Tidy up deprecated options

Following options are removed since they have been deprecated
for a long time.

```
enableIPSecTunnel
nplPortRange
multicastInterfaces
multicluster.enable
legacyCRDMirroring
```

Signed-off-by: Lan Luo <luola@vmware.com>

cmd/antrea-agent/agent.go

@@ -194,10 +194,6 @@ func run(o *Options) error {
 
 	_, encapMode := config.GetTrafficEncapModeFromStr(o.config.TrafficEncapMode)
 	_, encryptionMode := config.GetTrafficEncryptionModeFromStr(o.config.TrafficEncryptionMode)
-	if o.config.EnableIPSecTunnel {
-		klog.InfoS("enableIPSecTunnel is deprecated, use trafficEncryptionMode instead.")
-		encryptionMode = config.TrafficEncryptionModeIPSec
-	}
 	_, ipsecAuthenticationMode := config.GetIPsecAuthenticationModeFromStr(o.config.IPsec.AuthenticationMode)
 
 	networkConfig := &config.NetworkConfig{

cmd/antrea-agent/options.go

@@ -335,10 +335,6 @@ func (o *Options) validateMulticastConfig() error {
 		for _, version := range o.config.Multicast.IGMPQueryVersions {
 			o.igmpQueryVersions = append(o.igmpQueryVersions, uint8(version))
 		}
-		if len(o.config.Multicast.MulticastInterfaces) == 0 && len(o.config.MulticastInterfaces) > 0 {
-			klog.InfoS("The multicastInterfaces option is deprecated, please use multicast.multicastInterfaces instead")
-			o.config.Multicast.MulticastInterfaces = o.config.MulticastInterfaces
-		}
 	} else if o.config.Multicast.Enable {
 		klog.InfoS("The multicast.enable config option is set to true, but it will be ignored because the Multicast feature gate is disabled")
 	}
@@ -466,12 +462,7 @@ func (o *Options) setK8sNodeDefaultOptions() {
 	}
 
 	if o.config.NodePortLocal.Enable {
-		switch {
-		case o.config.NodePortLocal.PortRange != "":
-		case o.config.NPLPortRange != "":
-			klog.InfoS("The nplPortRange option is deprecated, please use nodePortLocal.portRange instead")
-			o.config.NodePortLocal.PortRange = o.config.NPLPortRange
-		default:
+		if o.config.NodePortLocal.PortRange == "" {
 			o.config.NodePortLocal.PortRange = defaultNPLPortRange
 		}
 	}
@@ -486,13 +477,6 @@ func (o *Options) setK8sNodeDefaultOptions() {
 	}
 
 	if features.DefaultFeatureGate.Enabled(features.Multicluster) {
-		if o.config.Multicluster.Enable {
-			// Multicluster.Enable is deprecated but it may be set by an earlier version
-			// deployment manifest. If it is set to true, pass the value to
-			// Multicluster.EnableGateway.
-			o.config.Multicluster.EnableGateway = true
-		}
-
 		if o.config.Multicluster.EnableGateway && o.config.Multicluster.Namespace == "" {
 			o.config.Multicluster.Namespace = env.GetPodNamespace()
 		}
@@ -640,9 +624,6 @@ func (o *Options) validateExternalNodeOptions() error {
 	if o.config.NodePortLocal.Enable {
 		unsupported = append(unsupported, "NodePortLocal")
 	}
-	if o.config.EnableIPSecTunnel {
-		unsupported = append(unsupported, "EnableIPSecTunnel")
-	}
 	if unsupported != nil {
 		return fmt.Errorf("unsupported features on Virtual Machine: {%s}", strings.Join(unsupported, ", "))
 	}

cmd/antrea-agent/options_linux_test.go

@@ -46,23 +46,6 @@ func TestMulticlusterOptions(t *testing.T) {
 			featureGate: true,
 			expectedErr: "",
 		},
-		{
-			name: "Enable",
-			mcConfig: agentconfig.MulticlusterConfig{
-				Enable: true,
-			},
-			featureGate: true,
-			expectedErr: "",
-		},
-		{
-			name: "Enable and EnableGateway",
-			mcConfig: agentconfig.MulticlusterConfig{
-				Enable:        true,
-				EnableGateway: true,
-			},
-			featureGate: true,
-			expectedErr: "",
-		},
 		{
 			name: "EnableGateway and EnableStretchedNetworkPolicy",
 			mcConfig: agentconfig.MulticlusterConfig{
@@ -112,10 +95,10 @@ func TestMulticlusterOptions(t *testing.T) {
 			o := &Options{config: config, enableAntreaProxy: true}
 			features.DefaultMutableFeatureGate.SetFromMap(o.config.FeatureGates)
 			o.setDefaults()
-			if tt.mcConfig.Enable && tt.featureGate {
+			if tt.mcConfig.EnableGateway && tt.featureGate {
 				assert.True(t, o.config.Multicluster.EnableGateway)
 			}
-			if !tt.mcConfig.Enable && !tt.mcConfig.EnableGateway {
+			if !tt.mcConfig.EnableGateway {
 				assert.False(t, o.config.Multicluster.EnableGateway)
 			}
 

cmd/antrea-controller/options.go

@@ -81,10 +81,6 @@ func (o *Options) validate(args []string) error {
 		}
 	}
 
-	if o.config.LegacyCRDMirroring != nil {
-		klog.InfoS("The legacyCRDMirroring config option is deprecated and will be ignored (no CRD mirroring)")
-	}
-
 	if !features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableStretchedNetworkPolicy {
 		klog.InfoS("Multicluster feature gate is disabled. Multicluster.EnableStretchedNetworkPolicy is ignored")
 	}

docs/api.md

@@ -81,156 +81,7 @@ These are the API group versions which are currently available when using Antrea
 
 | CRD | CRD version | Introduced in | Deprecated in | Removed in |
 |---|---|---|---|---|
+| `ClusterGroup` | v1alpha2 | v1.0.0 | v1.1.0 | v1.12.0 [^1] |
 
-## API renaming from `*.antrea.tanzu.vmware.com` to `*.antrea.io`
-
-For the v1.0 release, we undertook to rename all Antrea APIs to use the
-`antrea.io` suffix instead of the `antrea.tanzu.vmware.com` suffix. For more
-information about the motivations behind this undertaking, please refer to
-[Github issue #1715](https://github.com/antrea-io/antrea/issues/1715).
-
-From the v1.6 release, all legacy APIs (ending with the
-`antrea.tanzu.vmware.com` suffix) have been completely removed. If you are
-running an Antrea version older than v1.0 and you want to upgrade to Antrea v1.6
-or greater and migrate your API resources, you will first need to do an
-intermediate upgrade to an Antrea version >= v1.0 and <= v1.5. You will then be
-able to migrate all your API resources to the new (`*.antrea.io`) API, by
-following the steps below. Finally, you will be able to upgrade to your desired
-Antrea version (>= v1.6).
-
-As part of the API renaming, and to avoid proliferation of API groups, we have
-decided to group all the Custom Resource Definitions (CRDs) defined by Antrea in
-a single API group: `crd.antrea.io`.
-
-To avoid disruptions to existing Antrea users, our requirements for this
-renaming process were as follows:
-
-1. As per our [upgrade
-   policy](versioning.md#antrea-upgrade-and-supported-version-skew), older
-   Agents need to be able to communicate with a new upgraded Controller, using
-   the old `controlplane.antrea.tanzu.vmware.com` API. Once both the Controller
-   and the Agent are upgraded, they communicate using `controlplane.antrea.io`.
-2. API Services can be accessed using either API version.
-3. After upgrade, Custom Resources can be managed using either API
-   version. Resources created using the old API (before or after upgrade) can be
-   accessed using the new API (or the old one).
-4. For each resource in each API group, the new resource type should be
-   backward-compatible with the old resource type, and, whenever possible,
-   forward-compatible. This simplifies the upgrade of existing client
-   applications which leverage the Antrea API. These applications can be easily
-   upgraded to use the new API version, with no change to the business
-   logic. Custom Resources created before upgrading the application can be
-   accessed through the new API with no loss of information.
-
-To achieve our 3rd goal, we introduced a new Kubernetes controller in the Antrea
-Controller, in charge of mirroring "old" Custom Resources (created using the
-`*.antrea.tanzu.vmware.com` API groups) to the new (`*.antrea.io`) API. This new
-mirroring controller is enabled by default, but can be disabled by setting
-`legacyCRDMirroring` to `false` in the `antrea-controller` configuration
-options. Thanks to this controller, the Antrea components (Agent and Controller)
-only need to watch Custom Resources created with the new API group. If any
-client still uses the old (or "legacy") API groups, these Custom Resources will
-be mirrored to the new API group and handled as expected.
-
-The mirroring controller behaves as follows:
-
-* If a Custom Resource is created with the legacy API, it will create a new
-  Custom Resource with the same `Spec` and `Labels` as the legacy one.
-* Any update to the `Spec` and / or `Labels` of the legacy Custom Resource will
-  be reflected identically in the new Custom Resource.
-* Any update to the `Status` of the new mirrored Custom Resource (assuming it
-  has a `Status` field) will be reflected back identically in the legacy Custom
-  Resource.
-* If the legacy Custom Resource is deleted, the mirrored one will be deleted
-  automatically as well.
-* Manual updates to new mirrored Custom Resources will be overwritten by the
-  controller.
-* If a legacy Custom Resource is annotated with `"crd.antrea.io/stop-mirror"`,
-  it will then be ignored, and updates to the corresponding new Custom
-  Resource will no longer be overwritten.
-
-This gives us the following upgrade sequence for a client application which uses
-the legacy Antrea CRDs:
-
-1. Ensure that Antrea has been upgraded in the cluster to a version greater than
-   or equal to v1.0, and that legacy CRD mirroring is enabled (this is the case
-   by default).
-
-2. Check that all Custom Resources have been mirrored. All the new ones should
-   be annotated with `"crd.antrea.io/managed-by":
-   "crdmirroring-controller"`. The first command below will display all the
-   legacy AntreaNetworkPolicies (ANPs). The second one will display all the ones
-   which exist in the new `crd.antrea.io` API group. You can then compare the
-   two lists.
-
-   ```bash
-   kubectl get lanp.security.antrea.tanzu.vmware.com -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
-   kubectl get anp.crd.antrea.io -o jsonpath='{range .items[?(@.metadata.annotations.crd\.antrea\.io/managed-by=="crdmirroring-controller")]}{.metadata.name}{"\n"}{end}'
-   ```
-
-3. Stop the old version of the application, which uses the legacy CRDs.
-
-4. Annotate all existing Custom Resources managed by the application with
-   `"crd.antrea.io/stop-mirror"`. From now on, the mirroring controller will
-   ignore these legacy resources: updates to the legacy resources (including
-   deletions) are not applied to the corresponding new resource any more, and
-   changes to the new resources are now possible (they will not be overwritten
-   by the controller). As an example, the command below will annotate *all* ANPs
-   in the current Namespace with `"crd.antrea.io/stop-mirror"`.
-
-   ```bash
-   kubectl annotate lanp.security.antrea.tanzu.vmware.com --all crd.antrea.io/stop-mirror=''
-   ```
-
-5. Check that none of the new Custom Resources still have the
-   `"crd.antrea.io/managed-by": "crdmirroring-controller"` annotation. Running
-   the same command as before should return an empty list:
-
-   ```bash
-   kubectl get anp.crd.antrea.io -o jsonpath='{range .items[?(@.metadata.annotations.crd\.antrea\.io/managed-by=="crdmirroring-controller")]}{.metadata.name}{"\n"}{end}'
-   ```
-
-   If you remove the filter, all your ANPs should still exist:
-
-   ```bash
-   kubectl get anp.crd.antrea.io -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
-   ```
-
-6. Safely delete all legacy CRDs previously managed by the application. As an
-   example, the command below will delete *all* legacy ANPs in the current
-   Namespace:
-
-   ```bash
-   kubectl delete lanp.security.antrea.tanzu.vmware.com
-   ```
-
-   Once again, all new ANPs should still exist, which can be confirmed with:
-
-   ```bash
-   kubectl get anp.crd.antrea.io -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
-   ```
-
-7. Start the new version of the application, which uses the new CRDs. All
-   mirrored Custom Resources should be available for the application to access.
-
-8. At this stage, if all applications have been updated, legacy CRD mirroring
-   can be disabled in the Antrea Controller configuration.
-
-Note that for CRDs which are "owned" by Antrea, `AntreaAgentInfo` and
-`AntreaControllerInfo`, resources are automatically created by the Antrea
-components using both API versions.
-
-### Deleting legacy Kubernetes resources after an upgrade
-
-After a successful upgrade from Antrea < v1.6 to Antrea >= v1.6, you may want to
-manually clean up legacy Kubernetes resources which were created by an old
-Antrea version but are no longer needed. Note that keeping these resource will
-not impact any Antrea functions.
-
-To delete these legacy resources (CRDs and webhooks), run:
-
-```bash
-kubectl get crds -o=name --no-headers=true | grep "antrea\.tanzu\.vmware\.com" | xargs -r kubectl delete
-kubectl get mutatingwebhookconfigurations -o=name --no-headers=true | grep "antrea\.tanzu\.vmware\.com" | xargs -r kubectl delete
-kubectl get validatingwebhookconfigurations -o=name --no-headers=true | grep "antrea\.tanzu\.vmware\.com" | xargs -r kubectl delete
-```
+[^1]: The v1alpha2 version of the `ClusterGroup` CRD is no longer served by the
+      apiserver in v1.12 and is completely removed in v1.13.

multicluster/apis/multicluster/v1alpha2/clusterset_types.go

@@ -31,13 +31,6 @@ type LeaderClusterInfo struct {
 	// Name of the Secret resource in the member cluster, which stores
 	// the token to access the leader cluster's API server.
 	Secret string `json:"secret,omitempty"`
-	// ServiceAccount in the leader cluster, from which the member cluster's token
-	// is generated. This is an optional field which helps admin to check
-	// which ServiceAccount is used by a member cluster to access the leader cluster.
-	//
-	// DEPRECATED
-	// This field is planned to be removed in the future releases.
-	ServiceAccount string `json:"serviceAccount,omitempty"`
 }
 
 // ClusterSetSpec defines the desired state of ClusterSet.

pkg/agent/multicluster/mc_route_controller_test.go

@@ -63,7 +63,6 @@ func newMCDefaultRouteController(t *testing.T,
 	ciImportInformer := mcInformerFactory.Multicluster().V1alpha1().ClusterInfoImports()
 
 	multiclusterConfig := agent.MulticlusterConfig{
-		Enable:                       true,
 		EnableGateway:                true,
 		Namespace:                    "default",
 		EnableStretchedNetworkPolicy: true,

pkg/config/agent/config.go

@@ -98,8 +98,6 @@ type AgentConfig struct {
 	// --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
 	// No default value for this field.
 	ServiceCIDRv6 string `yaml:"serviceCIDRv6,omitempty"`
-	// Deprecated. Use TrafficEncryptionMode instead.
-	EnableIPSecTunnel bool `yaml:"enableIPSecTunnel,omitempty"`
 	// Determines how tunnel traffic is encrypted.
 	// It has the following options:
 	// - none (default): Inter-node Pod traffic will not be encrypted.
@@ -141,8 +139,6 @@ type AgentConfig struct {
 	ActiveFlowExportTimeout string `yaml:"activeFlowExportTimeout,omitempty"`
 	// Deprecated. Use the FlowExporter config options instead.
 	IdleFlowExportTimeout string `yaml:"idleFlowExportTimeout,omitempty"`
-	// Deprecated. Use the NodePortLocal config options instead.
-	NPLPortRange string `yaml:"nplPortRange,omitempty"`
 	// NodePortLocal (NPL) configuration options.
 	NodePortLocal NodePortLocalConfig `yaml:"nodePortLocal,omitempty"`
 	// FlowExporter configuration options.
@@ -176,10 +172,6 @@ type AgentConfig struct {
 	// 2. TransportInterfaceCIDRs
 	// 3. The Node IP
 	TransportInterfaceCIDRs []string `yaml:"transportInterfaceCIDRs,omitempty"`
-	// The names of the interfaces on Nodes that are used to forward multicast traffic.
-	// Defaults to transport interface if not set.
-	// Deprecated: use Multicast.MulticastInterfaces instead.
-	MulticastInterfaces []string `yaml:"multicastInterfaces,omitempty"`
 	// Multicast configuration options.
 	Multicast MulticastConfig `yaml:"multicast,omitempty"`
 	// AntreaProxy contains AntreaProxy related configuration options.
@@ -331,9 +323,6 @@ type IPsecConfig struct {
 }
 
 type MulticlusterConfig struct {
-	// Deprecated and replaced by "enableGateway". Keep the field in MulticlusterConfig to be
-	// compatible with earlier version (<= v1.10) Antrea deployment manifests.
-	Enable bool `yaml:"enable,omitempty"`
 	// Enable Multi-cluster Gateway.
 	EnableGateway bool `yaml:"enableGateway,omitempty"`
 	// The Namespace where Antrea Multi-cluster Controller is running.

pkg/config/controller/config.go

@@ -64,8 +64,6 @@ type ControllerConfig struct {
 	// ClientCAFile is the file path of the certificate bundle for all the signers that is recognized for incoming
 	// client certificates.
 	ClientCAFile string `yaml:"clientCAFile,omitempty"`
-	// Legacy CRD mirroring (deprecated).
-	LegacyCRDMirroring *bool `yaml:"legacyCRDMirroring,omitempty"`
 	// Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
 	// It is typically used when kube-proxy is not deployed (replaced by AntreaProxy) and kube-controller-manager
 	// does not run NodeIPAMController (replaced by Antrea NodeIPAM).