVersion: imgpkg.carvel.dev/v1alpha1
+kind: Bundle
+metadata:
+ name: antrea
+authors:
+- name: Hang Yan
+ email: yhang@vmware.com
+websites:
+- url: antrea.io
diff --git a/addons/packages/antrea/1.7.1-p1/bundle/.imgpkg/images.yml b/addons/packages/antrea/1.7.1-p1/bundle/.imgpkg/images.yml
new file mode 100644
index 00000000000..1223023f36f
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/bundle/.imgpkg/images.yml
@@ -0,0 +1,25 @@ +--- +apiVersion: imgpkg.carvel.dev/v1alpha1 +images: +- annotations: + kbld.carvel.dev/id: antrea/antrea-ubuntu:v1.7.1 + kbld.carvel.dev/origins: | + - resolved: + tag: v1.7.1 + url: antrea/antrea-ubuntu:v1.7.1 + image: index.docker.io/antrea/antrea-ubuntu@sha256:90deeed74e5631ce3c514c4bf12e284bd5040dac5480f0eec0436fdbcaabe85d +- annotations: + kbld.carvel.dev/id: antrea-interworking/interworking-photon:0.7.1 + kbld.carvel.dev/origins: | + - resolved: + tag: latest + url: antrea-interworking/interworking-photon:0.7.1 + image: nsx-ujo-docker-local.artifactory.eng.vmware.com/antrea-interworking/interworking-photon@sha256:fc76bca72254735cb0758a2b1f8f7e9850062db583c8070699496e80bdfea8eb +- annotations: + kbld.carvel.dev/id: antrea-interworking/bootstrap:0.7.1 + kbld.carvel.dev/origins: | + - resolved: + tag: 0.7.1 + url: antrea-interworking/bootstrap:0.7.1 + image: nsx-ujo-docker-local.artifactory.eng.vmware.com/antrea-interworking/bootstrap@sha256:cd5d2df1124658b460cdb1942c90266603a17f5c3fdde96a244c9272d21e627c +kind: ImagesLock diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/kapp-config.yaml b/addons/packages/antrea/1.7.1-p1/bundle/config/kapp-config.yaml new file mode 100644 index 00000000000..9780a683e58 --- /dev/null +++ b/addons/packages/antrea/1.7.1-p1/bundle/config/kapp-config.yaml 
@@ -0,0 +1,24 @@ +apiVersion: kapp.k14s.io/v1alpha1 +kind: Config +rebaseRules: +- path: [data] + type: copy + sources: [existing, new] + resourceMatchers: + - kindNamespaceNameMatcher: {kind: ConfigMap, namespace: kube-system, name: antrea-ca} + - kindNamespaceNameMatcher: {kind: Secret, namespace: vmware-system-antrea, name: nsx-cert} + - kindNamespaceNameMatcher: {kind: ConfigMap, namespace: vmware-system-antrea, name: bootstrap-config} + - kindNamespaceNameMatcher: {kind: ConfigMap, namespace: vmware-system-antrea, name: antrea-interworking-config} + +- path: [spec, caBundle] + type: copy + sources: [existing, new] + resourceMatchers: + - anyMatcher: + matchers: + - kindNamespaceNameMatcher: {kind: APIService, namespace: kube-system, name: v1alpha1.stats.antrea.io} + - kindNamespaceNameMatcher: {kind: APIService, namespace: kube-system, name: v1alpha1.stats.antrea.tanzu.vmware.com} + - kindNamespaceNameMatcher: {kind: APIService, namespace: kube-system, name: v1beta1.system.antrea.io} + - kindNamespaceNameMatcher: {kind: APIService, namespace: kube-system, name: v1beta1.system.antrea.tanzu.vmware.com} + - kindNamespaceNameMatcher: {kind: APIService, namespace: kube-system, name: v1beta2.controlplane.antrea.io} + - kindNamespaceNameMatcher: {kind: APIService, namespace: kube-system, name: v1beta2.controlplane.antrea.tanzu.vmware.com} diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/antrea-overlay.yaml b/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/antrea-overlay.yaml new file mode 100644 index 00000000000..1615f74840c --- /dev/null +++ b/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/antrea-overlay.yaml 
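Review bot: The first `rebaseRules` entry in this hunk copies `data` with `sources: [existing, new]` for the `nsx-cert` Secret and the `bootstrap-config` and `antrea-interworking-config` ConfigMaps, so once those objects exist on the cluster the value already there wins over what the package renders from values; if I read kapp's rebase semantics right, a later change to `antrea_interworking.config` (including a rotated `nsxCert`/`nsxKey`) would then never be applied on upgrade. For `antrea-ca`, whose content is produced in-cluster, preferring `existing` is clearly intended; for the three values-rendered objects `sources: [new, existing]`, or leaving them out of the rule, looks like what is wanted unless they are also populated out-of-band. A one-line `#` comment above each matcher stating why the existing value must be preserved would make the intent reviewable.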
@@ -0,0 +1,443 @@ +#! antrea-overlay.yaml + +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:yaml", "yaml") +#@ load("/values.star", "values") + +#@ def antrea_agent_conf(): + +#! FeatureGates is a map of feature names to bools that enable or disable experimental features. +featureGates: + #! Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + #! It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + #! Service traffic. + AntreaProxy: #@ values.antrea.config.featureGates.AntreaProxy + + #! Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + #! API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + #! this flag will not take effect. + EndpointSlice: #@ values.antrea.config.featureGates.EndpointSlice + + #! Enable traceflow which provides packet tracing feature to diagnose network issue. + Traceflow: #@ values.antrea.config.featureGates.AntreaTraceflow + + #! Enable NodePortLocal feature to make the pods reachable externally through NodePort + NodePortLocal: #@ values.antrea.config.featureGates.NodePortLocal + + #! Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + #! to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + #! feature that supports priorities, rule actions and externalEntities in the future. + AntreaPolicy: #@ values.antrea.config.featureGates.AntreaPolicy + + #! Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + #! agent to a configured collector. + FlowExporter: #@ values.antrea.config.featureGates.FlowExporter + + #! Enable collecting and exposing NetworkPolicy statistics. + NetworkPolicyStats: #@ values.antrea.config.featureGates.NetworkPolicyStats + + #! Enable controlling SNAT IPs of Pod egress traffic. + Egress: #@ values.antrea.config.featureGates.Egress + + #! 
Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, + #! Deployments and StatefulSets via IP Pool annotation. + AntreaIPAM: #@ values.antrea.config.featureGates.AntreaIPAM + + #! Enable multicast traffic. This feature is supported only with noEncap mode. + Multicast: #@ values.antrea.config.featureGates.Multicast + + #! Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + #! This feature is supported only with encap mode. + Multicluster: #@ values.antrea.config.featureGates.Multicluster + + #! Enable support for provisioning secondary network interfaces for Pods (using Pod annotations). + #! At the moment, Antrea can only create secondary network interfaces using SR-IOV VFs on baremetal Nodes. + SecondaryNetwork: #@ values.antrea.config.featureGates.SecondaryNetwork + + #! Enable managing external IPs of Services of LoadBalancer type. + ServiceExternalIP: #@ values.antrea.config.featureGates.ServiceExternalIP + + #! Enable mirroring or redirecting the traffic Pods send or receive. + TrafficControl: #@ values.antrea.config.featureGates.TrafficControl + +#! Name of the OpenVSwitch bridge antrea-agent will create and use. +#! Make sure it doesn't conflict with your existing OpenVSwitch bridges. +#!ovsBridge: br-int + +#! Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: +#! - system +#! - netdev +#! 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run +#! OVS in userspace mode. Userspace mode requires the tun device driver to be available. +#@ if values.infraProvider == "docker": +ovsDatapathType: netdev +#@ end + +#! Name of the interface antrea-agent will create and use for host <--> pod communication. +#! Make sure it doesn't conflict with your existing interfaces. +#!hostGateway: antrea-gw0 + +#! Determines how traffic is encapsulated. It has the following options: +#! 
encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network +#! traffic is SNAT'd. +#! noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is +#! SNAT'd if noSNAT is not set to true. Underlying network must be capable of +#! supporting Pod traffic across IP subnets. +#! hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. +#! networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod +#! IPAM and connectivity to the primary CNI. +#! +trafficEncapMode: #@ values.antrea.config.trafficEncapMode + +#! Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. +#! This option is for the noEncap traffic mode only, and the default value is false. In the noEncap +#! mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to +#! the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never +#! performs SNAT and this option will be ignored; for other modes it must be set to false. +noSNAT: #@ values.antrea.config.noSNAT + +#! Tunnel protocols used for encapsulating traffic across Nodes. Supported values: +#! - geneve (default) +#! - vxlan +#! - gre +#! - stt +tunnelType: #@ values.antrea.config.tunnelType + +#! Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. +#! It has the following options: +#! - none (default): Inter-node Pod traffic will not be encrypted. +#! - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses +#! Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, +#! the PSK value must be passed to Antrea Agent through an environment +#! variable: ANTREA_IPSEC_PSK. +#! - wireGuard: Enable WireGuard for tunnel traffic encryption. +trafficEncryptionMode: #@ values.antrea.config.trafficEncryptionMode + +#! 
Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected +#! to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are +#! allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the +#! underlay network. +#! This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only +#! IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, +#! `trafficEncapMode` is `noEncap`, and `noSNAT` is true. +enableBridgingMode: #@ values.antrea.config.enableBridgingMode + +#! Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the +#! datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. +#! It affects Pods running on Linux Nodes only. +disableTXChecksumOffload: #@ values.antrea.config.disableTXChecksumOffload + + +#! Default MTU to use for the host gateway interface and the network interface of each Pod. +#! If omitted, antrea-agent will discover the MTU of the Node's primary interface and +#! also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). +#@ if/end values.antrea.config.defaultMTU: +defaultMTU: #@ values.antrea.config.defaultMTU + +#! wireGuard specifies WireGuard related configurations. +wireGuard: +#@ if values.antrea.config.wireGuard: + #! The port for WireGuard to receive traffic. + port: #@ values.antrea.config.wireGuard.port +#@ end + +egress: +#@ if values.antrea.config.featureGates.Egress: + #! exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: #@ values.antrea.config.egress.exceptCIDRs +#@ end + +#! ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be +#! set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When +#! 
AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. +serviceCIDR: #@ values.antrea.config.serviceCIDR + +#! ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack +#! cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by +#! --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. +#! No default value for this field. +#@ if/end values.antrea.config.serviceCIDRv6: +serviceCIDRv6: #@ values.antrea.config.serviceCIDRv6 + +#! The port for the antrea-agent APIServer to serve on. +#! Note that if it's set to another value, the `containerPort` of the `api` port of the +#! `antrea-agent` container must be set to the same value. +#!apiPort: 10350 + +#! Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. +#!enablePrometheusMetrics: true + +#! Provide the IPFIX collector address as a string with format :[][:]. +#! HOST can either be the DNS name or the IP of the Flow Collector. For example, +#! "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect +#! to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. +#! However, IPv6 address should be wrapped with []. +#! If PORT is empty, we default to 4739, the standard IPFIX port. +#! If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and +#! "udp" protocols. "tls" is used for securing communication between flow exporter and +#! flow aggregator. +#@ if/end values.antrea.config.featureGates.FlowExporter: +flowCollectorAddr: #@ values.antrea.config.flowExporter.collectorAddress + +#! Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module. +#! Flow poll interval should be greater than or equal to 1s (one second). +#! 
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". +#@ if/end values.antrea.config.featureGates.FlowExporter: +flowPollInterval: #@ values.antrea.config.flowExporter.pollInterval + +#! Provide the active flow export timeout, which is the timeout after which a flow +#! record is sent to the collector for active flows. Thus, for flows with a continuous +#! stream of packets, a flow record will be exported to the collector once the elapsed +#! time since the last export event is equal to the value of this timeout. +#! Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". +#@ if/end values.antrea.config.featureGates.FlowExporter: +activeFlowExportTimeout: #@ values.antrea.config.flowExporter.activeFlowTimeout + +#! Provide the idle flow export timeout, which is the timeout after which a flow +#! record is sent to the collector for idle flows. A flow is considered idle if no +#! packet matching this flow has been observed since the last export event. +#! Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". +#@ if/end values.antrea.config.featureGates.FlowExporter: +idleFlowExportTimeout: #@ values.antrea.config.flowExporter.idleFlowTimeout + +nodePortLocal: +#@ if values.antrea.config.featureGates.NodePortLocal: + #! Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + #! enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + #! gate is also enabled (which is the default). + enable: #@ values.antrea.config.nodePortLocal.enabled + #! Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + #! from that range will be assigned whenever a Pod's container defines a specific port to be exposed + #! (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + #! directed to that port will be forwarded to the Pod. 
+ portRange: #@ values.antrea.config.nodePortLocal.portRange +#@ end + +#! Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. +#! Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. +#@ if/end values.antrea.config.kubeAPIServerOverride: +kubeAPIServerOverride: #@ values.antrea.config.kubeAPIServerOverride + +#! Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. +#! Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, +#! [fd00:10:96::a]:53). +#@ if/end values.antrea.config.dnsServerOverride: +dnsServerOverride: #@ values.antrea.config.dnsServerOverride + + +#! Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. +#! https://golang.org/pkg/crypto/tls/#pkg-constants +#! Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always +#! prefer TLS1.3 Cipher Suites whenever possible. +tlsCipherSuites: #@ values.antrea.config.tlsCipherSuites + +#! TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. +#!tlsMinVersion: + +#! The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. +#! If there are multiple IP addresses configured on the interface, the first one is used. The IP +#! address used for tunneling or routing traffic to remote Nodes is decided in the following order of +#! preference (from highest to lowest): +#! 1. transportInterface +#! 2. transportInterfaceCIDRs +#! 3. The Node IP +#@ if/end values.antrea.config.transportInterface: +transportInterface: #@ values.antrea.config.transportInterface + +multicast: +#@ if values.antrea.config.featureGates.Multicast: + #! The names of the interfaces on Nodes that are used to forward multicast traffic. + #! Defaults to transport interface if not set. 
+ #@ if/end values.antrea.config.multicastInterfaces: + multicastInterfaces: #@ values.antrea.config.multicastInterfaces + + #! The interval at which the antrea-agent sends IGMP queries to Pods. + #! Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: #@ values.antrea.config.multicast.igmpQueryInterval +#@ end + +#! The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across +#! Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The +#! IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of +#! preference (from highest to lowest): +#! 1. transportInterface +#! 2. transportInterfaceCIDRs +#! 3. The Node IP +#@ if/end values.antrea.config.transportInterfaceCIDRs: +transportInterfaceCIDRs: #@ values.antrea.config.transportInterfaceCIDRs + +#! Option antreaProxy contains AntreaProxy related configuration options. +antreaProxy: +#@ if values.antrea.config.featureGates.AntreaProxy: + #! ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + #! regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + #! feature to be enabled. + #! Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + #! apiserver directly. + proxyAll: #@ values.antrea.config.antreaProxy.proxyAll + #! A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + #! (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + #! Note that the option is only valid when proxyAll is true. + nodePortAddresses: #@ values.antrea.config.antreaProxy.nodePortAddresses + #! 
An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + #! Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + #! with Namespace (e.g. kube-system/kube-dns) + skipServices: #@ values.antrea.config.antreaProxy.skipServices + #! When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + #! External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + #! capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + #! external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. + #! Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + #! kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: #@ values.antrea.config.antreaProxy.proxyLoadBalancerIPs +#@ end + + +multicluster: +#@ if values.antrea.config.featureGates.Multicluster: + #! Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + #! This feature is supported only with encap mode. + enable: #@ values.antrea.config.multicluster.enable + #! The Namespace where Antrea Multi-cluster Controller is running. + #! The default is antrea-agent's Namespace. + #@ if/end values.antrea.config.multicluster.namespace: + namespace: #@ values.antrea.config.multicluster.namespace +#@ end + +#@ end + + +#@ def antrea_controller_conf(): + +#! FeatureGates is a map of feature names to bools that enable or disable experimental features. +featureGates: + #! Enable traceflow which provides packet tracing feature to diagnose network issue. + Traceflow: #@ values.antrea.config.featureGates.AntreaTraceflow + + #! Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + #! 
to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + #! feature that supports priorities, rule actions and externalEntities in the future. + AntreaPolicy: #@ values.antrea.config.featureGates.AntreaPolicy + + #! Enable collecting and exposing NetworkPolicy statistics. + NetworkPolicyStats: #@ values.antrea.config.featureGates.NetworkPolicyStats + + #! Enable multicast traffic. This feature is supported only with noEncap mode. + Multicast: #@ values.antrea.config.featureGates.Multicast + + #! Enable controlling SNAT IPs of Pod egress traffic. + Egress: #@ values.antrea.config.featureGates.Egress + + #! Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces, + #! Deployments and StatefulSets via IP Pool annotation. + AntreaIPAM: #@ values.antrea.config.featureGates.AntreaIPAM + + #! Enable managing external IPs of Services of LoadBalancer type. + ServiceExternalIP: #@ values.antrea.config.featureGates.ServiceExternalIP + +#! The port for the antrea-controller APIServer to serve on. +#! Note that if it's set to another value, the `containerPort` of the `api` port of the +#! `antrea-controller` container must be set to the same value. +#!apiPort: 10349 + +#! Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. +#!enablePrometheusMetrics: true + +#! Indicates whether to use auto-generated self-signed TLS certificate. +#! If false, A Secret named "antrea-controller-tls" must be provided with the following keys: +#! ca.crt: +#! tls.crt: +#! tls.key: +#! And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the +#! antrea-controller container. +#! selfSignedCert: true + +#! Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. +#! https://golang.org/pkg/crypto/tls/#pkg-constants +#! Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always +#! 
prefer TLS1.3 Cipher Suites whenever possible. +tlsCipherSuites: #@ values.antrea.config.tlsCipherSuites + +#! TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. +#!tlsMinVersion: + +#! If Antrea is upgraded from version <= v0.13 and legacy CRDs are used, this option should be +#! enabled, otherwise the CRDs created with the legacy API groups will not take any effect and +#! work as expected. When the mirroring is enabled, if a legacy CRD is created with legacy API +#! groups, mirroring-controller will create a new CRD with the Spec and Labels from the legacy +#! CRD. Afterwards, the modification of Spec and Label in legacy CRD will be synchronized to new +#! CRD automatically. In addition, the modification of Status in new CRD will also be synchronized +#! to legacy CRD automatically. If a legacy CRD is deleted, the corresponding new CRD will be deleted. +#! Note that: to decouple a new CRD from the corresponding legacy CRD, the legacy CRD should be +#! annotated with "crd.antrea.io/stop-mirror". Afterwards, updates to the legacy CRDs will no +#! longer be reflected in the new CRD, and all CRUD operations should be done through the new +#! API groups. After adding the annotation, legacy CRDs can be deleted safely without impacting +#! new CRDs. +#! legacyCRDMirroring: true + +nodeIPAM: +#! Enable the integrated Node IPAM controller within the Antrea controller. +#! enableNodeIPAM: #@ values.antrea.config.nodeIPAM + +#! CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. +#! The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. +#! Value ignored when enableNodeIPAM is false. +#! clusterCIDRs: [] + +#! CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. +#! Value ignored when enableNodeIPAM is false. +#! serviceCIDR: +#! serviceCIDRv6: + +#! 
Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false +#! or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. +#! nodeCIDRMaskSizeIPv6: 64 + + +#! Enable usage reporting (telemetry) to VMware. +#@ if/end values.antrea.config.enableUsageReporting: +enableUsageReporting: #@ values.antrea.config.enableUsageReporting +#@ end + + +#@ def antrea_agent_tweaker_conf(): +#! Enable disableUdpTunnelOffload will disable udp tunnel offloading feature on kubernetes node's default interface. +#! By default, no actions will be taken. +disableUdpTunnelOffload: #@ values.antrea.config.disableUdpTunnelOffload +#@ end + + +#! Antrea agent and controller configuration +#@overlay/match by=overlay.subset({"kind":"ConfigMap","metadata":{"name": "antrea-config"}}) +--- +kind: ConfigMap +data: + antrea-agent.conf: #@ yaml.encode(antrea_agent_conf()) + antrea-controller.conf: #@ yaml.encode(antrea_controller_conf()) + + +#! Antrea agent tweaker configuration +#@overlay/match by=overlay.subset({"kind":"ConfigMap","metadata":{"name": "antrea-agent-tweaker"}}) +--- +kind: ConfigMap +data: + antrea-agent-tweaker.conf: #@ yaml.encode(antrea_agent_tweaker_conf()) + + +#@overlay/match by=overlay.subset({"kind":"Deployment","metadata":{"name": "antrea-controller"}}) +--- +kind: Deployment +metadata: + name: antrea-controller + #@overlay/match missing_ok=True + annotations: + kapp.k14s.io/disable-default-label-scoping-rules: "" + + +#@overlay/match by=overlay.subset({"kind":"DaemonSet","metadata":{"name": "antrea-agent"}}) +--- +kind: DaemonSet +metadata: + #@overlay/match missing_ok=True + annotations: + kapp.k14s.io/disable-default-label-scoping-rules: "" diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/interworking-bootstrap-overlay.yaml b/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/interworking-bootstrap-overlay.yaml new file mode 100644 index 00000000000..f54c2366e1c --- /dev/null 
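Review bot: `tlsMinVersion` is left commented out (`#!tlsMinVersion:`) in both `antrea_agent_conf` and `antrea_controller_conf`, while `tlsCipherSuites` is exposed through values, so an operator can restrict cipher suites but cannot raise the minimum TLS version of the agent and controller API servers through this package. Consider exposing it the same way, e.g. `#@ if/end values.antrea.config.tlsMinVersion:` followed by `tlsMinVersion: #@ values.antrea.config.tlsMinVersion` (with a matching schema entry; the schema file is not in this chunk). Two smaller points: the `Traceflow` gate reads `values.antrea.config.featureGates.AntreaTraceflow` while this commit's README documents `antrea.config.featureGates.AntreaTraceFlow`, so one of the two is mis-cased; and `tlsCipherSuites: #@ values.antrea.config.tlsCipherSuites` is emitted unconditionally although the comment above it describes a comma-separated string and the README calls it a list, so a YAML list value would presumably be encoded as a sequence the agent does not parse.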
+++ b/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/interworking-bootstrap-overlay.yaml @@ -0,0 +1,28 @@ +#! interworking-bootstrap-overlay.yaml + +#@ load("@ytt:overlay", "overlay") +#@ load("@ytt:yaml", "yaml") +#@ load("/values.star", "values") + +#! Antrea-interworking-bootstrap-config-secret +#@overlay/match by=overlay.subset({"kind":"Secret","metadata":{"name": "nsx-cert"}}) +#@ if/end values.antrea_nsx.enable: +--- +kind: Secret +data: + tls.crt: #@ values.antrea_interworking.config.nsxCert + tls.key: #@ values.antrea_interworking.config.nsxKey + +#@ def antrea_interworking_bootstrap_conf(): +clusterName: #@ values.antrea_interworking.config.clusterName +NSXManagers: #@ values.antrea_interworking.config.NSXManagers +vpcPath: #@ values.antrea_interworking.config.vpcPath +#@ end + +#! Antrea-interworking-bootstrap-config +#@overlay/match by=overlay.subset({"kind":"ConfigMap","metadata":{"name": "bootstrap-config"}}) +#@ if/end values.antrea_nsx.enable: +--- +kind: ConfigMap +data: + bootstrap.conf: #@ yaml.encode(antrea_interworking_bootstrap_conf()) diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/interworking-overlay.yaml b/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/interworking-overlay.yaml new file mode 100644 index 00000000000..07cde80c6c6 --- /dev/null +++ b/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/interworking-overlay.yaml 
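Review bot: The `nsx-cert` Secret overlay writes `values.antrea_interworking.config.nsxCert` and `nsxKey` straight into `data.tls.crt`/`data.tls.key`, and Secret `data` must hold base64-encoded content; unless those values are already base64 (the schema is not in this chunk), this should use `stringData` or a base64 encoding in the overlay, since a PEM string under `data` is rejected at apply time. Because the NSX client private key travels through package values, the values Secret that carries it needs the same handling as the rendered Secret (RBAC-restricted, not echoed in install output); a `#!` comment on the `tls.key` line saying so would help the next maintainer. Minor: both documents are gated on `values.antrea_nsx.enable` but read their content from `values.antrea_interworking.config`, and neither key set is documented in this commit's README.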
@@ -0,0 +1,40 @@
+#! interworking-overlay.yaml
+
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:yaml", "yaml")
+#@ load("/values.star", "values")
+
+#@ def antrea_interworking_mp_adapter_conf():
+NSXClientTimeout: #@ values.antrea_interworking.config.mp_adapter_conf.NSXClientTimeout
+InventoryBatchSize: #@ values.antrea_interworking.config.mp_adapter_conf.InventoryBatchSize
+InventoryBatchPeriod: #@ values.antrea_interworking.config.mp_adapter_conf.InventoryBatchPeriod
+EnableDebugServer: #@ values.antrea_interworking.config.mp_adapter_conf.EnableDebugServer
+APIServerPort: #@ values.antrea_interworking.config.mp_adapter_conf.APIServerPort
+DebugServerPort: #@ values.antrea_interworking.config.mp_adapter_conf.DebugServerPort
+NSXRPCDebug: #@ values.antrea_interworking.config.mp_adapter_conf.NSXRPCDebug
+ConditionTimeout: #@ values.antrea_interworking.config.mp_adapter_conf.ConditionTimeout
+#@ end
+
+
+#@ def antrea_interworking_ccp_adapter_conf():
+EnableDebugServer: #@ values.antrea_interworking.config.ccp_adapter_conf.EnableDebugServer
+APIServerPort: #@ values.antrea_interworking.config.ccp_adapter_conf.APIServerPort
+DebugServerPort: #@ values.antrea_interworking.config.ccp_adapter_conf.DebugServerPort
+NSXRPCDebug: #@ values.antrea_interworking.config.ccp_adapter_conf.NSXRPCDebug
+RealizeTimeoutSeconds: #@ values.antrea_interworking.config.ccp_adapter_conf.RealizeTimeoutSeconds
+RealizeErrorSyncIntervalSeconds: #@ values.antrea_interworking.config.ccp_adapter_conf.RealizeErrorSyncIntervalSeconds
+ReconcilerWorkerCount: #@ values.antrea_interworking.config.ccp_adapter_conf.ReconcilerWorkerCount
+ReconcilerQPS: #@ values.antrea_interworking.config.ccp_adapter_conf.ReconcilerQPS
+ReconcilerBurst: #@ values.antrea_interworking.config.ccp_adapter_conf.ReconcilerBurst
+ReconcilerResyncSeconds: #@ values.antrea_interworking.config.ccp_adapter_conf.ReconcilerResyncSeconds
+#@ end
+
+
+#! Antrea-interworking-config
+#@overlay/match by=overlay.subset({"kind":"ConfigMap","metadata":{"name": "antrea-interworking-config"}})
+#@ if/end values.antrea_nsx.enable:
+---
+kind: ConfigMap
+data:
+ mp-adapter.conf: #@ yaml.encode(antrea_interworking_mp_adapter_conf())
+ ccp-adapter.conf: #@ yaml.encode(antrea_interworking_ccp_adapter_conf())
diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/update-strategy-overlay.yaml b/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/update-strategy-overlay.yaml
new file mode 100644
index 00000000000..a243acf1462
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/bundle/config/overlay/update-strategy-overlay.yaml
@@ -0,0 +1,22 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:data", "data")
+
+#! We are adding this overlay in the package to accommodate the need from vSphere supervisor cluster:
+#! `deployment.spec.strategy.type` is configured to `RollingUpdate`
+#! `deployment.spec.strategy.rollingUpdate.maxUnavailable` is set to `0`.
+#! `deployment.spec.strategy.rollingUpdate.maxSurge` is set to `1`.
+#! `deployment.spec.template.spec.nodeSelector`is set to target only `Nodes`
+#! `daemonset.spec.updateStrategy.type` is configured to `OnDelete`
+#! This overlay makes configuring the above parameters possible
+#! Reference: https://github.com/vmware-tanzu/tanzu-framework/issues/1850
+
+
+#@overlay/match expects="0+",by=overlay.subset({"kind":"DaemonSet"})
+---
+kind: DaemonSet
+spec:
+ #@ if data.values.daemonset.updateStrategy:
+ #@overlay/match missing_ok=True
+ updateStrategy:
+ type: #@ data.values.daemonset.updateStrategy
+ #@ end
diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/schema.yaml b/addons/packages/antrea/1.7.1-p1/bundle/config/schema.yaml
new file mode 100644
index 00000000000..9b85663b3ce
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/bundle/config/schema.yaml
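Review bot: The `#@overlay/match by=overlay.subset({"kind":"ConfigMap","metadata":{"name": "antrea-interworking-config"}})` carries no `expects` qualifier, so ytt's default of exactly one match applies and rendering fails as soon as `antrea_nsx.enable` is true unless the upstream bundle ships a ConfigMap with that name. I cannot see such a ConfigMap in the portion of `upstream/antrea.yaml` included in this diff, so either confirm it is present or relax the match to `expects="0+"` the way update-strategy-overlay.yaml does for its DaemonSet match. The `nsx-cert` Secret and `bootstrap-config` ConfigMap matches in interworking-bootstrap-overlay.yaml have the same shape and the same question. Separately, `antrea_interworking`, `mp_adapter_conf` and `ccp_adapter_conf` are the only snake_case keys in a values tree that is otherwise camelCase (`antrea.config.antreaProxy`, `nodePortLocal`), which is worth aligning before the schema becomes a published interface.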
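Review bot: The header comment lists five parameters (Deployment strategy `type`, `maxUnavailable`, `maxSurge`, `nodeSelector`, DaemonSet `updateStrategy`), but the overlay body only applies `data.values.daemonset.updateStrategy`; the `deployment.updateStrategy`/`rollingUpdate` and `nodeSelector` values declared in schema.yaml are not applied in this hunk, and I don't see another overlay in this diff that applies them. If they are handled elsewhere in the bundle the comment should say so, e.g. `#! Only the DaemonSet updateStrategy is applied here; Deployment strategy and nodeSelector are applied by <other overlay>`; if not, the Deployment overlay is missing. Also, this file reads `data.values` via `@ytt:data` while the other overlays load `/values.star`; if values.star post-processes values, this overlay bypasses it, so using one access path across the overlays is safer.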
@@ -0,0 +1,216 @@ +#! schema.yaml + +#@data/values-schema +#@schema/desc "OpenAPIv3 Schema for antrea" +--- +#@schema/desc "The cloud provider in use. One of the following options => aws, azure, vsphere, docker" +infraProvider: vsphere +#@schema/desc "NodeSelector configuration applied to all the deployments" +#@schema/type any=True +nodeSelector: +deployment: + #@schema/desc "Update strategy of deployments" + #@schema/nullable + updateStrategy: "" + rollingUpdate: + #@schema/desc "The maxUnavailable of rollingUpdate. Applied only if RollingUpdate is used as updateStrategy" + #@schema/nullable + maxUnavailable: 1 + #@schema/desc "The maxSurge of rollingUpdate. Applied only if RollingUpdate is used as updateStrategy" + #@schema/nullable + maxSurge: 0 +daemonset: + #@schema/desc "Update strategy of daemonsets" + #@schema/nullable + updateStrategy: "" +antrea: + #@schema/desc "Configuration for antrea" + config: + #@schema/desc "Control SNAT IPs of Pod egress traffic." + egress: + #@schema/desc "The CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses." + exceptCIDRs: + - "" + nodePortLocal: + #@schema/desc "Enable NodePortLocal feature." + enabled: false + #@schema/desc "Provide the port range used by NodePortLocal." + portRange: "" + #@schema/desc "AntreaProxy related configuration options." + antreaProxy: + #@schema/desc "ProxyAll tells antrea-agent to proxy all Service traffic." + proxyAll: false + #@schema/desc "Specifies the host IPv4/IPv6 addresses for NodePort." + nodePortAddresses: + - "" + #@schema/desc "List of Services which should be ignored by AntreaProxy." + skipServices: + - "" + #@schema/desc "Load-balance traffic destined to the External IPs of LoadBalancer services." + proxyLoadBalancerIPs: false + #@schema/desc "FlowExporter related configuration options." + flowExporter: + #@schema/desc "Provide the IPFIX collector address as a string." + collectorAddress: "" + #@schema/desc "Provide flow poll interval as a duration string." 
+ pollInterval: "" + #@schema/desc "Provide the active flow export timeout." + activeFlowTimeout: "" + #@schema/desc "Provide the idle flow export timeout." + idleFlowTimeout: "" + #@schema/desc "Provide the address of Kubernetes apiserver." + #@schema/nullable + kubeAPIServerOverride: "" + #@schema/desc "The name of the interface on Node which is used for tunneling or routing the traffic." + #@schema/nullable + transportInterface: "" + #@schema/desc "The network CIDRs of the interface on Node which is used for tunneling or routing the traffic." + transportInterfaceCIDRs: + - "" + #@schema/desc "Tunnel protocols used for encapsulating traffic across Nodes. One of the following options => geneve, vxlan, gre, stt" + tunnelType: none + #@schema/desc "Determines how tunnel traffic is encrypted. One of the following options => none, ipsec, wireGuard" + trafficEncryptionMode: none + #@schema/desc "WireGuard related configurations." + wireGuard: + #@schema/desc "The port for WireGuard to receive traffic." + port: 51820 + #@schema/desc "Enable usage reporting (telemetry) to VMware." + enableUsageReporting: false + #@schema/desc "ClusterIP CIDR range for IPv4 Services" + #@schema/nullable + serviceCIDR: 10.96.0.0/12 + #@schema/desc "ClusterIP CIDR range for IPv6 Services" + #@schema/nullable + serviceCIDRv6: "" + #@schema/desc "The traffic encapsulation mode. One of the following options => encap, noEncap, hybrid, networkPolicyOnly" + trafficEncapMode: encap + #@schema/desc "Flag to enable/disable SNAT for the egress traffic from a Pod to the external network" + noSNAT: false + #@schema/desc "Disable UDP tunnel offload feature on default NIC" + disableUdpTunnelOffload: false + #@schema/desc "Default MTU to use for the host gateway interface and the network interface of each Pod" + #@schema/nullable + defaultMTU: "" + #@schema/desc "List of allowed cipher suites. 
If omitted, the default Go Cipher Suites will be used" + tlsCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384 + #@schema/desc "Enable bridging mode of Pod network on Nodes." + enableBridgingMode: false + #@schema/desc "Disable TX checksum offloading for container network interfaces" + disableTXChecksumOffload: false + #@schema/desc "Provide the address of DNS server, to override the kube-dns service" + #@schema/nullable + dnsServerOverride: "" + #@schema/desc "The names of the interfaces on Nodes that are used to forward multicast traffic." + multicastInterfaces: + - "" + #@schema/desc "Multicast related configuration options" + multicast: + #@schema/desc "The interval at which the antrea-agent sends IGMP queries to Pods." + igmpQueryInterval: "125s" + #@schema/desc "Multicluster related configurations" + multicluster: + #@schema/desc "Enable Antrea Multi-cluster Gateway to support cross-cluster traffic." + enable: false + #@schema/desc "The Namespace where Antrea Multi-cluster Controller is running.Default is antrea-agent's Namespace" + #@schema/nullable + namespace: "" + #@schema/desc "FeatureGates is a map of feature names to flags that enable or disable experimental features" + featureGates: + #@schema/desc "Flag to enable/disable antrea proxy" + AntreaProxy: true + #@schema/desc "Flag to enable/disable EndpointSlice support in AntreaProxy. 
If AntreaProxy is not enabled, this flag will not take effect" + EndpointSlice: false + #@schema/desc "Flag to enable/disable antrea traceflow" + AntreaTraceflow: true + #@schema/desc "Flag to enable/disable NodePortLocal feature to make the pods reachable externally through NodePort" + NodePortLocal: true + #@schema/desc "Flag to enable/disable antrea policy" + AntreaPolicy: true + #@schema/desc "Flag to enable/disable flow exporter" + FlowExporter: false + #@schema/desc "Flag to enable/disable network policy stats" + NetworkPolicyStats: false + #@schema/desc "Flag to enable/disable SNAT IPs of Pod egress traffic" + Egress: true + #@schema/desc "Flag to enable/disable flexible IPAM mode" + AntreaIPAM: false + #@schema/desc "Flag to enable/disable managing external IPs for Load balancers services" + ServiceExternalIP: false + #@schema/desc "Flag to enable/disable multicast traffic" + Multicast: false + #@schema/desc "Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.This feature is supported only with encap mode." + Multicluster: false + #@schema/desc "Enable support for provisioning secondary network interfaces for Pods (using Pod annotations)." + SecondaryNetwork: false + #@schema/desc "Enable mirroring or redirecting the traffic Pods send or receive." 
+ TrafficControl: false +antrea_nsx: + enable: false +antrea_interworking: + #@schema/desc "Configuration for antrea-interworking" + config: + #@schema/desc "echo -n 'dummyAdmin' | base64" + nsxUser: ZHVtbXlBZG1pbg== + #@schema/desc " echo -n 'dummyPassword' | base64" + nsxPassword: ZHVtbXlQYXNzd29yZA== + #@schema/desc "base64 encoded data" + nsxCert: ZHVtbXlBZG1pbg== + #@schema/desc "base64 encoded data" + nsxKey: ZHVtbXlQYXNzd29yZA== + #@schema/desc " " + clusterName: dummyClusterName + #@schema/desc " " + NSXManagers: [dummyNSXIP1] + #@schema/desc " " + vpcPath: dummyVPCPath + #@schema/desc " " + mp_adapter_conf: + #@schema/desc " " + NSXClientTimeout: 120 + #@schema/desc " " + InventoryBatchSize: 50 + #@schema/desc " " + InventoryBatchPeriod: 5 + #@schema/desc " " + EnableDebugServer: false + #@schema/desc " " + APIServerPort: 16664 + #@schema/desc " " + DebugServerPort: 16666 + #@schema/desc " " + NSXRPCDebug: false + #@schema/desc "#in second" + ConditionTimeout: 150 + #@schema/desc " " + ccp_adapter_conf: + #@schema/desc " " + EnableDebugServer: false + #@schema/desc " " + APIServerPort: 16665 + #@schema/desc " " + DebugServerPort: 16667 + #@schema/desc " " + NSXRPCDebug: false + #@schema/desc "# Time to wait for realization" + RealizeTimeoutSeconds: 60 + #@schema/desc "# An interval for regularly report latest realization error in background" + RealizeErrorSyncIntervalSeconds: 600 + #@schema/desc " " + ReconcilerWorkerCount: 8 + #@schema/desc "# Average QPS = ReconcilerWorkerCount * ReconcilerQPS" + ReconcilerQPS: 5.0 + #@schema/desc "# Peak QPS = ReconcilerWorkerCount * ReconcilerBurst" + ReconcilerBurst: 10 + #@schema/desc "# 24 Hours" + ReconcilerResyncSeconds: 86400 + #! Deprecated. Kept for backward compatibility + image: + #@schema/desc "The repository of antrea image" + repository: "" + #@schema/desc "The path of image" + path: "" + #@schema/desc "The image tag" + tag: "" + #@schema/desc "The pull policy of image" + pullPolicy: IfNotPresent 
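Review bot: Most of the `antrea_interworking.config` entries carry empty descriptions (`#@schema/desc " "` on `clusterName`, `NSXManagers`, `vpcPath`, `mp_adapter_conf`, `ccp_adapter_conf` and most of their children) or shell snippets in place of a description (`#@schema/desc "echo -n 'dummyAdmin' | base64"`), and `nsxUser`, `nsxPassword`, `nsxCert`, `nsxKey` ship non-empty base64 placeholders as defaults. For credential and key fields a default that decodes to `dummyAdmin`/`dummyPassword` cannot be told apart from an operator-set value, so I'd make them `#@schema/nullable` with `""` defaults and describe the expected content, e.g. `#@schema/desc "Base64-encoded certificate written to tls.crt of the nsx-cert Secret; required when antrea_nsx.enable is true"`. `nsxUser` and `nsxPassword` are not read by any overlay visible in this diff; if nothing consumes them they should be dropped rather than shipped as defaults. `tunnelType: none` is not one of the options its own description lists (`geneve, vxlan, gre, stt`), so either document that `none` means "leave the upstream default" or pick a listed value. The `tlsCipherSuites` default ends with `TLS_RSA_WITH_AES_256_GCM_SHA384`, a static-RSA suite without forward secrecy; it mirrors the upstream ConfigMap, but a package default is a reasonable place to leave it out.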
diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/upstream/antrea.yaml b/addons/packages/antrea/1.7.1-p1/bundle/config/upstream/antrea.yaml new file mode 100644 index 00000000000..4ebb424a5b5 --- /dev/null +++ b/addons/packages/antrea/1.7.1-p1/bundle/config/upstream/antrea.yaml 
@@ -0,0 +1,4352 @@ +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/agent/tweakerconfigmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-agent-tweaker + namespace: kube-system + labels: + app: antrea +data: + antrea-agent-tweaker.conf: |- + # Enable disableUdpTunnelOffload will disable udp tunnel offloading feature on kubernetes node's default interface. + # By default, no actions will be taken. + disableUdpTunnelOffload: false +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. 
+ # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). 
At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "encap" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. 
In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "geneve" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "none" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. 
It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. + disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. 
For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: true + # Provide the port range used by NodePortLocal. 
When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. 
The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterfaceCIDRs: + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + nodePortAddresses: + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. 
kube-system/kube-dns) + skipServices: + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. + # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: true + + # IPsec tunnel related configurations. + ipsec: + # The authentication mode of IPsec tunnel. It has the following options: + # - psk (default): Use pre-shared key (PSK) for IKE authentication. + # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` + # feature gate to be enabled. + authenticationMode: "psk" + + multicluster: + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + enable: false + # The Namespace where Antrea Multi-cluster Controller is running. + # The default is antrea-agent's Namespace. + namespace: "" + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + } + , + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + , + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. 
+ # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 + + ipsecCSRSigner: + # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. + # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions + # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, + # the Pod identity will also be validated to provide maximum security. + # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved + # manually by `kubectl certificate approve`. 
+ autoApprove: true + # Indicates whether to use auto-generated self-signed CA certificate. + # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: + # tls.crt: + # tls.key: + selfSignedCA: true + + # Indicates whether to enable usage reporting or not. + enableUsageReporting: false + + # Indicates whether to enable Antrea advanced features or not. + enterpriseAntrea: true +--- +# Source: antrea/templates/crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreaagentinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai +--- +# Source: antrea/templates/crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreacontrollerinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + 
versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci +--- +# Source: antrea/templates/crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustergroups.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + 
matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: 
object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clustergroup" + scope: Cluster + names: + plural: clustergroups + singular: clustergroup + kind: ClusterGroup + shortNames: + - cg +--- +# Source: antrea/templates/crds/clusternetworkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusternetworkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. 
+ jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: 
array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object 
+ properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + 
type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp +--- +# Source: antrea/templates/crds/egress.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + status: + type: object + properties: + egressNode: + type: string + additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. 
+ jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg +--- +# Source: antrea/templates/crds/externalentity.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee +--- +# Source: antrea/templates/crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: 
ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip +--- +# Source: antrea/templates/crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + vlan: + type: integer + minimum: 0 + maximum: 4094 + 
type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + type: object + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp +--- +# Source: antrea/templates/crds/networkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - 
required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. + enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: 
array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + 
type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Namespaced + names: + plural: networkpolicies + singular: networkpolicy + kind: NetworkPolicy + shortNames: + - anp +--- +# Source: antrea/templates/crds/tier.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tiers.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Priority + type: integer + description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - priority + type: object + properties: + priority: + type: integer + minimum: 0 + maximum: 255 + description: + type: string + scope: Cluster + names: + plural: tiers + singular: tier + kind: Tier + shortNames: + - tr +--- +# Source: antrea/templates/crds/tierentitlement.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tierentitlements.crd.antrea.tanzu.vmware.com + labels: + app: antrea +spec: + group: crd.antrea.tanzu.vmware.com + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - permission + - tiers + type: object + properties: + permission: + type: string + enum: ['edit'] + tiers: + type: array + items: + type: string + scope: Cluster + names: + plural: tierentitlements + singular: tierentitlement + kind: TierEntitlement + shortNames: + - te +--- +# Source: antrea/templates/crds/tierentitlementbinding.yml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: 
tierentitlementbindings.crd.antrea.tanzu.vmware.com + labels: + app: antrea +spec: + group: crd.antrea.tanzu.vmware.com + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - tierEntitlement + - subjects + type: object + properties: + tierEntitlement: + type: string + subjects: + type: array + items: + type: object + properties: + kind: + type: string + enum: ['User', 'Group', 'ServiceAccount'] + apiGroup: + type: string + enum: ['rbac.authorization.k8s.io'] + name: + type: string + namespace: + type: string + scope: Cluster + names: + plural: tierentitlementbindings + singular: tierentitlementbinding + kind: TierEntitlementBinding + shortNames: + - teb +--- +# Source: antrea/templates/crds/traceflow.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traceflows.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the Traceflow. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.liveTraffic + description: Trace live traffic. + name: Live-Traffic + type: boolean + priority: 10 + - jsonPath: .spec.droppedOnly + description: Capture only the dropped packet. + name: Dropped-Only + type: boolean + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. 
+ name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + srcIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + protocol: + type: integer + ttl: + type: integer + flags: + type: integer + ipv6Header: + type: object + properties: + srcIP: + type: string + format: ipv6 + nextHeader: + type: integer + hopLimit: + type: integer + transportHeader: + type: object + properties: + icmp: + type: object + properties: + id: + type: integer + sequence: + type: integer + udp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + tcp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + flags: + type: integer + liveTraffic: + type: boolean + droppedOnly: + type: boolean + timeout: + type: integer + status: + type: object + properties: + reason: + type: string + dataplaneTag: + type: integer + phase: + type: string + startTime: + type: string + results: + type: array + items: + type: object + properties: + node: + type: string + role: + type: string + timestamp: + type: integer + observations: + type: array + items: + type: object + properties: + component: + type: string + componentInfo: + type: string + action: + type: string + pod: + type: string + dstMAC: + type: string + networkPolicy: + type: string + ttl: + type: integer + translatedSrcIP: + type: string + translatedDstIP: + type: string + tunnelDstIP: + type: string + 
capturedPacket: + properties: + srcIP: + type: string + dstIP: + type: string + length: + type: integer + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + srcPort: + type: integer + flags: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + type: object + type: object + subresources: + status: {} + scope: Cluster + names: + plural: traceflows + singular: traceflow + kind: Traceflow + shortNames: + - tf +--- +# Source: antrea/templates/crds/trafficcontrol.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: trafficcontrols.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + - direction + - action + - targetPort + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + direction: + type: string + enum: + - Ingress + - Egress + - Both + action: + type: string + enum: + - Mirror + - Redirect + targetPort: + type: object + oneOf: + - required: [ovsInternal] + - required: [device] + - required: [geneve] + - required: [vxlan] + - required: [gre] + - required: [erspan] + properties: + ovsInternal: + type: object + required: + - name + properties: + name: + type: string + device: + type: object + required: + - name + properties: + name: + type: string + geneve: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + vxlan: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + gre: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + key: + type: integer + minimum: 0 + maximum: 4294967295 + erspan: + type: object + required: + - remoteIP + - version + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + sessionID: + type: integer + minimum: 0 + maximum: 1023 + version: + type: integer + enum: + - 1 + - 2 + index: + type: integer + dir: + type: integer + enum: + - 0 + - 1 + hardwareID: + type: integer + returnPort: + type: object + oneOf: + - required: [ovsInternal] + - required: [device] + - required: [geneve] + - required: [vxlan] + - required: [gre] + properties: + ovsInternal: + type: object + required: + - name + properties: + name: + type: string + device: + type: object + required: + - name + properties: + name: + type: string + geneve: + type: 
object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + vxlan: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + gre: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + key: + type: integer + minimum: 0 + maximum: 4294967295 + additionalPrinterColumns: + - description: Specifies the direction of traffic that should be matched. + jsonPath: .spec.direction + name: Direction + type: string + - description: Specifies the action that should be taken for the traffic. + jsonPath: .spec.action + name: Action + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: trafficcontrols + singular: trafficcontrol + kind: TrafficControl + shortNames: + - tc +--- +# Source: antrea/templates/agent/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - apiGroups: + - "" + resources: + - endpoints + - services + - namespaces + verbs: + - get + - watch + - list + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - get + - create + - 
update + - delete + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - egressgroups + verbs: + - get + - watch + - list + - apiGroups: + - controlplane.antrea.io + resources: + - nodestatssummaries + verbs: + - create + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies/status + verbs: + - create + - get + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. 
+ - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - egresses/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + - trafficcontrols + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - ippools/status + verbs: + - update + - apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - get + - watch + - list + - create + - apiGroups: + - multicluster.crd.antrea.io + resources: + - gateways + verbs: + - get + - list + - watch + - apiGroups: + - multicluster.crd.antrea.io + resources: + - clusterinfoimports + verbs: + - get + - list + - watch +--- +# Source: antrea/templates/antctl/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antctl + labels: + app: antrea +rules: + - apiGroups: + - controlplane.antrea.io + resources: + - networkpolicies + - appliedtogroups + - addressgroups + verbs: + - get + - list + - apiGroups: + - stats.antrea.io + resources: + - networkpolicystats + - antreaclusternetworkpolicystats + - antreanetworkpolicystats + verbs: + - get + - list + - apiGroups: + - system.antrea.io + resources: + - controllerinfos + - agentinfos + verbs: + - get + - apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - post + - apiGroups: + - 
system.antrea.io + resources: + - supportbundles/download + verbs: + - get + - nonResourceURLs: + - /agentinfo + - /addressgroups + - /appliedtogroups + - /loglevel + - /networkpolicies + - /ovsflows + - /ovstracing + - /podinterfaces + - /featuregates + - /serviceexternalip + verbs: + - get +--- +# Source: antrea/templates/cluster-identity-reader/clusterrolebinding.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-cluster-identity-reader + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-cluster-identity + verbs: + - get +--- +# Source: antrea/templates/controller/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller + labels: + app: antrea +rules: + - apiGroups: + - "" + resources: + - pods + - services + - namespaces + - configmaps + verbs: + - get + - watch + - list + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - watch + - list + - patch + - apiGroups: + - "" + resources: + - services/status + verbs: + - update + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - watch + - list + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - update + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-controller) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. 
+ # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-ca + - antrea-ipsec-ca + - antrea-cluster-identity + verbs: + - get + - update + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - antrea-ipsec-ca + verbs: + - get + - update + - watch + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - create + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - antrea-config + verbs: + - get + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1alpha1.stats.antrea.io + - v1beta1.system.antrea.io + - v1beta2.controlplane.antrea.io + verbs: + - get + - update + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + resourceNames: + - v1beta1.networking.antrea.tanzu.vmware.com + - v1beta1.controlplane.antrea.tanzu.vmware.com + - v1alpha1.stats.antrea.tanzu.vmware.com + - v1beta1.system.antrea.tanzu.vmware.com + - v1beta2.controlplane.antrea.tanzu.vmware.com + verbs: + - delete + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + resourceNames: + # always give permissions for labelsmutator.antrea.io, even when the + # feature is disabled, to avoid errors in antrea-controller when updating + # the CA cert. 
+ - labelsmutator.antrea.io + - crdmutator.antrea.io + - crdvalidator.antrea.io + verbs: + - get + - update + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - get + - list + - watch + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: + - update + - apiGroups: + - certificates.k8s.io + resources: + - signers + resourceNames: + - antrea.io/antrea-agent-ipsec-tunnel + verbs: + - approve + - sign + - apiGroups: + - crd.antrea.io + resources: + - antreacontrollerinfos + verbs: + - get + - create + - update + - delete + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + verbs: + - list + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies/status + - networkpolicies/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - tiers + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - externalentities + - clustergroups + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clustergroups/status + verbs: + - update + - apiGroups: + - crd.antrea.io + resources: + - egresses + verbs: + - get + - watch + - list + - update + - patch + - apiGroups: + - crd.antrea.io + resources: + - externalippools + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - externalippools/status + - ippools/status + verbs: + - update + - apiGroups: + - apps + resources: + - statefulsets + 
verbs: + - get + - list + - watch + - apiGroups: + - crd.antrea.tanzu.vmware.com + resources: + - tierentitlements + - tierentitlementbindings + verbs: + - get + - watch + - list +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-antrea-policies-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-policies-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clusternetworkpolicies", "networkpolicies"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-traceflows-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-traceflows-view + labels: + app: antrea + # Add these permissions to the "view" default role. 
+ rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["traceflows"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-antrea-clustergroups-edit + labels: + app: antrea + # Add these permissions to the "admin" and "edit" default roles. + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] +--- +# Source: antrea/templates/crds-rbac/clusterroles.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: aggregate-antrea-clustergroups-view + labels: + app: antrea + # Add these permissions to the "view" default role. + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["crd.antrea.io"] + resources: ["clustergroups"] + verbs: ["get", "list", "watch"] +--- +# Source: antrea/templates/agent/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-agent + labels: + app: antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-agent +subjects: + - kind: ServiceAccount + name: antrea-agent + namespace: kube-system +--- +# Source: antrea/templates/antctl/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea + name: antctl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antctl +subjects: + - kind: ServiceAccount + name: antctl + namespace: kube-system +--- +# Source: antrea/templates/controller/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: antrea-controller + labels: + app: antrea +roleRef: + 
apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-controller +subjects: + - kind: ServiceAccount + name: antrea-controller + namespace: kube-system +--- +# Source: antrea/templates/controller/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: antrea + namespace: kube-system + labels: + app: antrea +spec: + ports: + - port: 443 + protocol: TCP + targetPort: api + selector: + app: antrea + component: antrea-controller +--- +# Source: antrea/templates/agent/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea + component: antrea-agent +spec: + selector: + matchLabels: + app: antrea + component: antrea-agent + updateStrategy: + type: RollingUpdate + template: + metadata: + annotations: + # Starting with v1.21, Kubernetes supports default container annotation. + # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-agent" when troubleshooting. + kubectl.kubernetes.io/default-container: antrea-agent + # Automatically restart Pods with a RollingUpdate if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: ea61360cc22dff22cc94fba060568c110d5bac03638203b7f0ec04282129d6e5 + checksum/tweaker-config: 2d2c4693a82ee4f18de916ab3a50276d064eb8058a673f7e6b7719b9e5c21190 + labels: + app: antrea + component: antrea-agent + spec: + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + priorityClassName: system-node-critical + nodeSelector: + kubernetes.io/os: linux + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: antrea-agent + initContainers: + - name: antrea-agent-tweaker + image: "antrea/antrea-ubuntu:v1.7.1" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + command: ["antrea-agent-tweaker"] + args: ["--config", 
"/etc/antrea/antrea-agent-tweaker.conf"] + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - name: antrea-agent-tweaker-config + mountPath: /etc/antrea/antrea-agent-tweaker.conf + subPath: antrea-agent-tweaker.conf + - name: install-cni + image: "antrea/antrea-ubuntu:v1.7.1" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + command: ["install_cni"] + securityContext: + capabilities: + add: + # SYS_MODULE is required to load the OVS kernel module. + - SYS_MODULE + env: + # SKIP_CNI_BINARIES takes in values as a comma separated list of + # binaries that need to be skipped for installation, e.g. "portmap, bandwidth". + - name: SKIP_CNI_BINARIES + value: "" + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-cni.conflist + subPath: antrea-cni.conflist + readOnly: true + - name: host-cni-conf + mountPath: /host/etc/cni/net.d + - name: host-cni-bin + mountPath: /host/opt/cni/bin + # For loading the OVS kernel module. + - name: host-lib-modules + mountPath: /lib/modules + readOnly: true + # For changing the default permissions of the run directory. + - name: host-var-run-antrea + mountPath: /var/run/antrea + containers: + - name: antrea-agent + image: "antrea/antrea-ubuntu:v1.7.1" + imagePullPolicy: IfNotPresent + command: ["antrea-agent"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).- + args: + - "--config=/etc/antrea/antrea-agent.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. 
+ - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + requests: + cpu: 200m + ports: + - containerPort: 10350 + name: api + protocol: TCP + livenessProbe: + exec: + command: + - /bin/sh + - -c + - container_liveness_probe agent + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + # In large-scale clusters, it may take up to 40~50 seconds for the antrea-agent to reconnect to the antrea + # Service after the antrea-controller restarts. The antrea-agent shouldn't be reported as NotReady in this + # scenario, otherwise the DaemonSet controller would restart all agents at once, as opposed to performing a + # rolling update. Set failureThreshold to 8 so it can tolerate 70s of disconnection. + failureThreshold: 8 + securityContext: + # antrea-agent needs to perform sysctl configuration. + privileged: true + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-agent.conf + subPath: antrea-agent.conf + readOnly: true + - name: host-var-run-antrea + mountPath: /var/run/antrea + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + # host-local IPAM stores allocated IP addresses as files in /var/lib/cni/networks/$NETWORK_NAME. + # Mount a sub-directory of host-var-run-antrea to it for persistence of IP allocation. + - name: host-var-run-antrea + mountPath: /var/lib/cni + subPath: cni + # We need to mount both the /proc directory and the /var/run/netns directory so that + # antrea-agent can open the network namespace path when setting up Pod + # networking. Different container runtimes may use /proc or /var/run/netns when invoking + # the CNI commands. 
Docker uses /proc and containerd uses /var/run/netns. + - name: host-var-log-antrea + mountPath: /var/log/antrea + - name: host-proc + mountPath: /host/proc + readOnly: true + - name: host-var-run-netns + mountPath: /host/var/run/netns + readOnly: true + # When a container is created, a mount point for the network namespace is added under + # /var/run/netns on the host, which needs to be propagated to the antrea-agent container. + mountPropagation: HostToContainer + - name: xtables-lock + mountPath: /run/xtables.lock + - name: antrea-ovs + image: "antrea/antrea-ubuntu:v1.7.1" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["start_ovs"] + args: + - "--log_file_max_size=100" + - "--log_file_max_num=4" + securityContext: + # capabilities required by OVS daemons + capabilities: + add: + - SYS_NICE + - NET_ADMIN + - SYS_ADMIN + - IPC_LOCK + livenessProbe: + exec: + # docker CRI doesn't honor timeoutSeconds, add "timeout" to the command as a workaround. + # https://github.com/kubernetes/kubernetes/issues/51901 + command: + - /bin/sh + - -c + - timeout 10 container_liveness_probe ovs + initialDelaySeconds: 5 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: host-var-run-antrea + mountPath: /var/run/openvswitch + subPath: openvswitch + - name: host-var-log-antrea + mountPath: /var/log/openvswitch + subPath: openvswitch + volumes: + - name: antrea-config + configMap: + name: antrea-config + - name: antrea-agent-tweaker-config + configMap: + name: antrea-agent-tweaker + - name: host-cni-conf + hostPath: + path: /etc/cni/net.d + - name: host-cni-bin + hostPath: + path: /opt/cni/bin + - name: host-proc + hostPath: + path: /proc + - name: host-var-run-netns + hostPath: + path: /var/run/netns + - name: host-var-run-antrea + hostPath: + path: /var/run/antrea + # we use subPath to create run subdirectories for different component (e.g. 
OVS) and + # subPath requires the base volume to exist + type: DirectoryOrCreate + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + # we use subPath to create logging subdirectories for different component (e.g. OVS) + type: DirectoryOrCreate + - name: host-lib-modules + hostPath: + path: /lib/modules + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate +--- +# Source: antrea/templates/controller/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea + component: antrea-controller +spec: + strategy: + # Ensure the existing Pod is stopped before the new one is created. + type: Recreate + selector: + matchLabels: + app: antrea + component: antrea-controller + replicas: 1 + template: + metadata: + annotations: + # Automatically restart Pod if the ConfigMap changes + # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments + checksum/config: ea61360cc22dff22cc94fba060568c110d5bac03638203b7f0ec04282129d6e5 + labels: + app: antrea + component: antrea-controller + spec: + nodeSelector: + kubernetes.io/os: linux + hostNetwork: true + priorityClassName: system-cluster-critical + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + serviceAccountName: antrea-controller + containers: + - name: antrea-controller + image: "antrea/antrea-ubuntu:v1.7.1" + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 200m + command: ["antrea-controller"] + # Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work). 
+ args: + - "--config=/etc/antrea/antrea-controller.conf" + - "--logtostderr=false" + - "--log_dir=/var/log/antrea" + - "--alsologtostderr" + - "--log_file_max_size=100" + - "--log_file_max_num=4" + env: + # Provide pod and node information for clusterinformation CRD. + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Provide ServiceAccount name for validation webhook. + - name: SERVICEACCOUNT_NAME + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ANTREA_CONFIG_MAP_NAME + value: antrea-config + ports: + - containerPort: 10349 + name: api + protocol: TCP + readinessProbe: + httpGet: + host: localhost + path: /readyz + port: api + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + livenessProbe: + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 5 + volumeMounts: + - name: antrea-config + mountPath: /etc/antrea/antrea-controller.conf + subPath: antrea-controller.conf + readOnly: true + - name: antrea-controller-tls + mountPath: /var/run/antrea/antrea-controller-tls + - name: host-var-log-antrea + mountPath: /var/log/antrea + volumes: + - name: antrea-config + configMap: + name: antrea-config + # Make it optional as we only read it when selfSignedCert=false. 
+ - name: antrea-controller-tls + secret: + secretName: "antrea-controller-tls" + defaultMode: 0400 + optional: true + - name: host-var-log-antrea + hostPath: + path: /var/log/antrea + type: DirectoryOrCreate +--- +# Source: antrea/templates/controller/apiservices.yaml +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1beta2.controlplane.antrea.io + labels: + app: antrea +spec: + group: controlplane.antrea.io + groupPriorityMinimum: 100 + version: v1beta2 + versionPriority: 100 + service: + name: antrea + namespace: kube-system +--- +# Source: antrea/templates/controller/apiservices.yaml +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1beta1.system.antrea.io + labels: + app: antrea +spec: + group: system.antrea.io + groupPriorityMinimum: 100 + version: v1beta1 + versionPriority: 100 + service: + name: antrea + namespace: kube-system +--- +# Source: antrea/templates/controller/apiservices.yaml +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.stats.antrea.io + labels: + app: antrea +spec: + group: stats.antrea.io + groupPriorityMinimum: 100 + version: v1alpha1 + versionPriority: 100 + service: + name: antrea + namespace: kube-system +--- +# Source: antrea/templates/webhooks/mutating/crdmutator.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: "crdmutator.antrea.io" + labels: + app: antrea +webhooks: + - name: "acnpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/acnp" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpmutator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/mutate/anp" + rules: + - operations: 
["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 +--- +# Source: antrea/templates/webhooks/validating/crdvalidator.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: "crdvalidator.antrea.io" + labels: + app: antrea +webhooks: + - name: "tiervalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/tier" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["tiers"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "acnpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/acnp" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["clusternetworkpolicies"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "anpvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/anp" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha1"] + resources: ["networkpolicies"] + scope: "Namespaced" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "clustergroupvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/clustergroup" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha3", "v1alpha2"] + resources: ["clustergroups"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - 
name: "externalippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/externalippool" + rules: + - operations: ["UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["externalippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "egressvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/egress" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["egresses"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 + - name: "ippoolvalidator.antrea.io" + clientConfig: + service: + name: "antrea" + namespace: kube-system + path: "/validate/ippool" + rules: + - operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["crd.antrea.io"] + apiVersions: ["v1alpha2"] + resources: ["ippools"] + scope: "Cluster" + admissionReviewVersions: ["v1", "v1beta1"] + sideEffects: None + timeoutSeconds: 5 diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/upstream/bootstrap-config.yaml b/addons/packages/antrea/1.7.1-p1/bundle/config/upstream/bootstrap-config.yaml new file mode 100644 index 00000000000..c4ed9bddcc5 --- /dev/null +++ b/addons/packages/antrea/1.7.1-p1/bundle/config/upstream/bootstrap-config.yaml 
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vmware-system-antrea
+ labels:
+ app: antrea-interworking
+ openshift.io/run-level: '0'
+---
+# NOTE: In production the bootstrap config and secret should be filled by admin
+# manually or external automation mechanism.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: bootstrap-config
+ namespace: vmware-system-antrea
+data:
+ bootstrap.conf: |
+ # bootstrapFrom can be "Inline" and "SupervisorCluster"
+ # If "SupervisorCluster" is set, bootstrapSupervisorResourceName must be set, and clusterName, NSXManagers, vpcPath,
+ # ProxyEndpoints will be filled automatically by register job.
+ bootstrapFrom: "Inline"
+ # bootstrapSupervisorResourceName is required if bootstrapFrom is "SupervisorCluster"
+ # bootstrapSupervisorResourceName: dummyClusterName
+
+ # Fill in the cluster name. It should be unique among the clusters managed by the NSX-T.
+ clusterName: dummyClusterName
+ # Fill in the NSX manager IPs. If there is only one IP, the value should be like [dummyNSXIP1]
+ NSXManagers: [dummyNSXIP1, dummyNSXIP2, dummyNSXIP3]
+ # vhcPath is deprecated by vpcPath
+ # vhcPath: ""
+ # vpcPath is optional. It's for multi-tenancy isolation in NSX.
+ vpcPath: ""
+ # proxyEndpoints is optional. If proxyEndpoints.rest-api is set, NSXManagers will be ignored.
+ proxyEndpoints:
+ rest-api: []
+ nsx-rpc-fwd-proxy: []
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: nsx-cert
+ namespace: vmware-system-antrea
+type: kubernetes.io/tls
+data:
+ # One line base64 encoded data. Can be generated by command: cat tls.crt | base64 -w 0
+ tls.crt:
+ # One line base64 encoded data. Can be generated by command: cat tls.key | base64 -w 0
+ tls.key:
diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/upstream/interworking.yaml b/addons/packages/antrea/1.7.1-p1/bundle/config/upstream/interworking.yaml
new file mode 100644
index 00000000000..ce78cbedcc6
--- /dev/null
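Review bot: The `nsx-cert` Secret at the end of the hunk ships `tls.crt:` and `tls.key:` with no value, so applying the file as written creates a `kubernetes.io/tls` Secret whose two entries are empty; as far as I recall the API server only checks that both keys exist, so the mistake surfaces later when mp-adapter tries to load `NSXClientAuthCertFile`, not at apply time. The NOTE at the top of the file says an admin or automation fills these in, but nothing on the Secret itself says so. I would add above the two entries: `# Keep these empty in source control; the client key pair is injected out of band (see NOTE at top of file).` The same applies to the `dummyClusterName` and `dummyNSXIP*` values in `bootstrap.conf`, which the register job will consume as real settings if left unchanged.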
+++ b/addons/packages/antrea/1.7.1-p1/bundle/config/upstream/interworking.yaml 
@@ -0,0 +1,744 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea-interworking + name: antreaccpadapterinfos.clusterinformation.antrea-interworking.tanzu.vmware.com +spec: + group: clusterinformation.antrea-interworking.tanzu.vmware.com + names: + kind: AntreaCCPAdapterInfo + plural: antreaccpadapterinfos + shortNames: + - ccpainfo + singular: antreaccpadapterinfo + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea-interworking + name: antreampadapterinfos.clusterinformation.antrea-interworking.tanzu.vmware.com +spec: + group: clusterinformation.antrea-interworking.tanzu.vmware.com + names: + kind: AntreaMPAdapterInfo + plural: antreampadapterinfos + shortNames: + - mpainfo + singular: antreampadapterinfo + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- +apiVersion: v1 +kind: Namespace +metadata: + name: vmware-system-antrea + labels: + app: antrea-interworking + openshift.io/run-level: '0' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-id + namespace: vmware-system-antrea +# NOTE: Register job will generate the ConfigMap data like below: +# data: +# cluster-id.conf: +# clusterID: A-UUID-String +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: antrea-interworking + name: antrea-interworking-config + namespace: vmware-system-antrea +data: + mp-adapter.conf: | + NSXRemoteAuth: false + NSXClientAuthCertFile: /etc/antrea/nsx-cert/tls.crt + NSXClientAuthKeyFile: /etc/antrea/nsx-cert/tls.key + NSXCAFile: "" + NSXInsecure: true + NSXClientTimeout: 120 + InventoryBatchSize: 50 + InventoryBatchPeriod: 5 + NSXRPCConnType: tnproxy + 
EnableDebugServer: false + APIServerPort: 16664 + DebugServerPort: 16666 + NSXRPCDebug: false + #in second + ConditionTimeout: 150 + #clusterType: kubernetes + ccp-adapter.conf: | + EnableDebugServer: false + APIServerPort: 16665 + DebugServerPort: 16667 + NSXRPCDebug: false + # Time to wait for realization + RealizeTimeoutSeconds: 60 + # An interval for regularly report latest realization error in background + RealizeErrorSyncIntervalSeconds: 600 + ReconcilerWorkerCount: 8 + # Average QPS = ReconcilerWorkerCount * ReconcilerQPS + ReconcilerQPS: 5.0 + # Peak QPS = ReconcilerWorkerCount * ReconcilerBurst + ReconcilerBurst: 10 + # 24 Hours + ReconcilerResyncSeconds: 86400 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea-interworking + name: register + namespace: vmware-system-antrea +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: antrea-interworking + name: register + namespace: vmware-system-antrea +rules: + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get + - list + - create + - update + - patch + - delete + - apiGroups: + - "apps" + resources: + - deployments + verbs: + - get + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: antrea-interworking + name: register + namespace: vmware-system-antrea +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: register +subjects: + - kind: ServiceAccount + name: register +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: antrea-interworking + name: vmware-system-antrea-register + namespace: default +rules: + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: antrea-interworking + name: vmware-system-antrea-register + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 
vmware-system-antrea-register +subjects: + - kind: ServiceAccount + name: register + namespace: vmware-system-antrea +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: antrea-interworking + name: interworking + namespace: vmware-system-antrea +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea-interworking + name: antrea-interworking +rules: + - apiGroups: + - "" + resources: + - nodes + - namespaces + - pods + - services + - endpoints + - configmaps + verbs: + - get + - watch + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' + - apiGroups: + - "" + resources: + - pods + verbs: + - patch + - apiGroups: + - clusterinformation.antrea-interworking.tanzu.vmware.com + resources: + - antreaccpadapterinfos + - antreampadapterinfos + verbs: + - get + - watch + - list + - create + - update + - patch + - delete + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + - bootstrap-config + resources: + - configmaps + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - crd.antrea.io + resources: + - antreaagentinfos + - antreacontrollerinfos + - egresses + - ippools + verbs: + - get + - watch + - list + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + - ingresses + verbs: + - get + - watch + - list + - apiGroups: + - crd.antrea.io + resources: + - traceflows + - traceflows/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete + - apiGroups: + - crd.antrea.io + resources: + - clusternetworkpolicies + - networkpolicies + - tiers + - clustergroups + verbs: + - get + - watch + - list + - create + - update + - patch + - delete + - apiGroups: + - controlplane.antrea.tanzu.vmware.com + - controlplane.antrea.io + resources: + - clustergroupmembers + - groupassociations + verbs: + - get + - list + - apiGroups: + - crd.antrea.tanzu.vmware.com + resources: + - tierentitlementbindings + 
- tierentitlements + - nsxregistrations + verbs: + - get + - watch + - list + - create + - update + - patch + - delete + - apiGroups: + - stats.antrea.io + resources: + - antreaclusternetworkpolicystats + verbs: + - get + - list + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - get + - watch + - list + - apiGroups: + - config.openshift.io + resources: + - networks + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea-interworking + name: antrea-interworking +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-interworking +subjects: + - kind: ServiceAccount + name: interworking + namespace: vmware-system-antrea +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: antrea-interworking + name: antrea-interworking-supportbundle +rules: + - apiGroups: + - "" + resources: + - pods + - pods/log + - nodes + - configmaps + verbs: + - get + - list + - apiGroups: + - "apps" + resources: + - deployments + - replicasets + - daemonsets + verbs: + - list + - apiGroups: + - system.antrea.io + resources: + - supportbundles + verbs: + - get + - create + - apiGroups: + - system.antrea.io + resources: + - controllerinfos + - supportbundles/download + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: antrea-interworking + name: antrea-interworking-supportbundle +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-interworking-supportbundle +subjects: + - kind: ServiceAccount + name: interworking + namespace: vmware-system-antrea +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: register + labels: + app: antrea-interworking + component: register + namespace: vmware-system-antrea +spec: + ttlSecondsAfterFinished: 600 + template: + spec: + containers: + - name: register + image: 
antrea-interworking/interworking-photon:0.7.1 + imagePullPolicy: IfNotPresent + command: [ "/usr/local/bin/cluster-registry" ] + args: + - register + - --logtostderr=false + - --log_dir=/var/log/interworking + - --alsologtostderr + - --log_file_max_size=5 + - --log_file_max_num=4 + volumeMounts: + - mountPath: /etc/antrea + name: projected-configs + readOnly: true + - mountPath: /var/log/interworking + name: host-var-log-interworking + restartPolicy: OnFailure + serviceAccountName: register + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + nodeSelector: + kubernetes.io/os: linux + volumes: + - name: host-var-log-interworking + hostPath: + path: /var/log/interworking + type: DirectoryOrCreate + - name: projected-configs + projected: + sources: + - configMap: + name: bootstrap-config + items: + - key: bootstrap.conf + path: bootstrap.conf + - configMap: + name: cluster-id + items: + - key: cluster-id.conf + path: cluster-id.conf + optional: true + - secret: + name: nsx-cert + items: + - key: tls.crt + path: nsx-cert/tls.crt + - key: tls.key + path: nsx-cert/tls.key + optional: true + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + backoffLimit: 3 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: antrea-interworking + component: interworking + name: interworking + namespace: vmware-system-antrea +spec: + replicas: 1 + selector: + matchLabels: + app: antrea-interworking + component: interworking + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + template: + metadata: + labels: + app: antrea-interworking + component: interworking + spec: + containers: + - name: election-runner + command: + - /usr/local/bin/election-runner + args: + - --id=$(POD_NAME) + - --namespace=vmware-system-antrea + - --ttl=60s + - --logtostderr=false + - --log_dir=/var/log/interworking/election-runner + - 
--alsologtostderr + - --log_file_max_size=5 + - --log_file_max_num=2 + - --v=4 + image: antrea-interworking/interworking-photon:0.7.1 + imagePullPolicy: IfNotPresent + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + volumeMounts: + - mountPath: /var/run/antrea-interworking + name: host-var-run-antrea-interworking + - mountPath: /var/log/interworking + name: host-var-log-interworking + - name: mp-adapter + command: + - /usr/local/bin/election-watcher + args: + - --cmd=mp-adapter + - --args=--bootstrap-config,/etc/antrea/bootstrap.conf,--config,/etc/antrea/mp-adapter.conf,--cluster-id-config,/etc/antrea/cluster-id.conf,--logtostderr=false,--log_dir=/var/log/interworking/mp-adapter,--alsologtostderr,--log_file_max_size=25,--log_file_max_num=4,--v=4 + - --logtostderr=false + - --log_dir=/var/log/interworking/mp-adapter + - --alsologtostderr + - --log_file_max_size=5 + - --log_file_max_num=2 + - --v=4 + image: antrea-interworking/interworking-photon:0.7.1 + imagePullPolicy: IfNotPresent + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: mp-adapter + livenessProbe: + httpGet: + host: localhost + path: /livez + port: api + scheme: HTTPS + initialDelaySeconds: 90 + timeoutSeconds: 15 + periodSeconds: 60 + failureThreshold: 3 + ports: + - name: api + containerPort: 16664 + protocol: TCP + volumeMounts: + - mountPath: /etc/antrea + name: projected-configs + readOnly: true + - mountPath: /var/run/vmware + name: var-run-vmware + readOnly: true + - mountPath: /var/run/antrea-interworking + name: host-var-run-antrea-interworking + - mountPath: /var/log/interworking + name: host-var-log-interworking + - mountPath: /etc/vmware/nsx + name: etc-vmware-nsx + resources: + limits: + memory: "4096Mi" + requests: + memory: "256Mi" + - name: tn-proxy + command: + - 
/usr/local/bin/election-watcher + args: + - --cmd=tn-proxy-init.sh + - --logtostderr=false + - --log_dir=/var/log/interworking/tn-proxy + - --alsologtostderr + - --log_file_max_size=25 + - --log_file_max_num=4 + - --logChild=true + image: antrea-interworking/interworking-photon:0.7.1 + imagePullPolicy: IfNotPresent + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: CONTAINER_NAME + value: tn-proxy + volumeMounts: + - mountPath: /var/run/vmware + name: var-run-vmware + - mountPath: /etc/vmware/nsx + name: etc-vmware-nsx + - mountPath: /var/run/antrea-interworking + name: host-var-run-antrea-interworking + - mountPath: /etc/antrea + name: projected-configs + readOnly: true + - mountPath: /var/log/interworking + name: host-var-log-interworking + - name: ccp-adapter + command: + - /usr/local/bin/election-watcher + args: + - --cmd=ccp-adapter + - --args=--config,/etc/antrea/ccp-adapter.conf,--cluster-id-config,/etc/antrea/cluster-id.conf,--logtostderr=false,--log_dir=/var/log/interworking/ccp-adapter,--alsologtostderr,--log_file_max_size=25,--log_file_max_num=4,--v=4 + - --logtostderr=false + - --log_dir=/var/log/interworking/ccp-adapter + - --alsologtostderr + - --log_file_max_size=5 + - --log_file_max_num=2 + - --v=4 + image: antrea-interworking/interworking-photon:0.7.1 + imagePullPolicy: IfNotPresent + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: CONTAINER_NAME + value: ccp-adapter + volumeMounts: + - mountPath: /var/run/vmware + name: var-run-vmware + - mountPath: /var/lib/vmware + name: var-lib-vmware + - mountPath: /var/run/antrea-interworking + name: host-var-run-antrea-interworking + - mountPath: /etc/antrea + name: projected-configs + readOnly: true + - mountPath: /var/log/interworking + name: host-var-log-interworking + resources: + limits: + memory: "4096Mi" + requests: + memory: "256Mi" + livenessProbe: + httpGet: + host: localhost + path: /livez 
+ port: api + scheme: HTTPS + timeoutSeconds: 15 + periodSeconds: 60 + failureThreshold: 3 + ports: + - name: api + containerPort: 16665 + protocol: TCP + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + serviceAccountName: interworking + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + volumes: + - hostPath: + path: /var/run/antrea-interworking + type: DirectoryOrCreate + name: host-var-run-antrea-interworking + - hostPath: + path: /var/log/interworking + type: DirectoryOrCreate + name: host-var-log-interworking + - name: projected-configs + projected: + sources: + - configMap: + name: antrea-interworking-config + items: + - key: mp-adapter.conf + path: mp-adapter.conf + - key: ccp-adapter.conf + path: ccp-adapter.conf + - configMap: + name: bootstrap-config + items: + - key: bootstrap.conf + path: bootstrap.conf + - configMap: + name: cluster-id + items: + - key: cluster-id.conf + path: cluster-id.conf + optional: true + - secret: + name: nsx-cert + items: + - key: tls.crt + path: nsx-cert/tls.crt + - key: tls.key + path: nsx-cert/tls.key + - name: etc-vmware-nsx + emptyDir: { } + - name: var-run-vmware + emptyDir: { } + - name: var-lib-vmware + emptyDir: { } diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/values.star b/addons/packages/antrea/1.7.1-p1/bundle/config/values.star new file mode 100644 index 00000000000..6646f4a7631 --- /dev/null +++ b/addons/packages/antrea/1.7.1-p1/bundle/config/values.star @@ -0,0 +1,12 @@ +load("@ytt:data", "data") +load("@ytt:assert", "assert") + +def validate_antrea(): + data.values.infraProvider or assert.fail("Infrastructure provider should be provided") +end + +# export data.values +values = data.values + +# validate antrea configuration +validate_antrea() 
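Review bot: `NSXInsecure: true` together with `NSXCAFile: ""` in the `antrea-interworking-config` ConfigMap near the top of the hunk turns off server-certificate verification for mp-adapter's connection to the NSX managers, while the client still authenticates itself with the key pair from `nsx-cert`; that leaves the NSX channel open to impersonation of the manager. Neither setting is surfaced in the package's `values.yaml` defaults (the `mp_adapter_conf` block in the later hunk has no `NSXInsecure`/`NSXCAFile` keys), so a consumer cannot turn verification on without editing this upstream file. I would default to `NSXInsecure: false` and project the NSX CA bundle through the existing `projected-configs` volume so `NSXCAFile` can point at it, or at minimum add above the setting: `# NSXInsecure disables TLS verification of the NSX manager certificate; set to false and provide NSXCAFile in production.` Separately, the `antrea-interworking` ClusterRole grants `'*'` on `coordination.k8s.io/leases` cluster-wide, yet the election-runner is started with `--namespace=vmware-system-antrea`, so a namespaced Role limited to get/create/update on leases appears sufficient; the Deployment's `nsx-cert` projection also lacks the `optional: true` the register Job's has, which looks inconsistent.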
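Review bot: `validate_antrea` only checks that `infraProvider` is non-empty, yet the package schema in `package.yaml` documents it as one of aws, azure, vsphere or docker, so a value such as `vSphere` passes validation and only fails later as a mis-rendered template. I would tighten the check to `data.values.infraProvider in ["aws", "azure", "vsphere", "docker"] or assert.fail("infraProvider must be one of: aws, azure, vsphere, docker")`. A one-line comment above the function would also help, e.g. `# validate_antrea aborts the ytt render when a required value is missing or out of range.`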
diff --git a/addons/packages/antrea/1.7.1-p1/bundle/config/values.yaml b/addons/packages/antrea/1.7.1-p1/bundle/config/values.yaml new file mode 100644 index 00000000000..039f84e53f0 --- /dev/null +++ b/addons/packages/antrea/1.7.1-p1/bundle/config/values.yaml 
@@ -0,0 +1,110 @@ +#@data/values +#@overlay/match-child-defaults missing_ok=True + +--- +infraProvider: vsphere +nodeSelector: null +deployment: + updateStrategy: null + rollingUpdate: + maxUnavailable: null + maxSurge: null +daemonset: + updateStrategy: null + +antrea: + config: + egress: + exceptCIDRs: [ ] + nodePortLocal: + enabled: true + portRange: 61000-62000 + antreaProxy: + proxyAll: false + nodePortAddresses: [ ] + skipServices: [ ] + proxyLoadBalancerIPs: false + flowExporter: + collectorAddress: "flow-aggregator.flow-aggregator.svc:4739:tls" + pollInterval: "5s" + activeFlowTimeout: "30s" + idleFlowTimeout: "15s" + kubeAPIServerOverride: null + transportInterface: null + transportInterfaceCIDRs: [ ] + tunnelType: geneve + trafficEncryptionMode: none + wireGuard: + port: 51820 + serviceCIDR: 10.96.0.0/12 + serviceCIDRv6: null + enableUsageReporting: false + trafficEncapMode: encap + noSNAT: false + disableUdpTunnelOffload: false + #! Setting defaultMTU to null since antrea-agent will discover the MTU of the Node's primary interface and + #! also adjust MTU to accommodate for tunnel encapsulation overhead. 
+ defaultMTU: null + tlsCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384 + enableBridgingMode: false + disableTXChecksumOffload: false + dnsServerOverride: null + multicastInterfaces: [ ] + multicast: + igmpQueryInterval: "125s" + multicluster: + enable: false + namespace: null + featureGates: + AntreaProxy: true + EndpointSlice: false + AntreaTraceflow: true + NodePortLocal: true + AntreaPolicy: true + FlowExporter: false + NetworkPolicyStats: false + Egress: true + AntreaIPAM: false + ServiceExternalIP: false + Multicast: false + Multicluster: false + SecondaryNetwork: false + TrafficControl: false + +antrea_nsx: + enable: false + +antrea_interworking: + config: + nsxCert: ZHVtbXlBZG1pbg== + nsxKey: ZHVtbXlQYXNzd29yZA== + nsxUser: ZHVtbXlBZG1pbg== + nsxPassword: ZHVtbXlQYXNzd29yZA== + clusterName: dummyClusterName + NSXManagers: [] + vpcPath: "" + mp_adapter_conf: + NSXClientTimeout: 120 + InventoryBatchSize: 50 + InventoryBatchPeriod: 5 + EnableDebugServer: false + APIServerPort: 16664 + DebugServerPort: 16666 + NSXRPCDebug: false + ConditionTimeout: 150 + ccp_adapter_conf: + EnableDebugServer: false + APIServerPort: 16665 + DebugServerPort: 16667 + NSXRPCDebug: false + #! Time to wait for realization + RealizeTimeoutSeconds: 60 + #! An interval for regularly report latest realization error in background + RealizeErrorSyncIntervalSeconds: 600 + ReconcilerWorkerCount: 8 + #! Average QPS = ReconcilerWorkerCount * ReconcilerQPS + ReconcilerQPS: 5.0 + #! Peak QPS = ReconcilerWorkerCount * ReconcilerBurst + ReconcilerBurst: 10 + #! 24 Hours + ReconcilerResyncSeconds: 86400 diff --git a/addons/packages/antrea/1.7.1-p1/bundle/vendir.lock.yml b/addons/packages/antrea/1.7.1-p1/bundle/vendir.lock.yml new file mode 100644 index 00000000000..a3ef7e2ad2f --- /dev/null 
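Review bot: The default `tlsCipherSuites` in `antrea.config` ends with `TLS_RSA_WITH_AES_256_GCM_SHA384`, a static-RSA key-exchange suite without forward secrecy, while the four ECDHE suites before it already cover both RSA and ECDSA certificates; unless a known client requires it, I would drop it: `tlsCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`. The `antrea_interworking.config.nsxCert`/`nsxKey`/`nsxUser`/`nsxPassword` defaults are base64 of placeholder strings (`dummyAdmin`/`dummyPassword`), which is fine as a shape hint but deserves a `#! placeholder values; must be overridden before the package is deployed` comment, since a render with defaults otherwise ships them as if real. Note too that `nodePortLocal.enabled` defaults to `true` and `portRange` to `61000-62000` here, while the schema in `package.yaml` gives `false` and `""`; one of the two sides should change so the documented defaults match the rendered ones.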
+++ b/addons/packages/antrea/1.7.1-p1/bundle/vendir.lock.yml
@@ -0,0 +1,7 @@
+apiVersion: vendir.k14s.io/v1alpha1
+directories:
+- contents:
+ - manual: {}
+ path: antrea.yaml
+ path: config/upstream
+kind: LockConfig
diff --git a/addons/packages/antrea/1.7.1-p1/bundle/vendir.yml b/addons/packages/antrea/1.7.1-p1/bundle/vendir.yml
new file mode 100644
index 00000000000..e2a2d842e4b
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/bundle/vendir.yml
@@ -0,0 +1,12 @@
+apiVersion: vendir.k14s.io/v1alpha1
+kind: Config
+minimumRequiredVersion: 0.12.0
+directories:
+ - path: config/upstream
+ contents:
+ - path: antrea.yaml
+ manual: {}
+ - path: interworking.yaml
+ manual: {}
+ - path: bootstrap.yaml
+ manual: {}
diff --git a/addons/packages/antrea/1.7.1-p1/package.yaml b/addons/packages/antrea/1.7.1-p1/package.yaml
new file mode 100644
index 00000000000..c05fab89e01
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/package.yaml
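Review bot: `vendir.yml` lists a `bootstrap.yaml` entry under `config/upstream`, but the file this change actually adds there is `bootstrap-config.yaml`, and the `vendir.lock.yml` in the preceding hunk records only `antrea.yaml`, not `interworking.yaml` or the bootstrap file. With `manual: {}` sources vendir fetches nothing, so this may only show up as a stale lock or a failing `vendir sync` later, but the three files should agree. I would change the entry to `- path: bootstrap-config.yaml` and regenerate the lock so it enumerates all three contents.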
@@ -0,0 +1,479 @@ +apiVersion: data.packaging.carvel.dev/v1alpha1 +kind: Package +metadata: + name: antrea.tanzu.vmware.com.1.7.1+tkg.2-zshippable + namespace: vmware-system-tkg +spec: + refName: antrea.tanzu.vmware.com + version: 1.7.1+tkg.2-zshippable + releaseNotes: antrea 1.7.1 https://github.com/antrea-io/antrea/releases/tag/v1.7.1 + licenses: + - Apache 2.0 + template: + spec: + syncPeriod: 5m + fetch: + - imgpkgBundle: + image: nsx-ujo-docker-local.artifactory.eng.vmware.com/antrea/antrea-tkg:v3.7.1 + template: + - ytt: + paths: + - config/ + - kbld: + paths: + - '-' + - .imgpkg/images.yml + deploy: + - kapp: + rawOptions: + - --wait-timeout=300s + valuesSchema: + openAPIv3: + type: object + additionalProperties: false + description: OpenAPIv3 Schema for antrea + properties: + infraProvider: + type: string + description: The cloud provider in use. One of the following options => aws, azure, vsphere, docker + default: vsphere + nodeSelector: + nullable: true + description: NodeSelector configuration applied to all the deployments + default: null + deployment: + type: object + additionalProperties: false + properties: + updateStrategy: + type: string + nullable: true + description: Update strategy of deployments + default: null + rollingUpdate: + type: object + additionalProperties: false + properties: + maxUnavailable: + type: integer + nullable: true + description: The maxUnavailable of rollingUpdate. Applied only if RollingUpdate is used as updateStrategy + default: null + maxSurge: + type: integer + nullable: true + description: The maxSurge of rollingUpdate. 
Applied only if RollingUpdate is used as updateStrategy + default: null + daemonset: + type: object + additionalProperties: false + properties: + updateStrategy: + type: string + nullable: true + description: Update strategy of daemonsets + default: null + antrea: + type: object + additionalProperties: false + properties: + config: + type: object + additionalProperties: false + description: Configuration for antrea + properties: + egress: + type: object + additionalProperties: false + description: Control SNAT IPs of Pod egress traffic. + properties: + exceptCIDRs: + type: array + description: The CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + items: + type: string + default: "" + default: [] + nodePortLocal: + type: object + additionalProperties: false + properties: + enabled: + type: boolean + description: Enable NodePortLocal feature. + default: false + portRange: + type: string + description: Provide the port range used by NodePortLocal. + default: "" + antreaProxy: + type: object + additionalProperties: false + description: AntreaProxy related configuration options. + properties: + proxyAll: + type: boolean + description: ProxyAll tells antrea-agent to proxy all Service traffic. + default: false + nodePortAddresses: + type: array + description: Specifies the host IPv4/IPv6 addresses for NodePort. + items: + type: string + default: "" + default: [] + skipServices: + type: array + description: List of Services which should be ignored by AntreaProxy. + items: + type: string + default: "" + default: [] + proxyLoadBalancerIPs: + type: boolean + description: Load-balance traffic destined to the External IPs of LoadBalancer services. + default: false + flowExporter: + type: object + additionalProperties: false + description: FlowExporter related configuration options. + properties: + collectorAddress: + type: string + description: Provide the IPFIX collector address as a string. 
+ default: "" + pollInterval: + type: string + description: Provide flow poll interval as a duration string. + default: "" + activeFlowTimeout: + type: string + description: Provide the active flow export timeout. + default: "" + idleFlowTimeout: + type: string + description: Provide the idle flow export timeout. + default: "" + kubeAPIServerOverride: + type: string + nullable: true + description: Provide the address of Kubernetes apiserver. + default: null + transportInterface: + type: string + nullable: true + description: The name of the interface on Node which is used for tunneling or routing the traffic. + default: null + transportInterfaceCIDRs: + type: array + description: The network CIDRs of the interface on Node which is used for tunneling or routing the traffic. + items: + type: string + default: "" + default: [] + tunnelType: + type: string + description: Tunnel protocols used for encapsulating traffic across Nodes. One of the following options => geneve, vxlan, gre, stt + default: none + trafficEncryptionMode: + type: string + description: Determines how tunnel traffic is encrypted. One of the following options => none, ipsec, wireGuard + default: none + wireGuard: + type: object + additionalProperties: false + description: WireGuard related configurations. + properties: + port: + type: integer + description: The port for WireGuard to receive traffic. + default: 51820 + enableUsageReporting: + type: boolean + description: Enable usage reporting (telemetry) to VMware. + default: false + serviceCIDR: + type: string + nullable: true + description: ClusterIP CIDR range for IPv4 Services + default: null + serviceCIDRv6: + type: string + nullable: true + description: ClusterIP CIDR range for IPv6 Services + default: null + trafficEncapMode: + type: string + description: The traffic encapsulation mode. 
One of the following options => encap, noEncap, hybrid, networkPolicyOnly + default: encap + noSNAT: + type: boolean + description: Flag to enable/disable SNAT for the egress traffic from a Pod to the external network + default: false + disableUdpTunnelOffload: + type: boolean + description: Disable UDP tunnel offload feature on default NIC + default: false + defaultMTU: + type: string + nullable: true + description: Default MTU to use for the host gateway interface and the network interface of each Pod + default: null + tlsCipherSuites: + type: string + description: List of allowed cipher suites. If omitted, the default Go Cipher Suites will be used + default: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384 + enableBridgingMode: + type: boolean + description: Enable bridging mode of Pod network on Nodes. + default: false + disableTXChecksumOffload: + type: boolean + description: Disable TX checksum offloading for container network interfaces + default: false + dnsServerOverride: + type: string + nullable: true + description: Provide the address of DNS server, to override the kube-dns service + default: null + multicastInterfaces: + type: array + description: The names of the interfaces on Nodes that are used to forward multicast traffic. + items: + type: string + default: "" + default: [] + multicast: + type: object + additionalProperties: false + description: Multicast related configuration options + properties: + igmpQueryInterval: + type: string + description: The interval at which the antrea-agent sends IGMP queries to Pods. + default: 125s + multicluster: + type: object + additionalProperties: false + description: Multicluster related configurations + properties: + enable: + type: boolean + description: Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. 
+ default: false + namespace: + type: string + nullable: true + description: The Namespace where Antrea Multi-cluster Controller is running.Default is antrea-agent's Namespace + default: null + featureGates: + type: object + additionalProperties: false + description: FeatureGates is a map of feature names to flags that enable or disable experimental features + properties: + AntreaProxy: + type: boolean + description: Flag to enable/disable antrea proxy + default: true + EndpointSlice: + type: boolean + description: Flag to enable/disable EndpointSlice support in AntreaProxy. If AntreaProxy is not enabled, this flag will not take effect + default: false + AntreaTraceflow: + type: boolean + description: Flag to enable/disable antrea traceflow + default: true + NodePortLocal: + type: boolean + description: Flag to enable/disable NodePortLocal feature to make the pods reachable externally through NodePort + default: true + AntreaPolicy: + type: boolean + description: Flag to enable/disable antrea policy + default: true + FlowExporter: + type: boolean + description: Flag to enable/disable flow exporter + default: false + NetworkPolicyStats: + type: boolean + description: Flag to enable/disable network policy stats + default: false + Egress: + type: boolean + description: Flag to enable/disable SNAT IPs of Pod egress traffic + default: true + AntreaIPAM: + type: boolean + description: Flag to enable/disable flexible IPAM mode + default: false + ServiceExternalIP: + type: boolean + description: Flag to enable/disable managing external IPs for Load balancers services + default: false + Multicast: + type: boolean + description: Flag to enable/disable multicast traffic + default: false + Multicluster: + type: boolean + description: Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.This feature is supported only with encap mode. 
+ default: false + SecondaryNetwork: + type: boolean + description: Enable support for provisioning secondary network interfaces for Pods (using Pod annotations). + default: false + TrafficControl: + type: boolean + description: Enable mirroring or redirecting the traffic Pods send or receive. + default: false + antrea_nsx: + type: object + additionalProperties: false + properties: + enable: + type: boolean + default: false + antrea_interworking: + type: object + additionalProperties: false + properties: + config: + type: object + additionalProperties: false + description: Configuration for antrea-interworking + properties: + nsxUser: + type: string + description: echo -n 'dummyAdmin' | base64 + default: ZHVtbXlBZG1pbg== + nsxPassword: + type: string + description: ' echo -n ''dummyPassword'' | base64' + default: ZHVtbXlQYXNzd29yZA== + nsxCert: + type: string + description: base64 encoded data + default: ZHVtbXlBZG1pbg== + nsxKey: + type: string + description: base64 encoded data + default: ZHVtbXlQYXNzd29yZA== + clusterName: + type: string + description: ' ' + default: dummyClusterName + NSXManagers: + type: array + description: ' ' + items: + type: string + default: dummyNSXIP1 + default: [] + vpcPath: + type: string + description: ' ' + default: dummyVPCPath + mp_adapter_conf: + type: object + additionalProperties: false + description: ' ' + properties: + NSXClientTimeout: + type: integer + description: ' ' + default: 120 + InventoryBatchSize: + type: integer + description: ' ' + default: 50 + InventoryBatchPeriod: + type: integer + description: ' ' + default: 5 + EnableDebugServer: + type: boolean + description: ' ' + default: false + APIServerPort: + type: integer + description: ' ' + default: 16664 + DebugServerPort: + type: integer + description: ' ' + default: 16666 + NSXRPCDebug: + type: boolean + description: ' ' + default: false + ConditionTimeout: + type: integer + description: '#in second' + default: 150 + ccp_adapter_conf: + type: object + 
additionalProperties: false + description: ' ' + properties: + EnableDebugServer: + type: boolean + description: ' ' + default: false + APIServerPort: + type: integer + description: ' ' + default: 16665 + DebugServerPort: + type: integer + description: ' ' + default: 16667 + NSXRPCDebug: + type: boolean + description: ' ' + default: false + RealizeTimeoutSeconds: + type: integer + description: '# Time to wait for realization' + default: 60 + RealizeErrorSyncIntervalSeconds: + type: integer + description: '# An interval for regularly report latest realization error in background' + default: 600 + ReconcilerWorkerCount: + type: integer + description: ' ' + default: 8 + ReconcilerQPS: + type: number + format: float + description: '# Average QPS = ReconcilerWorkerCount * ReconcilerQPS' + default: 5 + ReconcilerBurst: + type: integer + description: '# Peak QPS = ReconcilerWorkerCount * ReconcilerBurst' + default: 10 + ReconcilerResyncSeconds: + type: integer + description: '# 24 Hours' + default: 86400 + image: + type: object + additionalProperties: false + properties: + repository: + type: string + description: The repository of antrea image + default: "" + path: + type: string + description: The path of image + default: "" + tag: + type: string + description: The image tag + default: "" + pullPolicy: + type: string + description: The pull policy of image + default: IfNotPresent diff --git a/addons/packages/antrea/1.7.1-p1/test/Makefile b/addons/packages/antrea/1.7.1-p1/test/Makefile new file mode 100644 index 00000000000..c8ee2e73791 --- /dev/null +++ b/addons/packages/antrea/1.7.1-p1/test/Makefile 
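Review bot: The `antrea_interworking.config` credential fields `nsxUser`, `nsxPassword`, `nsxCert` and `nsxKey` default to base64 placeholders (`dummyAdmin`/`dummyPassword`, with the cert and key defaults simply duplicating the user and password strings), so an install that sets `antrea_nsx.enable: true` without overriding them presumably renders those placeholders into the interworking configuration instead of failing at template time; declaring them `nullable: true` with `default: null` (as `kubeAPIServerOverride` already is) and having the overlay reject null when NSX is enabled would turn a missing secret into an error. The `tlsCipherSuites` default ends with `TLS_RSA_WITH_AES_256_GCM_SHA384`, a static-RSA key exchange with no forward secrecy that the four ECDHE suites already make unnecessary, and its description ("If omitted, the default Go Cipher Suites will be used") no longer describes a field that now carries a hard-coded default. `fetch.imgpkgBundle.image` pins the bundle by the mutable tag `v3.7.1` on an internal Artifactory host rather than by an `@sha256:` digest, so what this package version resolves to can change after release. The option-set fields (`infraProvider`, `tunnelType`, `trafficEncryptionMode`, `trafficEncapMode`) list their allowed values only in `description` and carry no `enum`, so a typo passes schema validation and is only caught, if at all, by the templates.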
@@ -0,0 +1,28 @@
+# Copyright 2022 VMware Tanzu Community Edition contributors. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+.DEFAULT_GOAL:=help
+
+help: ## Display this help message
+ # Inspired by Cluster-API Makefile
+ # Any target that has '## ' append to it will be included in the help message
+ @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[0-9A-Za-z_-]+:.*?##/ { printf " \033[36m%-45s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+lint: ## Run Go code linting
+ifeq ($(origin GOLANGCI_LINT),undefined)
+ @echo "Error! GOLANGCI_LINT env var not set"
+else
+ $(GOLANGCI_LINT) run -v --timeout=5m
+endif
+
+get-deps: ## Get all dependencies
+ go mod download
+
+test: ## Run unit testing suite
+ CGO_ENABLED=0 go run github.com/onsi/ginkgo/ginkgo -v .
+
+e2e-test: ## Run e2e testing suite
+ CGO_ENABLED=0 go run github.com/onsi/ginkgo/ginkgo -v e2e
+
+build: ## Build the executable
+ @echo "TODO: implement building"
diff --git a/addons/packages/antrea/1.7.1-p1/test/README.md b/addons/packages/antrea/1.7.1-p1/test/README.md
new file mode 100644
index 00000000000..ad5bf903107
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/test/README.md
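Review bot: The `lint` target's fallback branch only echoes `Error! GOLANGCI_LINT env var not set` and exits 0, so wherever the variable is unset the recipe prints an error yet succeeds, and a CI step calling `make lint` passes without any linting having run; replacing that line with `$(error GOLANGCI_LINT env var not set)` makes the failure hard. `build` has the same shape, printing `TODO: implement building` and returning success, which hides that nothing was built; `@echo "TODO: implement building"; exit 1` or dropping the target until it does something would be more honest. `test` and `e2e-test` invoke the runner through `go run github.com/onsi/ginkgo/ginkgo` with no `@version`, so the ginkgo version is presumably taken from the module's `go.mod`, which is not part of this diff.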
@@ -0,0 +1,32 @@ +# Antrea tests + +## Unit Tests + +The unit tests for Antrea test manifest generation of the package given some set +of data values. + +### Prerequisites + +To run the unit tests you need: + +* [ginkgo](https://onsi.github.io/ginkgo/) +* [ytt](https://carvel.dev/ytt/) + +### Run Tests + +To run the unit tests you can run from this directory: + +```bash +make test +``` + +## Development + +The tests have its own Go module. Most tooling for Golang projects (e.g gopls) +require you to be within the directory of the `go.mod` file. It is recommended +that you are in this subdirectory when you are working on this module. + +There is also a shared testing library for packages +[../../test/pkg](../../test/pkg), located outside of this module and it is +required by this module using a replace directive For Golang tooling to work in +this module you need to be in that subdirectory. diff --git a/addons/packages/antrea/1.7.1-p1/test/antrea_suite_test.go b/addons/packages/antrea/1.7.1-p1/test/antrea_suite_test.go new file mode 100644 index 00000000000..f16c52c37bb --- /dev/null +++ b/addons/packages/antrea/1.7.1-p1/test/antrea_suite_test.go 
@@ -0,0 +1,86 @@
+// Copyright 2022 VMware Tanzu Community Edition contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package antrea_test
+
+import (
+ "testing"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+type AntreaConfig struct {
+ InfraProvider string `yaml:"infraProvider"`
+ Antrea struct {
+ Config struct {
+ ServiceCIDR string `yaml:"serviceCIDR"`
+ ServiceCIDRv6 string `yaml:"serviceCIDRv6"`
+ TunnelType string `yaml:"tunnelType"`
+ TrafficEncryptionMode string `yaml:"trafficEncryptionMode"`
+ WireGuard struct {
+ Port int `yaml:"port,omitempty"`
+ } `yaml:"wireGuard"`
+ TrafficEncapMode string `yaml:"trafficEncapMode"`
+ NoSNAT bool `yaml:"noSNAT"`
+ DisableUDPTunnelOffload bool `yaml:"disableUdpTunnelOffload"`
+ DefaultMTU string `yaml:"defaultMTU"`
+ TLSCipherSuites string `yaml:"tlsCipherSuites"`
+ FeatureGates struct {
+ AntreaProxy bool `yaml:"AntreaProxy"`
+ EndpointSlice bool `yaml:"EndpointSlice"`
+ AntreaTraceflow bool `yaml:"AntreaTraceflow"`
+ NodePortLocal bool `yaml:"NodePortLocal"`
+ AntreaPolicy bool `yaml:"AntreaPolicy"`
+ FlowExporter bool `yaml:"FlowExporter"`
+ NetworkPolicyStats bool `yaml:"NetworkPolicyStats"`
+ Egress bool `yaml:"Egress"`
+ AntreaIPAM bool `yaml:"AntreaIPAM"`
+ ServiceExternalIP bool `yaml:"ServiceExternalIP"`
+ Multicast bool `yaml:"Multicast"`
+ Multicluster bool `yaml:"Multicluster"`
+ SecondaryNetwork bool `yaml:"SecondaryNetwork"`
+ TrafficControl bool `yaml:"TrafficControl"`
+ } `yaml:"featureGates"`
+ NodePortLocal struct {
+ Enabled bool `yaml:"enabled"`
+ PortRange string `yaml:"portRange"`
+ } `yaml:"nodePortLocal"`
+ FlowExporter struct {
+ CollectorAddress string `yaml:"collectorAddress"`
+ PollInterval string `yaml:"pollInterval"`
+ ActiveFlowTimeout string `yaml:"activeFlowTimeout"`
+ IdleFlowTimeout string `yaml:"idleFlowTimeout"`
+ } `yaml:"flowExporter"`
+ MultiCluster struct {
+ Enable bool `yaml:"enable"`
+ Namespace string `yaml:"namespace"`
+ } `yaml:"multicluster"`
+ Multicast struct {
+ IGMPQueryInterval string `yaml:"igmpQueryInterval"`
+ } `yaml:"multicast"`
+ KubeAPIServerOverride string `yaml:"kubeAPIServerOverride,omitempty"`
+ TransportInterface string `yaml:"transportInterface,omitempty"`
+ TransportInterfaceCIDRs []string `yaml:"transportInterfaceCIDRs,omitempty"`
+ MulticastInterfaces []string `yaml:"multicastInterfaces,omitempty"`
+ EnableUsageReporting bool `yaml:"enableUsageReporting"`
+ EnableBridgingMode bool `yaml:"enableBridgingMode"`
+ DisableTXChecksumOffload bool `yaml:"disableTXChecksumOffload"`
+ DNSServerOverride string `yaml:"dnsServerOverride"`
+ AntreaProxy struct {
+ ProxyAll bool `yaml:"proxyAll"`
+ NodePortAddresses []string `yaml:"nodePortAddresses"`
+ SkipServices []string `yaml:"skipServices"`
+ ProxyLoadBalancerIPS bool `yaml:"proxyLoadBalancerIPs"`
+ } `yaml:"antreaProxy"`
+ Egress struct {
+ ExceptCIDRs []string `yaml:"exceptCIDRs"`
+ } `yaml:"egress"`
+ } `yaml:"config"`
+ } `yaml:"antrea"`
+}
+
+func TestAntrea(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Antrea Addons Templates Suite")
+}
diff --git a/addons/packages/antrea/1.7.1-p1/test/antrea_test.go b/addons/packages/antrea/1.7.1-p1/test/antrea_test.go
new file mode 100644
index 00000000000..46120ef7d32
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/test/antrea_test.go
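Review bot: The string fields whose package defaults are `null` (`DefaultMTU`, `DNSServerOverride` and `MultiCluster.Namespace` are visibly `null` in the values file, and the schema declares `ServiceCIDRv6` nullable with `default: null`) carry plain `yaml:"..."` tags with no `omitempty`, so when `marshalAntreaConfig` in antrea_test.go unmarshals the defaults and marshals them back, each `null` is re-emitted as `""`; every spec built through that helper therefore exercises the overlay with empty strings where a real install would pass nulls, and whether the ytt templates treat the two alike cannot be seen from here. Tagging them like the neighbouring `KubeAPIServerOverride`/`TransportInterface` fields, e.g. `DefaultMTU string \`yaml:"defaultMTU,omitempty"\``, keeps the round-trip faithful (a `*string` would be needed only if a test ever has to assert an explicit empty value). The struct also has no `antrea_nsx` or `antrea_interworking` members, so the NSX credential and adapter settings in the schema can only be exercised with hand-written values, which none of the visible specs do.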
@@ -0,0 +1,550 @@ +// Copyright 2022 VMware Tanzu Community Edition contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package antrea_test + +import ( + "fmt" + "os" + "path/filepath" + "strings" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" + goyaml "gopkg.in/yaml.v3" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + "sigs.k8s.io/yaml" + + "github.com/vmware-tanzu/community-edition/addons/packages/test/pkg/repo" + "github.com/vmware-tanzu/community-edition/addons/packages/test/pkg/ytt" +) + +const portRange = "60000-61000" +const ipsecMode = "ipsec" + +var ( + configName = "antrea-config" + configTweaker = "antrea-agent-tweaker" + + // data header overwritten + dataHeader = `#@data/values +#@overlay/match-child-defaults missing_ok=True +---` +) + +var _ = Describe("Antrea YTT Templates", func() { + var ( + filePaths []string + values string + output string + err error + + configDir = filepath.Join(repo.RootDir(), "addons/packages/antrea/1.7.1/bundle/config") + fileAntreaYaml = filepath.Join(configDir, "upstream/antrea.yaml") + fileAntreaOverlayYaml = filepath.Join(configDir, "overlay/antrea-overlay.yaml") + fileAntreaStrategyOverlayYaml = filepath.Join(configDir, "overlay/update-strategy-overlay.yaml") + fileValuesSchema = filepath.Join(configDir, "schema.yaml") + fileValuesYaml = filepath.Join(configDir, "values.yaml") + fileValuesStar = filepath.Join(configDir, "values.star") + ) + + BeforeEach(func() { + values = "" + }) + + JustBeforeEach(func() { + filePaths = []string{fileValuesSchema, fileAntreaYaml, fileAntreaOverlayYaml, fileAntreaStrategyOverlayYaml, fileValuesYaml, fileValuesStar} + output, err = ytt.RenderYTTTemplate(ytt.CommandOptions{}, filePaths, strings.NewReader(values)) + }) + + Context("antrea components with default configuration", func() { + It("renders multiple configMap with a default IPAM configuration", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := 
findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + Expect(configMap.Data["antrea-agent.conf"]).To(MatchYAML(`--- +antreaProxy: + nodePortAddresses: [] + proxyAll: false + proxyLoadBalancerIPs: false + skipServices: [] +egress: + exceptCIDRs: [] +featureGates: + AntreaIPAM: false + AntreaPolicy: true + AntreaProxy: true + Egress: true + EndpointSlice: false + FlowExporter: false + Multicast: false + NetworkPolicyStats: false + NodePortLocal: true + ServiceExternalIP: false + Traceflow: true + Multicluster: false + SecondaryNetwork: false + TrafficControl: false +multicast: {} +multicluster: {} +enableBridgingMode: false +disableTXChecksumOffload: false +noSNAT: false +nodePortLocal: + enable: true + portRange: 61000-62000 +serviceCIDR: 10.96.0.0/12 +tlsCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384 +trafficEncapMode: encap +trafficEncryptionMode: none +tunnelType: geneve +wireGuard: + port: 51820 +`)) + + Expect(configMap.Data["antrea-controller.conf"]).To(MatchYAML(`--- +featureGates: + AntreaIPAM: false + AntreaPolicy: true + Egress: true + NetworkPolicyStats: false + ServiceExternalIP: false + Traceflow: true + Multicast: false +nodeIPAM: null +tlsCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384 +`)) + }) + }) + + Context("antrea-agent with serviceCIDRv6 configuration", func() { + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.ServiceCIDRv6 = "[fe80::1]/64" + }) + Expect(err).NotTo(HaveOccurred()) + }) + It("renders a ConfigMap with IPv6 IPAM configuration", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := 
findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring(`serviceCIDRv6: '[fe80::1]/64'`)) + }) + }) + + Context("antrea-agent-tweaker with default configuration", func() { + It("render disabled UDP tunnel offload feature", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configTweaker) + Expect(configMap).NotTo(BeNil()) + Expect(configMap.Data["antrea-agent-tweaker.conf"]).To(ContainSubstring("disableUdpTunnelOffload: false")) + }) + }) + + Context("antrea-agent-tweaker with enabled UDP tunnel configuration", func() { + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.DisableUDPTunnelOffload = true + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("render enabled UDP tunnel offload feature", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configTweaker) + Expect(configMap).NotTo(BeNil()) + Expect(configMap.Data["antrea-agent-tweaker.conf"]).To(ContainSubstring("disableUdpTunnelOffload: true")) + }) + }) + + Context("antrea configuration has wrong fields", func() { + BeforeEach(func() { + values = `#@data/values + --- + antrea: + config: + invalid: "option"` + }) + + It("fails to generate manifests", func() { + Expect(err).To(HaveOccurred()) + }) + }) + + Describe("Configuring Egress", func() { + Context("without feature gate", func() { + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.FeatureGates.Egress = false + config.Antrea.Config.Egress.ExceptCIDRs = []string{"10.0.0.0/16"} + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("ignores the configuration", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + 
Expect(configMap).NotTo(BeNil()) + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring("Egress: false")) + Expect(configMap.Data["antrea-agent.conf"]).ToNot(ContainSubstring("exceptCIDR")) + }) + }) + + Context("with the feature gate enabled", func() { + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.FeatureGates.Egress = true + config.Antrea.Config.Egress.ExceptCIDRs = []string{"10.0.0.0/16"} + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("settings are configured", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + for _, s := range []string{"Egress: true", "10.0.0.0/16"} { + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring(s)) + } + }) + }) + }) + + Describe("Configuring Multicast", func() { + Context("without feature gate", func() { + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.FeatureGates.Multicast = false + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("ignores the configuration", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring("Multicast: false")) + Expect(configMap.Data["antrea-agent.conf"]).ToNot(ContainSubstring("igmpQueryInterval")) + Expect(configMap.Data["antrea-agent.conf"]).ToNot(ContainSubstring("multicastInterfaces")) + }) + }) + + Context("with the feature gate enabled", func() { + interval := "130s" + interfaces := []string{"eth0"} + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.FeatureGates.Multicast = true + config.Antrea.Config.Multicast.IGMPQueryInterval = interval + 
config.Antrea.Config.MulticastInterfaces = interfaces + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("settings are configured", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + + for _, s := range []string{"Multicast: true", interval, interfaces[0]} { + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring(s)) + } + }) + }) + }) + + Describe("Configuring Multicluster", func() { + Context("with the feature gate enabled", func() { + ns := "kube-system" + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.FeatureGates.Multicluster = true + config.Antrea.Config.MultiCluster.Enable = true + config.Antrea.Config.MultiCluster.Namespace = ns + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("settings are configured", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + + for _, s := range []string{"Multicluster: true", ns} { + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring(s)) + } + }) + }) + }) + + Describe("Configuring NodePortLocal", func() { + Context("without feature gate", func() { + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.FeatureGates.NodePortLocal = false + config.Antrea.Config.NodePortLocal.Enabled = true + config.Antrea.Config.NodePortLocal.PortRange = portRange + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("ignores the configuration", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring("NodePortLocal: false")) + 
Expect(configMap.Data["antrea-agent.conf"]).ToNot(ContainSubstring("portRange")) + }) + }) + + Context("with the feature gate enabled", func() { + portRange := "60000-61000" + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.FeatureGates.NodePortLocal = true + config.Antrea.Config.NodePortLocal.PortRange = portRange + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("settings are configured", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + + for _, s := range []string{"NodePortLocal: true", portRange} { + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring(s)) + } + }) + }) + }) + + Describe("Configuring AntreaProxy", func() { + Context("without feature gate", func() { + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.FeatureGates.AntreaProxy = false + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("ignores the configuration", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring("AntreaProxy: false")) + for _, s := range []string{"proxyAll", "nodePortAddresses", "skipServices", "proxyLoadBalancersIPs"} { + Expect(configMap.Data["antrea-agent.conf"]).ToNot(ContainSubstring(s)) + } + }) + }) + + Context("with the feature gate enabled", func() { + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.FeatureGates.AntreaProxy = true + config.Antrea.Config.AntreaProxy.ProxyAll = true + config.Antrea.Config.AntreaProxy.NodePortAddresses = []string{"10.0.0.0/24"} + config.Antrea.Config.AntreaProxy.ProxyLoadBalancerIPS = true + 
config.Antrea.Config.AntreaProxy.SkipServices = []string{"kube-system/kube-dns"} + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("settings are configured", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + + for _, s := range []string{"AntreaProxy: true", "nodePortAddresses", "skipServices", "proxyLoadBalancerIPs: true"} { + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring(s)) + } + }) + }) + }) + + Describe("Configuring FlowExporter", func() { + Context("with the feature gate enabled", func() { + seconds := "10s" + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.FeatureGates.FlowExporter = true + config.Antrea.Config.FlowExporter.CollectorAddress = "0.0.0.0" + config.Antrea.Config.FlowExporter.PollInterval = seconds + config.Antrea.Config.FlowExporter.ActiveFlowTimeout = seconds + config.Antrea.Config.FlowExporter.IdleFlowTimeout = seconds + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("settings are configured", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + for _, s := range []string{"flowPollInterval: " + seconds, "flowCollectorAddr: 0.0.0.0", "idleFlowExportTimeout: " + seconds, "activeFlowExportTimeout: " + seconds} { + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring(s)) + } + }) + }) + }) + + Describe("Changing root settings", func() { + Context("should be allowed", func() { + BeforeEach(func() { + values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaConfig) { + config.Antrea.Config.TransportInterface = "eth0" + config.Antrea.Config.TransportInterfaceCIDRs = []string{"10.0.0.0/24"} + config.Antrea.Config.MulticastInterfaces = []string{"eth0"} + config.Antrea.Config.WireGuard.Port = 51821 + 
config.Antrea.Config.KubeAPIServerOverride = "10.0.0.1" + config.Antrea.Config.EnableUsageReporting = true + config.Antrea.Config.TunnelType = "vxlan" + config.Antrea.Config.TrafficEncryptionMode = ipsecMode + config.Antrea.Config.FeatureGates.Multicast = true + config.Antrea.Config.DNSServerOverride = "localhost" + config.Antrea.Config.EnableBridgingMode = true + config.Antrea.Config.DisableTXChecksumOffload = true + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It("and args must be rendered", func() { + Expect(err).NotTo(HaveOccurred()) + configMap := findConfigMapByName(unmarshalConfigMaps(output), configName) + Expect(configMap).NotTo(BeNil()) + for _, s := range []string{ + "transportInterface: eth0", + "multicastInterfaces", + "transportInterfaceCIDRs", + "port: 51821", + "kubeAPIServerOverride: 10.0.0.1", + "tunnelType: vxlan", + "trafficEncryptionMode: ipsec", + "dnsServerOverride: localhost", + "enableBridgingMode", + "disableTXChecksumOffload", + } { + Expect(configMap.Data["antrea-agent.conf"]).To(ContainSubstring(s)) + } + Expect(configMap.Data["antrea-controller.conf"]).To(ContainSubstring("enableUsageReporting")) + }) + }) + }) + + Context("configures nodeSelector and updateStrategy", func() { + BeforeEach(func() { + values = `#@data/values +--- +nodeSelector: + tanzuKubernetesRelease: 1.22.3 +deployment: + updateStrategy: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 +daemonset: + updateStrategy: OnDelete +` + }) + + It("renders the DaemonSet and Deployment with desired nodeSelector and updateStrategy", func() { + Expect(err).NotTo(HaveOccurred()) + daemonSet := parseDaemonSet(output) + deployment := parseDeployment(output) + Expect(deployment.Spec.Template.Spec.NodeSelector).ToNot(BeNil()) + Expect(deployment.Spec.Template.Spec.NodeSelector["tanzuKubernetesRelease"]).To(Equal("1.22.3")) + Expect(deployment.Spec.Strategy.Type).To(Equal(appsv1.RollingUpdateDeploymentStrategyType)) + 
Expect(deployment.Spec.Strategy.RollingUpdate).ToNot(BeNil()) + Expect(deployment.Spec.Strategy.RollingUpdate.MaxUnavailable.IntVal).To(Equal(int32(0))) + Expect(deployment.Spec.Strategy.RollingUpdate.MaxSurge.IntVal).To(Equal(int32(1))) + Expect(daemonSet.Spec.UpdateStrategy.Type).To(Equal(appsv1.OnDeleteDaemonSetStrategyType)) + }) + }) + +}) + +func marshalAntreaConfig(valuesFile string, settingFunc func(config *AntreaConfig)) (string, error) { + var ( + err error + config *AntreaConfig + ) + if config, err = loadAntreaConfig(valuesFile); err != nil { + return "", err + } + + // Overwrite values in the config pointer + settingFunc(config) + + content, err := goyaml.Marshal(config) + if err != nil { + return "", err + } + return fmt.Sprintf("%s\n%s", dataHeader, content), nil +} + +// loadAntreaConfig unmarshal the configuration file into AntreaConfig +func loadAntreaConfig(configFile string) (*AntreaConfig, error) { + var ( + err error + content []byte + config = AntreaConfig{} + ) + + if content, err = os.ReadFile(configFile); err != nil { + return nil, err + } + if err := goyaml.Unmarshal(content, &config); err != nil { + return nil, err + } + return &config, nil +} + +func findConfigMapByName(cms []corev1.ConfigMap, name string) *corev1.ConfigMap { + for _, cm := range cms { + if cm.Name == name { + return &cm + } + } + return nil +} + +func unmarshalConfigMaps(output string) []corev1.ConfigMap { + docs := findDocsWithString(output, "kind: ConfigMap") + cms := make([]corev1.ConfigMap, len(docs)) + for i, doc := range docs { + var cm corev1.ConfigMap + err := yaml.Unmarshal([]byte(doc), &cm) + Expect(err).NotTo(HaveOccurred()) + cms[i] = cm + } + return cms +} + +func findDocsWithString(output, selector string) []string { + var docs []string + for _, doc := range strings.Split(output, "---") { + if strings.Contains(doc, selector) { + docs = append(docs, doc) + } + } + return docs +} + +func parseDaemonSet(output string) appsv1.DaemonSet { + daemonSetDocIndex 
:= 35 + daemonSetDoc := strings.Split(output, "---")[daemonSetDocIndex] + var daemonSet appsv1.DaemonSet + err := yaml.Unmarshal([]byte(daemonSetDoc), &daemonSet) + Expect(err).NotTo(HaveOccurred()) + return daemonSet +} + +func parseDeployment(output string) appsv1.Deployment { + deploymentDocIndex := 36 + deploymentDoc := strings.Split(output, "---") //[deploymentDocIndex] + var deployment appsv1.Deployment + err := yaml.Unmarshal([]byte(deploymentDoc[deploymentDocIndex]), &deployment) + Expect(err).NotTo(HaveOccurred()) + return deployment +} diff --git a/addons/packages/antrea/1.7.1-p1/test/go.mod b/addons/packages/antrea/1.7.1-p1/test/go.mod new file mode 100644 index 00000000000..456664424b2 --- /dev/null +++ b/addons/packages/antrea/1.7.1-p1/test/go.mod 
@@ -0,0 +1,38 @@
+module github.com/vmware-tanzu/community-edition/addons/packages/antrea/1.7.1/test
+
+go 1.17
+
+require (
+ github.com/onsi/ginkgo v1.16.4
+ github.com/onsi/gomega v1.16.0
+ github.com/vmware-tanzu/community-edition/addons/packages/test/pkg v0.0.0-00010101000000-000000000000
+ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
+ k8s.io/api v0.22.1
+ sigs.k8s.io/yaml v1.2.0
+)
+
+require (
+ github.com/fsnotify/fsnotify v1.4.9 // indirect
+ github.com/go-logr/logr v0.4.0 // indirect
+ github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
+ github.com/gogo/protobuf v1.3.2 // indirect
+ github.com/google/go-cmp v0.5.5 // indirect
+ github.com/google/gofuzz v1.1.0 // indirect
+ github.com/json-iterator/go v1.1.11 // indirect
+ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+ github.com/modern-go/reflect2 v1.0.1 // indirect
+ github.com/nxadm/tail v1.4.8 // indirect
+ golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 // indirect
+ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 // indirect
+ golang.org/x/text v0.3.6 // indirect
+ golang.org/x/tools v0.0.0-20210106214847-113979e3529a // indirect
+ gopkg.in/inf.v0 v0.9.1 // indirect
+ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
+ gopkg.in/yaml.v2 v2.4.0 // indirect
+ k8s.io/apimachinery v0.22.1 // indirect
+ k8s.io/klog/v2 v2.9.0 // indirect
+ k8s.io/utils v0.0.0-20210820185131-d34e5cb4466e // indirect
+ sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
+)
+
+replace github.com/vmware-tanzu/community-edition/addons/packages/test/pkg => ../../../test/pkg
diff --git a/addons/packages/antrea/1.7.1-p1/test/go.sum b/addons/packages/antrea/1.7.1-p1/test/go.sum
new file mode 100644
index 00000000000..8ff86b191e9
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/test/go.sum
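Review bot: The module path on the first line, `.../addons/packages/antrea/1.7.1/test`, does not match the directory this go.mod lives in (`addons/packages/antrea/1.7.1-p1/test`), which looks like a leftover from copying the 1.7.1 package. It is not a build error on its own, but two test modules declaring the same path makes tooling output and error messages ambiguous between the two package versions; the straightforward fix is `module github.com/vmware-tanzu/community-edition/addons/packages/antrea/1.7.1-p1/test`. The `replace` directive at the bottom is relative and still resolves correctly from the new directory, so only the module line needs attention.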
@@ -0,0 +1,241 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fsnotify/fsnotify v1.4.7/go.mod 
h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc= +github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= 
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= +github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.11 
h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ= +github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod 
h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= +github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= +github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.16.0 h1:6gjqkI8iiRHMvdccRJM8rVKjCWk6ZIm6FTm3ddIe4/c= +github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod 
h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod 
v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= +golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 h1:ADo5wSpq2gqaCGQWzk7S5vd//0iyyLeAratkEoG5dLE= +golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a h1:CB3a9Nez8M13wwlr/E2YtwoU+qYHKfC+JrDa45RXXoQ= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 
h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod 
h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 
v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +k8s.io/api v0.22.1 h1:ISu3tD/jRhYfSW8jI/Q1e+lRxkR7w9UwQEZ7FgslrwY= +k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY= +k8s.io/apimachinery v0.22.1 h1:DTARnyzmdHMz7bFWFDDm22AM4pLWTQECMpRTFu2d2OM= +k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM= +k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= +k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= +k8s.io/utils v0.0.0-20210820185131-d34e5cb4466e h1:ldQh+neBabomh7+89dTpiFAB8tGdfVmuIzAHbvtl+9I= +k8s.io/utils v0.0.0-20210820185131-d34e5cb4466e/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno= +sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= +sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= 
diff --git a/addons/packages/antrea/1.7.1-p1/test/interworking/antrea-interworking_suite_test.go b/addons/packages/antrea/1.7.1-p1/test/interworking/antrea-interworking_suite_test.go
new file mode 100644
index 00000000000..13b248df129
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/test/interworking/antrea-interworking_suite_test.go
@@ -0,0 +1,55 @@
+// Copyright 2022 VMware Tanzu Community Edition contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package interworking_test
+
+import (
+ "testing"
+
+ "github.com/onsi/ginkgo"
+ "github.com/onsi/gomega"
+)
+
+type AntreaInterworkingConfig struct {
+ AntreaNSX struct {
+ Enable bool `yaml:"enable"`
+ } `yaml:"antrea_nsx"`
+ AntreaInterworking struct {
+ Config struct {
+ NsxCert string `yaml:"nsxCert"`
+ NSXKey string `yaml:"nsxKey"`
+ NSXUser string `yaml:"nsxUser"`
+ NSXPassword string `yaml:"nsxPassword"`
+ ClusterName string `yaml:"clusterName"`
+ NSXManagers []string `yaml:"NSXManagers"`
+ vpcPath string `yaml:"vpcPath"`
+ MpAdapterConf struct {
+ NSXClientTimeout int `yaml:"NSXClientTimeout"`
+ InventoryBatchSize int `yaml:"InventoryBatchSize"`
+ InventoryBatchPeriod int `yaml:"InventoryBatchPeriod"`
+ EnableDebugServer bool `yaml:"EnableDebugServer"`
+ APIServerPort int `yaml:"APIServerPort"`
+ DebugServerPort int `yaml:"DebugServerPort"`
+ NSXRPCDebug bool `yaml:"NSXRPCDebug"`
+ ConditionTimeout int `yaml:"ConditionTimeout"`
+ } `yaml:"mp_adapter_conf"`
+ CCPAdapterConf struct {
+ EnableDebugServer bool `yaml:"EnableDebugServer"`
+ APIServerPort int `yaml:"APIServerPort"`
+ DebugServerPort int `yaml:"DebugServerPort"`
+ NSXRPCDebug bool `yaml:"NSXRPCDebug"`
+ RealizeTimeoutSeconds int `yaml:"RealizeTimeoutSeconds"`
+ RealizeErrorSyncIntervalSeconds int `yaml:"RealizeErrorSyncIntervalSeconds"`
+ ReconcilerWorkerCount int `yaml:"ReconcilerWorkerCount"`
+ ReconcilerQPS float32 `yaml:"ReconcilerQPS"`
+ ReconcilerBurst int `yaml:"ReconcilerBurst"`
+ ReconcilerResyncSeconds int `yaml:"ReconcilerResyncSeconds"`
+ } `yaml:"ccp_adapter_conf"`
+ } `yaml:"config"`
+ } `yaml:"antrea_interworking"`
+}
+
+func TestAntreaInterworking(t *testing.T) {
+ gomega.RegisterFailHandler(ginkgo.Fail)
+ ginkgo.RunSpecs(t, "Antrea-interworking Addons Templates Suite")
+} 
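Review bot: `vpcPath string \`yaml:"vpcPath"\`` inside the `Config` struct is unexported, so gopkg.in/yaml.v3 never reads or writes it: the tag is dead, and because marshalAntreaConfig in the sibling test file round-trips values.yaml through this struct, a `vpcPath` set there would presumably be dropped from the rendered values and could not be exercised by any spec. Export it as `VpcPath string \`yaml:"vpcPath"\`` so the field takes part in the round trip. While here, `NsxCert` breaks the initialism casing its siblings use (`NSXKey`, `NSXUser`, `NSXPassword`); `NSXCert` would be consistent with them and with Go naming conventions.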
diff --git a/addons/packages/antrea/1.7.1-p1/test/interworking/antrea-interworking_test.go b/addons/packages/antrea/1.7.1-p1/test/interworking/antrea-interworking_test.go
new file mode 100644
index 00000000000..6ec601999d8
--- /dev/null
+++ b/addons/packages/antrea/1.7.1-p1/test/interworking/antrea-interworking_test.go 
@@ -0,0 +1,259 @@
+// Copyright 2022 VMware Tanzu Community Edition contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package interworking_test
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "strings"
+
+ "github.com/onsi/ginkgo"
+ "github.com/onsi/gomega"
+ goyaml "gopkg.in/yaml.v3"
+ corev1 "k8s.io/api/core/v1"
+ "sigs.k8s.io/yaml"
+
+ "github.com/vmware-tanzu/community-edition/addons/packages/test/pkg/repo"
+ "github.com/vmware-tanzu/community-edition/addons/packages/test/pkg/ytt"
+)
+
+var (
+ interworkingConfigName = "antrea-interworking-config"
+ interworkingBootstrapConfigmap = "bootstrap-config"
+
+ // data header overwritten
+ dataHeader = `#@data/values
+#@overlay/match-child-defaults missing_ok=True
+---`
+)
+
+func findConfigMapByName(cms []corev1.ConfigMap, name string) *corev1.ConfigMap {
+ for _, cm := range cms {
+ if cm.Name == name {
+ return &cm
+ }
+ }
+ return nil
+}
+
+func unmarshalConfigMaps(output string) []corev1.ConfigMap {
+ docs := findDocsWithString(output, "kind: ConfigMap")
+ cms := make([]corev1.ConfigMap, len(docs))
+ for i, doc := range docs {
+ var cm corev1.ConfigMap
+ err := yaml.Unmarshal([]byte(doc), &cm)
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ cms[i] = cm
+ }
+ return cms
+}
+
+func findDocsWithString(output, selector string) []string {
+ var docs []string
+ for _, doc := range strings.Split(output, "---") {
+ if strings.Contains(doc, selector) {
+ docs = append(docs, doc)
+ }
+ }
+ return docs
+}
+
+func marshalAntreaConfig(valuesFile string, settingFunc func(config *AntreaInterworkingConfig)) (string, error) {
+ var (
+ err error
+ config *AntreaInterworkingConfig
+ )
+ if config, err = loadAntreaConfig(valuesFile); err != nil {
+ return "", err
+ }
+
+ // Overwrite values in the config pointer
+ settingFunc(config)
+
+ content, err := goyaml.Marshal(config)
+ if err != nil {
+ return "", err
+ }
+ return fmt.Sprintf("%s\n%s", dataHeader, content), nil
+}
+
+// loadAntreaConfig 
unmarshal the configuration file into AntreaConfig
+func loadAntreaConfig(configFile string) (*AntreaInterworkingConfig, error) {
+ var (
+ err error
+ content []byte
+ config = AntreaInterworkingConfig{}
+ )
+
+ if content, err = os.ReadFile(configFile); err != nil {
+ return nil, err
+ }
+ if err := goyaml.Unmarshal(content, &config); err != nil {
+ return nil, err
+ }
+ return &config, nil
+}
+
+var _ = ginkgo.Describe("Antrea-interworking YTT Templates", func() {
+ var (
+ filePaths []string
+ values string
+ output string
+ err error
+
+ configDir = filepath.Join(repo.RootDir(), "addons/packages/antrea/1.7.1-p1/bundle/config")
+ fileAntreaInterworkingYaml = filepath.Join(configDir, "upstream/interworking.yaml")
+ fileAntreaInterworkingBootstrapYaml = filepath.Join(configDir, "upstream/bootstrap.yaml")
+ fileAntreaInterworkingOverlayYaml = filepath.Join(configDir, "overlay/interworking-overlay.yaml")
+ fileAntreaInterworkingBootstrapOverlayYaml = filepath.Join(configDir, "overlay/interworking-bootstrap-overlay.yaml")
+ fileValuesSchema = filepath.Join(configDir, "schema.yaml")
+ fileValuesYaml = filepath.Join(configDir, "values.yaml")
+ fileValuesStar = filepath.Join(configDir, "values.star")
+ )
+
+ ginkgo.BeforeEach(func() {
+ values = ""
+ })
+
+ ginkgo.JustBeforeEach(func() {
+ filePaths = []string{fileValuesSchema, fileValuesYaml, fileValuesStar, fileAntreaInterworkingOverlayYaml,
+ fileAntreaInterworkingBootstrapOverlayYaml, fileAntreaInterworkingYaml, fileAntreaInterworkingBootstrapYaml}
+ output, err = ytt.RenderYTTTemplate(ytt.CommandOptions{}, filePaths, strings.NewReader(values))
+ })
+
+ ginkgo.Context("antrea-interworking default configuration", func() {
+ ginkgo.It("mp-adapter configuration", func() {
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ configMap := findConfigMapByName(unmarshalConfigMaps(output), interworkingConfigName)
+ gomega.Expect(configMap).NotTo(gomega.BeNil())
+ 
gomega.Expect(configMap.Data["mp-adapter.conf"]).To(gomega.MatchYAML(`---
+NSXRemoteAuth: false
+NSXClientAuthCertFile: /etc/antrea/nsx-cert/tls.crt
+NSXClientAuthKeyFile: /etc/antrea/nsx-cert/tls.key
+NSXCAFile: ""
+NSXInsecure: true
+NSXClientTimeout: 120
+InventoryBatchSize: 50
+InventoryBatchPeriod: 5
+NSXRPCConnType: tnproxy
+EnableDebugServer: false
+APIServerPort: 16664
+DebugServerPort: 16666
+NSXRPCDebug: false
+#in second
+ConditionTimeout: 150`))
+ gomega.Expect(configMap.Data["ccp-adapter.conf"]).To(gomega.MatchYAML(`---
+EnableDebugServer: false
+APIServerPort: 16665
+DebugServerPort: 16667
+NSXRPCDebug: false
+# Time to wait for realization
+RealizeTimeoutSeconds: 60
+# An interval for regularly report latest realization error in background
+RealizeErrorSyncIntervalSeconds: 600
+ReconcilerWorkerCount: 8
+# Average QPS = ReconcilerWorkerCount * ReconcilerQPS
+ReconcilerQPS: 5.0
+# Peak QPS = ReconcilerWorkerCount * ReconcilerBurst
+ReconcilerBurst: 10
+# 24 Hours
+ReconcilerResyncSeconds: 86400`))
+ })
+ })
+
+ ginkgo.Context("antrea-interworking set antrea_nsx to false", func() {
+ ginkgo.BeforeEach(func() {
+ values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaInterworkingConfig) {
+ config.AntreaInterworking.Config.MpAdapterConf.NSXClientTimeout = 100
+ config.AntreaNSX.Enable = false
+ })
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ })
+ ginkgo.It("renders a ConfigMap with MpAdapterConf configuration", func() {
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ configMap := findConfigMapByName(unmarshalConfigMaps(output), interworkingConfigName)
+ gomega.Expect(configMap).NotTo(gomega.BeNil())
+ gomega.Expect(configMap.Data["mp-adapter.conf"]).To(gomega.ContainSubstring(`NSXClientTimeout: 120`))
+ })
+ })
+
+ ginkgo.Context("antrea-interworking with MpAdapterConf configuration", func() {
+ ginkgo.BeforeEach(func() {
+ values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaInterworkingConfig) {
+ 
config.AntreaInterworking.Config.MpAdapterConf.NSXClientTimeout = 100
+ config.AntreaNSX.Enable = true
+ })
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ })
+ ginkgo.It("renders a ConfigMap with MpAdapterConf configuration", func() {
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ configMap := findConfigMapByName(unmarshalConfigMaps(output), interworkingConfigName)
+ gomega.Expect(configMap).NotTo(gomega.BeNil())
+ gomega.Expect(configMap.Data["mp-adapter.conf"]).To(gomega.ContainSubstring(`NSXClientTimeout: 100`))
+ })
+ })
+
+ ginkgo.Context("antrea-interworking with mp_adapter_conf and ccp_adapter_conf", func() {
+ ginkgo.BeforeEach(func() {
+ values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaInterworkingConfig) {
+ config.AntreaInterworking.Config.MpAdapterConf.EnableDebugServer = false
+ config.AntreaInterworking.Config.CCPAdapterConf.EnableDebugServer = true
+ config.AntreaNSX.Enable = true
+ })
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ })
+ ginkgo.It("renders a ConfigMap with mp_adapter_conf and ccp_adapter_conf", func() {
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ configMap := findConfigMapByName(unmarshalConfigMaps(output), interworkingConfigName)
+ gomega.Expect(configMap).NotTo(gomega.BeNil())
+ gomega.Expect(configMap.Data["mp-adapter.conf"]).To(gomega.ContainSubstring(`EnableDebugServer: false`))
+ gomega.Expect(configMap.Data["ccp-adapter.conf"]).To(gomega.ContainSubstring(`EnableDebugServer: true`))
+ })
+ })
+
+ ginkgo.Context("antrea-interworking with mp_adapter_conf and ccp_adapter_conf", func() {
+ ginkgo.BeforeEach(func() {
+ values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaInterworkingConfig) {
+ config.AntreaInterworking.Config.MpAdapterConf.EnableDebugServer = false
+ config.AntreaInterworking.Config.CCPAdapterConf.EnableDebugServer = true
+ config.AntreaNSX.Enable = true
+ })
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ })
+ ginkgo.It("renders a ConfigMap with 
mp_adapter_conf and ccp_adapter_conf", func() {
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ configMap := findConfigMapByName(unmarshalConfigMaps(output), interworkingConfigName)
+ gomega.Expect(configMap).NotTo(gomega.BeNil())
+ gomega.Expect(configMap.Data["mp-adapter.conf"]).To(gomega.ContainSubstring(`EnableDebugServer: false`))
+ gomega.Expect(configMap.Data["ccp-adapter.conf"]).To(gomega.ContainSubstring(`EnableDebugServer: true`))
+ })
+ })
+
+ ginkgo.Context("antrea-interworking default bootstrap configuration", func() {
+ ginkgo.It("default bootstrap configuration", func() {
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ configMap := findConfigMapByName(unmarshalConfigMaps(output), interworkingBootstrapConfigmap)
+ gomega.Expect(configMap).NotTo(gomega.BeNil())
+ gomega.Expect(configMap.Data["bootstrap.conf"]).To(gomega.ContainSubstring(`clusterName: dummyClusterName`))
+ })
+ })
+
+ ginkgo.Context("antrea-interworking bootstrap configuration", func() {
+ ginkgo.BeforeEach(func() {
+ values, err = marshalAntreaConfig(fileValuesYaml, func(config *AntreaInterworkingConfig) {
+ config.AntreaInterworking.Config.NSXKey = "fake-cert"
+ config.AntreaInterworking.Config.ClusterName = "fake-clusterName"
+ config.AntreaNSX.Enable = true
+ })
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ })
+ ginkgo.It("renders a ConfigMap with bootstrap.conf", func() {
+ gomega.Expect(err).NotTo(gomega.HaveOccurred())
+ configMap := findConfigMapByName(unmarshalConfigMaps(output), interworkingBootstrapConfigmap)
+ gomega.Expect(configMap).NotTo(gomega.BeNil())
+ gomega.Expect(configMap.Data["bootstrap.conf"]).To(gomega.ContainSubstring(`clusterName: fake-clusterName`))
+ })
+ })
+})
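Review bot: findDocsWithString splits the rendered output on the bare substring `---` rather than on a document-separator line, so any document whose data embeds `---` — a nested YAML document in a ConfigMap value, or a PEM boundary like `-----BEGIN CERTIFICATE-----` if a cert such as nsxCert were ever rendered into one — is cut in two and the `kind: ConfigMap` fragment silently loses its data; the current upstream files presumably avoid this, but the helper gives no signal when it stops holding. Splitting on `strings.Split(output, "\n---")` (or iterating a `goyaml.NewDecoder` over the output) removes that dependence on what the templates happen to contain. Separately, the two `ginkgo.Context("antrea-interworking with mp_adapter_conf and ccp_adapter_conf", …)` blocks are byte-identical copies, so the second adds no coverage and should be dropped or given a distinct scenario. In the "set antrea_nsx to false" context the It title `renders a ConfigMap with MpAdapterConf configuration` contradicts what the spec asserts — that the override of 100 is ignored and the default 120 is rendered — so a title such as `ignores mp_adapter_conf overrides when antrea_nsx is disabled` would describe the behaviour being pinned.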