Add e2e test for VLAN secondary network

Signed-off-by: Jianjun Shen <shenj@vmware.com>

.github/workflows/kind.yml

@@ -509,6 +509,51 @@ jobs:
         path: log.tar.gz
         retention-days: 30
 
+  test-secondary-network:
+    name: Antrea-native (VLAN) secondary network tests on a Kind cluster on Linux
+    needs: [build-antrea-coverage-image]
+    runs-on: [ubuntu-latest]
+    steps:
+    - name: Free disk space
+      # https://github.com/actions/virtual-environments/issues/709
+      run: |
+        sudo apt-get clean
+        df -h
+    - uses: actions/checkout@v4
+      with:
+        show-progress: false
+    - uses: actions/setup-go@v4
+      with:
+        go-version-file: 'go.mod'
+    - name: Download Antrea image from previous job
+      uses: actions/download-artifact@v3
+      with:
+        name: antrea-ubuntu-cov
+    - name: Load Antrea image
+      run: |
+        docker load -i antrea-ubuntu.tar
+        docker tag antrea/antrea-ubuntu-coverage:latest antrea/antrea-ubuntu:latest
+    - name: Install Kind
+      run: |
+        KIND_VERSION=$(head -n1 ./ci/kind/version)
+        curl -Lo ./kind https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-$(uname)-amd64
+        chmod +x ./kind
+        sudo mv kind /usr/local/bin
+    - name: Run secondary network tests
+      run: |
+        mkdir log
+        ANTREA_LOG_DIR=$PWD/log ./ci/kind/test-secondary-network-kind.sh
+    - name: Tar log files
+      if: ${{ failure() }}
+      run: tar -czf log.tar.gz log
+    - name: Upload test log
+      uses: actions/upload-artifact@v3
+      if: ${{ failure() }}
+      with:
+        name: secondary-network.tar.gz
+        path: log.tar.gz
+        retention-days: 30
+
   test-upgrade-from-N-1:
     name: Upgrade from Antrea version N-1
     needs: build-antrea-coverage-image

build/charts/antrea/conf/antrea-agent.conf

@@ -427,7 +427,7 @@ secondaryNetwork:
 {{- with .Values.secondaryNetwork }}
   # Configuration of OVS bridges for secondary network.
   ovsBridges:
-    {{- toYaml .ovsBridges | trim | nindent 6 }}
+  {{- toYaml .ovsBridges | trim | nindent 4 }}
 {{- end }}
 
 {{- end }}

ci/kind/test-secondary-network-kind.sh

@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 Antrea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The script runs NetworkPolicy conformance tests on Kind with different traffic encapsulation modes.
+
+set -eo pipefail
+
+function echoerr {
+    >&2 echo "$@"
+}
+
+_usage="Usage: $0 [--setup-only|--test-only|--cleanup-only] [--help|-h]
+        --setup-only                  Only perform setting up the cluster and run test.
+        --test-only                   Only run test on current cluster. Not set up/clean up the cluster.
+        --cleanup-only                Only perform cleaning up the cluster.
+        --help, -h                    Print this message and exit.
+"
+
+function print_usage {
+    echoerr -n "$_usage"
+}
+
+TESTBED_CMD=$(dirname $0)"/kind-setup.sh"
+YML_CMD=$(dirname $0)"/../../hack/generate-manifest.sh"
+ATTACHMENT_DEFINITION_YAML=$(dirname $0)"/../../test/e2e-secondary-network/infra/network-attachment-definition-crd.yml"
+SECONDARY_NETWORKS_YAML=$(dirname $0)"/../../test/e2e-secondary-network/infra/secondary-networks.yml"
+
+TIMEOUT="5m"
+MANIFEST_ARGS="--secondary-bridge br-secondary"
+# Antrea is deployed by this script. Do not deploy it again in the test.
+TEST_OPTIONS="--logs-export-dir=$ANTREA_LOG_DIR --deploy-antrea=false"
+
+setup_only=false
+cleanup_only=false
+test_only=false
+
+function quit {
+  result=$?
+  if [[ $setup_only || $test_only ]]; then
+    exit $result
+  fi
+  echoerr "Cleaning testbed"
+  $TESTBED_CMD destroy kind
+}
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+    --setup-only)
+    setup_only=true
+    shift
+    ;;
+    --cleanup-only)
+    cleanup_only=true
+    shift
+    ;;
+    --test-only)
+    test_only=true
+    shift
+    ;;
+    -h|--help)
+    print_usage
+    exit 0
+    ;;
+    *)    # unknown option
+    echoerr "Unknown option $1"
+    exit 1
+    ;;
+esac
+done
+
+if [[ $cleanup_only == "true" ]];then
+  $TESTBED_CMD destroy kind
+  exit 0
+fi
+
+trap "quit" INT EXIT
+
+IMAGE_LIST=("projects.registry.vmware.com/antrea/busybox" \
+            "antrea/antrea-ubuntu:latest")
+
+printf -v IMAGES "%s " "${IMAGE_LIST[@]}"
+
+function setup_cluster {
+  args=$1
+  echo "creating test bed with args $args"
+  eval "timeout 600 $TESTBED_CMD create kind $args"
+}
+
+function run_test {
+  echo "Generating Antrea manifest with args $MANIFEST_ARGS"
+  $YML_CMD $MANIFEST_ARGS | kubectl apply -f -
+
+  # Wait for antrea-controller start to make sure the IPPool validation webhook is ready.
+  kubectl rollout status --timeout=1m deployment.apps/antrea-controller -n kube-system
+  kubectl apply -f $ATTACHMENT_DEFINITION_YAML
+  kubectl apply -f $SECONDARY_NETWORKS_YAML
+
+  go test -v -timeout=$TIMEOUT antrea.io/antrea/test/e2e-secondary-network -run=TestVLANNetwork -provider=kind $TEST_OPTIONS
+}
+
+echo "======== Testing Antrea-native secondary network support =========="
+if [[ $test_only == "false" ]];then
+  setup_cluster "--extra-networks \"20.20.20.0/24\" --images \"$IMAGES\""
+fi
+run_test
+exit 0

hack/generate-manifest.sh

@@ -20,31 +20,33 @@ function echoerr {
     >&2 echo "$@"
 }
 
-_usage="Usage: $0 [--mode (dev|release)] [--encap-mode] [--ipsec] [--tun (geneve|vxlan|gre|stt)] [--verbose-log] [--help|-h]
+_usage="Usage: $0 [--mode (dev|release)] [--encap-mode (mode)] [--ipsec] [--tun (geneve|vxlan|gre|stt)] [--verbose-log]
 Generate a YAML manifest for Antrea using Helm and print it to stdout.
-        --mode (dev|release)          Choose the configuration variant that you need (default is 'dev')
-        --encap-mode                  Traffic encapsulation mode. (default is 'encap')
-        --cloud                       Generate a manifest appropriate for running Antrea in Public Cloud
-        --ipsec                       Generate a manifest with IPsec encryption of tunnel traffic enabled
+        --mode (dev|release)          Choose the configuration variant that you need (default is 'dev').
+        --encap-mode (mode)           Traffic encapsulation mode (default is 'encap').
+        --cloud                       Generate a manifest appropriate for running Antrea in Public Cloud.
+        --ipsec                       Generate a manifest with IPsec encryption of tunnel traffic enabled.
         --feature-gates               A comma-separated list of key=value pairs that describe feature gates, e.g. TrafficControl=true,Egress=false.
-        --proxy-all                   Generate a manifest with Antrea proxy with all Service support enabled
-        --tun (geneve|vxlan|gre|stt)  Choose encap tunnel type from geneve, gre, stt and vxlan (default is geneve)
-        --verbose-log                 Generate a manifest with increased log-level (level 4) for Antrea agent and controller.
-                                      This option will work only in 'dev' mode.
+        --proxy-all                   Generate a manifest with Antrea proxy with all Service support enabled.
+        --tun (geneve|vxlan|gre|stt)  Choose encap tunnel type from geneve, gre, stt and vxlan (default is geneve).
         --on-delete                   Generate a manifest with antrea-agent's update strategy set to OnDelete.
                                       This option will work only in 'dev' mode.
-        --coverage                    Generates a manifest which supports measuring code coverage of Antrea binaries.
-        --simulator                   Generates a manifest with antrea-agent simulator included
-        --custom-adm-controller       Generates a manifest with custom Antrea admission controller to validate/mutate resources.
-        --hw-offload                  Generates a manifest with hw-offload enabled in the antrea-ovs container.
-        --sriov                       Generates a manifest which enables use of Kubelet API for SR-IOV device info.
-        --flexible-ipam               Generates a manifest with flexible IPAM enabled.
-        --whereabouts                 Generates a manifest which enables whereabouts configuration for secondary network IPAM.
-        --help, -h                    Print this message and exit
-        --multicast                   Generates a manifest for multicast.
-        --multicast-interfaces        Multicast interface names (default is empty)
-        --extra-helm-values-file      Optional extra helm values file to override the default config values
-        --extra-helm-values           Optional extra helm values to override the default config values
+        --coverage                    Generate a manifest which supports measuring code coverage of Antrea binaries.
+        --simulator                   Generate a manifest with antrea-agent simulator included.
+        --custom-adm-controller       Generate a manifest with custom Antrea admission controller to validate/mutate resources.
+        --flexible-ipam               Generate a manifest with flexible IPAM enabled.
+        --hw-offload                  Generate a manifest with hw-offload enabled in the antrea-ovs container.
+        --sriov                       Generate a manifest which enables use of kubelet API for SR-IOV device info.
+        --secondary-bridge (bridge)   Generate a manifest wich enables secondary network and creates a secondary OVS bridge.
+        --physical-interface (device) Specify the physical interface of the secondary OVS bridge.
+        --whereabouts                 Generate a manifest which enables whereabouts configuration for secondary network IPAM.
+        --multicast                   Generate a manifest for multicast.
+        --multicast-interfaces        Multicast interface names (default is empty).
+        --extra-helm-values-file      Optional extra helm values file to override the default config values.
+        --extra-helm-values           Optional extra helm values to override the default config values.
+        --verbose-log                 Generate a manifest with increased log-level (level 4) for Antrea agent and controller.
+                                      This option will work only in 'dev' mode.
+        --help, -h                    Print this message and exit.
 
 In 'release' mode, environment variables IMG_NAME and IMG_TAG must be set.
 
@@ -76,10 +78,12 @@ COVERAGE=false
 K8S_115=false
 SIMULATOR=false
 CUSTOM_ADM_CONTROLLER=false
+FLEXIBLE_IPAM=false
 HW_OFFLOAD=false
 SRIOV=false
+SECONDARY_BRIDGE=""
+PHYSICAL_INTERFACE=""
 WHEREABOUTS=false
-FLEXIBLE_IPAM=false
 MULTICAST=false
 MULTICAST_INTERFACES=""
 HELM_VALUES_FILES=()
@@ -128,10 +132,6 @@ case $key in
     TUN_TYPE="$2"
     shift 2
     ;;
-    --verbose-log)
-    VERBOSE_LOG=true
-    shift
-    ;;
     --on-delete)
     ON_DELETE=true
     shift
@@ -148,17 +148,25 @@ case $key in
     CUSTOM_ADM_CONTROLLER=true
     shift
     ;;
+    --flexible-ipam)
+    FLEXIBLE_IPAM=true
+    shift
+    ;;
     --hw-offload)
     HW_OFFLOAD=true
     shift
     ;;
     --sriov)
     SRIOV=true
     shift
-    ;;   
-    --flexible-ipam)
-    FLEXIBLE_IPAM=true
-    shift
+    ;;
+    --secondary-bridge)
+    SECONDARY_BRIDGE="$2"
+    shift 2
+    ;;
+    --physical-interface)
+    PHYSICAL_INTERFACE="$2"
+    shift 2
     ;;
     --whereabouts)
     WHEREABOUTS=true
@@ -184,6 +192,10 @@ case $key in
     HELM_VALUES+=("$2")
     shift 2
     ;;
+    --verbose-log)
+    VERBOSE_LOG=true
+    shift
+    ;;
     -h|--help)
     print_usage
     exit 0
@@ -328,6 +340,20 @@ EOF
     HELM_VALUES_FILES+=("$TMP_DIR/sriov.yml")
 fi
 
+if [[ $SECONDARY_BRIDGE != "" ]]; then
+    if [[ $PHYSICAL_INTERFACE != "" ]]; then
+        ovs_bridges="[{bridgeName: $SECONDARY_BRIDGE, physicalInterfaces: [$PHYSICAL_INTERFACE]}]"
+    else
+        ovs_bridges="[{bridgeName: \"$SECONDARY_BRIDGE\"}]"
+    fi
+    cat << EOF > $TMP_DIR/secondary-network.yml
+secondaryNetwork:
+  ovsBridges: $ovs_bridges
+EOF
+    HELM_VALUES+=("featureGates.SecondaryNetwork=true" "featureGates.AntreaIPAM=true")
+    HELM_VALUES_FILES+=("$TMP_DIR/secondary-network.yml")
+fi
+
 if $WHEREABOUTS; then
     HELM_VALUES+=("whereabouts.enable=true")
 fi

pkg/agent/secondarynetwork/podwatch/controller.go

@@ -231,10 +231,13 @@ func (pc *PodController) handleAddUpdatePod(obj interface{}) error {
 	}
 
 	err = pc.configurePodSecondaryNetwork(pod, networklist, podCNIInfo)
-	// We do not return error to retry, if at least one secondary network is configured.
-	if (err != nil) && (len(podCNIInfo.Interfaces) == 0) {
-		// Return error to requeue and retry.
-		return err
+	if err != nil {
+		if len(podCNIInfo.Interfaces) == 0 {
+			// Return error to requeue and retry.
+			return err
+		}
+		// We do not return error to retry, if at least one secondary network is configured.
+		klog.ErrorS(err, "Error when configuring secondary network", "pod", klog.KObj(pod))
 	}
 	return nil
 }