Support OVS bridge creation for secondary network
Add OVS bridge configuration to the secondary network configuration in
antrea-agent.conf, which specifies the OVS bridges for Pod secondary
networks and also physical interfaces of the bridges. At the moment,
only a single bridge is supported and at most one physical interface
can be configured on the bridge. antrea-agent will automatically create
the OVS bridge and connect the physical interface (if specified) to
the bridge, when the bridge is specified in the secondary network
configuration and does not exist on the host.

Signed-off-by: Jianjun Shen <shenj@vmware.com>
jianjuns committed Jul 29, 2023
1 parent 652c721 commit 3033f4d
Showing 23 changed files with 533 additions and 176 deletions.
11 changes: 3 additions & 8 deletions build/charts/antrea/README.md
Expand Up @@ -68,9 +68,9 @@ Kubernetes: `>= 1.16.0-0`
| controller.tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"}]` | Tolerations for the antrea-controller Pod. |
| defaultMTU | int | `0` | Default MTU to use for the host gateway interface and the network interface of each Pod. By default, antrea-agent will discover the MTU of the Node's primary interface and adjust it to accommodate for tunnel encapsulation overhead if applicable. |
| disableTXChecksumOffload | bool | `false` | Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. It affects Pods running on Linux Nodes only. |
| dnsServerOverride | string | `""` | Address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. |
| dnsServerOverride | string | `""` | Address of DNS server, to override the kube-dns Service. It's used to resolve hostnames in a FQDN policy. |
| egress.exceptCIDRs | list | `[]` | CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. |
| egress.maxEgressIPsPerNode | int | `255` | The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255. |
| egress.maxEgressIPsPerNode | int | `255` | The maximum number of Egress IPs that can be assigned to a Node. It is useful when the Node network restricts the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255. |
| enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. |
| featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. |
| flowExporter.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. |
Expand Down Expand Up @@ -107,12 +107,7 @@ Kubernetes: `>= 1.16.0-0`
| nodePortLocal.portRange | string | `"61000-62000"` | Port range used by NodePortLocal when creating Pod port mappings. |
| ovs.bridgeName | string | `"br-int"` | Name of the OVS bridge antrea-agent will create and use. |
| ovs.hwOffload | bool | `false` | Enable hardware offload for the OVS bridge (required additional configuration). |
| secondaryNetwork.ovs.datapathType | string | `"system"` | 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run OVS in userspace mode. Userspace mode requires the tun device driver to be available. |
| secondaryNetwork.ovs.enable | bool | `false` | Enable OVS bridge configuration for secondary network. |
| secondaryNetwork.ovs.integrationBridgeName | string | `"br-secnet-int"` | Secondary network OVS integration bridge name. |
| secondaryNetwork.ovs.patchPort | string | `"br-secnet-patch0"` | Name of the OVS patch port which connects the integration and transport bridge. |
| secondaryNetwork.ovs.transportBridgeName | string | `"br-secnet-trans"` | Secondary network OVS transport bridge name. |
| secondaryNetwork.tunnelType | string | `"geneve"` | Tunnel protocol used for encapsulating traffic across Nodes. It must be one of "geneve", "vxlan", "gre", "stt". |
| secondaryNetwork.ovsBridges | list | `[]` | Configuration of OVS bridges for secondary network. At the moment, at most one OVS bridge can be specified. If the specified bridge does not exist on the Node, antrea-agent will create it based on the configuration. The following configuration specifies an OVS bridge with name "br1" and a physical interface "eth1": [{bridgeName: "br1", physicalInterfaces: ["eth1"]}] |
| serviceCIDR | string | `""` | IPv4 CIDR range used for Services. Required when AntreaProxy is disabled. |
| serviceCIDRv6 | string | `""` | IPv6 CIDR range used for Services. Required when AntreaProxy is disabled. |
| testing.coverage | bool | `false` | Enable code coverage measurement (used when testing Antrea only). |
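Review bot: removing the `secondaryNetwork.ovs.*` rows and `secondaryNetwork.tunnelType` in the same change that introduces `secondaryNetwork.ovsBridges` is a breaking change for existing values files; unless the chart enforces a values schema, Helm ignores unknown keys, so a user who still sets `secondaryNetwork.ovs.enable: true` gets no bridge and no error. Consider calling out the renamed keys in the chart changelog or upgrade notes, and stating in the `ovsBridges` description that at most one physical interface per bridge is supported, since `physicalInterfaces` is shown as a list.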
33 changes: 9 additions & 24 deletions build/charts/antrea/conf/antrea-agent.conf
Expand Up @@ -254,14 +254,15 @@ nodePortLocal:
portRange: {{ .portRange | quote }}
{{- end }}

# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }}

# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: {{ .Values.dnsServerOverride | quote }}

# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -402,24 +403,8 @@ multicluster:

secondaryNetwork:
{{- with .Values.secondaryNetwork }}
# OVS bridge configuration for secondary network.
ovs:
# Enable OVS bridge configuration for secondary network.
enable: {{ .ovs.enable }}
# Secondary network OVS integration bridge name. Ensure it doesn't conflict with your existing OpenVSwitch bridges.
integrationBridgeName: {{ .ovs.integrationBridgeName | quote }}
# Secondary network OVS transport bridge name. Ensure it doesn't conflict with your existing OpenVSwitch bridges.
transportBridgeName: {{ .ovs.transportBridgeName | quote }}
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
datapathType: {{ .ovs.datapathType | quote }}
# Name of the OVS patch port which connects the integration and transport bridge.
patchPort: {{ .ovs.patchPort | quote }}
# Tunnel protocol used for encapsulating traffic across Nodes. It must be one
# of "geneve", "vxlan", "gre", "stt".
tunnelType: {{ .tunnelType | quote }}
# Configuration of OVS bridges for secondary network.
ovsBridges:
{{- toYaml .ovsBridges | trim | nindent 6 }}
{{- end }}
{{- end }}
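Review bot: the template comment `# Configuration of OVS bridges for secondary network.` is much thinner than the one in values.yaml, so anyone reading the rendered antrea-agent.conf in the ConfigMap loses the single-bridge limit and the `[{bridgeName: "br1", physicalInterfaces: ["eth1"]}]` example; consider carrying the fuller comment over, since the rendered file is what operators usually inspect on a Node. Also worth confirming that `{{- toYaml .ovsBridges | trim | nindent 6 }}` renders the default empty list as `ovsBridges:` followed by an indented `[]` and that the agent's config loader accepts that as an empty slice.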
38 changes: 14 additions & 24 deletions build/charts/antrea/values.yaml
Expand Up @@ -74,24 +74,13 @@ ovs:
hwOffload: false

secondaryNetwork:
ovs:
# -- Enable OVS bridge configuration for secondary network.
enable: false
# -- Secondary network OVS integration bridge name.
integrationBridgeName: "br-secnet-int"
# -- Secondary network OVS transport bridge name.
transportBridgeName: "br-secnet-trans"
# -- Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# -- 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
datapathType: "system"
# -- Name of the OVS patch port which connects the integration and transport bridge.
patchPort: "br-secnet-patch0"
# -- Tunnel protocol used for encapsulating traffic across Nodes. It must be one
# of "geneve", "vxlan", "gre", "stt".
tunnelType: "geneve"
# -- Configuration of OVS bridges for secondary network. At the moment, at
# most one OVS bridge can be specified. If the specified bridge does not exist
# on the Node, antrea-agent will create it based on the configuration.
# The following configuration specifies an OVS bridge with name "br1" and a
# physical interface "eth1":
# [{bridgeName: "br1", physicalInterfaces: ["eth1"]}]
ovsBridges: []

wireGuard:
# -- Port for WireGuard to send and receive traffic.
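Review bot: the new `ovsBridges` comment describes `physicalInterfaces` as a list and shows `["eth1"]`, but the commit message says at most one physical interface can be configured on the bridge; state that limit here next to the one-bridge limit so users do not expect a second entry to be attached. The removed comments also warned to ensure the bridge name does not conflict with existing Open vSwitch bridges; the new comment only covers the case where the bridge does not exist, so a sentence on what happens when a bridge of that name already exists (with or without the listed interface) would help.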
Expand All @@ -113,8 +102,9 @@ ipsec:
egress:
# -- CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
exceptCIDRs: []
# -- The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts
# the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255.
# -- The maximum number of Egress IPs that can be assigned to a Node. It is
# useful when the Node network restricts the number of secondary IPs a Node
# can have, e.g. EKS. It must not be greater than 255.
maxEgressIPsPerNode: 255

nodePortLocal:
Expand All @@ -141,8 +131,8 @@ antreaProxy:
# will only handle Services without the "service.kubernetes.io/service-proxy-name"
# label, but ignore Services with the label no matter what is the value.
serviceProxyName: ""
# -- Determines how external traffic is processed when it's load balanced across Nodes by default. It must be one of "nat" or
# "dsr".
# -- Determines how external traffic is processed when it's load balanced
# across Nodes by default. It must be one of "nat" or "dsr".
defaultLoadBalancerMode: "nat"

nodeIPAM:
Expand All @@ -162,8 +152,8 @@ nodeIPAM:
# -- Address of Kubernetes apiserver, to override any value provided in
# kubeconfig or InClusterConfig.
kubeAPIServerOverride: ""
# -- Address of DNS server, to override the kube-dns service. It's used to
# resolve hostname in FQDN policy.
# -- Address of DNS server, to override the kube-dns Service. It's used to
# resolve hostnames in a FQDN policy.
dnsServerOverride: ""
# -- IPv4 CIDR range used for Services. Required when AntreaProxy is disabled.
serviceCIDR: ""
15 changes: 8 additions & 7 deletions build/yamls/antrea-aks.yml
Expand Up @@ -5698,14 +5698,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -6804,7 +6805,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 07b3b1a7e87c45fa8e85c8cd5aea680835560c857761b708f01afbe4649648b1
checksum/config: 842b09f2bdb613d4e1837ef9ccb414b0a1ac43bc46805521fda8d11c29b278bd
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -7045,7 +7046,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 07b3b1a7e87c45fa8e85c8cd5aea680835560c857761b708f01afbe4649648b1
checksum/config: 842b09f2bdb613d4e1837ef9ccb414b0a1ac43bc46805521fda8d11c29b278bd
labels:
app: antrea
component: antrea-controller
15 changes: 8 additions & 7 deletions build/yamls/antrea-eks.yml
Expand Up @@ -5698,14 +5698,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -6804,7 +6805,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 07b3b1a7e87c45fa8e85c8cd5aea680835560c857761b708f01afbe4649648b1
checksum/config: 842b09f2bdb613d4e1837ef9ccb414b0a1ac43bc46805521fda8d11c29b278bd
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -7046,7 +7047,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 07b3b1a7e87c45fa8e85c8cd5aea680835560c857761b708f01afbe4649648b1
checksum/config: 842b09f2bdb613d4e1837ef9ccb414b0a1ac43bc46805521fda8d11c29b278bd
labels:
app: antrea
component: antrea-controller
15 changes: 8 additions & 7 deletions build/yamls/antrea-gke.yml
Expand Up @@ -5698,14 +5698,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -6804,7 +6805,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: ec71f227c0b41f1bfb349d25289c121f4e905531d5e6e9168275a2edc14f59b1
checksum/config: 7be22072a066fea51fa0f9f6f6eb77aff17b8944e8bf8be22d0e2685fc3cc4b8
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -7043,7 +7044,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: ec71f227c0b41f1bfb349d25289c121f4e905531d5e6e9168275a2edc14f59b1
checksum/config: 7be22072a066fea51fa0f9f6f6eb77aff17b8944e8bf8be22d0e2685fc3cc4b8
labels:
app: antrea
component: antrea-controller
15 changes: 8 additions & 7 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -5711,14 +5711,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -6817,7 +6818,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: dce874662f16b9a7b37ec65575d517e85d4e031e6af8731f8cf92535ebf53451
checksum/config: af36d584694a3efba3367f408a8cd40b44f938097fdba0d154bd532bd299243a
checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
labels:
app: antrea
Expand Down Expand Up @@ -7102,7 +7103,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: dce874662f16b9a7b37ec65575d517e85d4e031e6af8731f8cf92535ebf53451
checksum/config: af36d584694a3efba3367f408a8cd40b44f938097fdba0d154bd532bd299243a
labels:
app: antrea
component: antrea-controller