Make externalIP proxying configurable for AntreaProxy

[antoninbas]

A new proxyExternalIPs configuration parameter is added for
AntreaProxy. When set to false, ntreaProxy no longer load-balances
traffic destined to the ExternalIPs of LoadBalancer Services. This is
useful when the external LoadBalancer provides additional capabilities
(e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic
to be sent to the external LoadBalancer instead of being load-balanced
to an Endpoint directly by AntreaProxy.

The default behavior is unchanged, i.e. proxyExternalIPs is true by
default.

Note that setting ProxyExternalIPs to false usually only makes sense
when ProxyAll is set to true and kube-proxy is removed from the cluser,
otherwise kube-proxy will still load-balance this traffic.

This feature cannot be leveraged by an external Load Balancer that
depends on the local proxy (AntreaProxy) being able to load balance
traffic destined to the ExternalIP. This is the case for example with
MetalLB. However Load Balancers that rely on NodePort / NodePortLocal
can leverage this feature.

Fixes #3121

Signed-off-by: Antonin Bas abas@vmware.com

[codecov-commenter]

Codecov Report

Merging #3130 (93cf9bd) into main (43d2ee9) will decrease coverage by 6.62%.
The diff coverage is 68.96%.

@@            Coverage Diff             @@
##             main    #3130      +/-   ##
==========================================
- Coverage   58.28%   51.65%   -6.63%     
==========================================
  Files         297      297              
  Lines       25308    25311       +3     
==========================================
- Hits        14750    13075    -1675     
- Misses       8965    10757    +1792     
+ Partials     1593     1479     -114     

Flag	Coverage Δ
kind-e2e-tests	30.82% <55.17%> (-13.46%)	⬇️
unit-tests	40.32% <62.06%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/proxy/proxier.go	56.75% <68.96%> (-0.69%)	⬇️
pkg/controller/types/networkpolicy.go	0.00% <0.00%> (-100.00%)	⬇️
pkg/agent/controller/networkpolicy/reject.go	0.00% <0.00%> (-84.68%)	⬇️
pkg/apis/controlplane/v1beta2/helper.go	33.33% <0.00%> (-66.67%)	⬇️
...formers/externalversions/security/v1alpha1/tier.go	0.00% <0.00%> (-64.29%)	⬇️
...ers/externalversions/core/v1alpha2/clustergroup.go	0.00% <0.00%> (-64.29%)	⬇️
...s/externalversions/core/v1alpha2/externalentity.go	0.00% <0.00%> (-64.29%)	⬇️
...xternalversions/security/v1alpha1/networkpolicy.go	0.00% <0.00%> (-64.29%)	⬇️
...versions/security/v1alpha1/clusternetworkpolicy.go	0.00% <0.00%> (-64.29%)	⬇️
pkg/controller/networkpolicy/mutate.go	0.00% <0.00%> (-62.07%)	⬇️
... and 85 more

[jianjuns]

LGTM.

In commit message, ntreaProxy -> AntreaProxy.

[tnqn]

I just found when we talked about externalIP, we actually referred to loadbalancerIPs, while there is another field in Service's Spec called ExternalIPs, which Antrea doesn't proxy at the moment but kube-proxy does. We may need to support it in the future. I don't think we need to have a toggle for it as the spec says "externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service". But to avoid confusion, should we call the configuration for loadbalancer IPs proxyLoadBalancerIPs?

[antoninbas]

I actually opened an issue a while back about supporting ExternalIPs for ClusterIP Services: #1627

Originally I thought that the proxyExternalIPs configuration would eventually apply to both (LoadBalancerIPs and ExternalIPs) but thinking about it some more I don't think it makes sense. I'll work on renaming the configuration parameter as you suggested.

[hongliangl]

My concern is that: for externalTrafficPolicy of a LoadBalancer Service is Cluster, which means the source IP address of client should be reserved, for the connection whose source is a Pod, and destination is a ExternalIP(Pod-to-ExternalIP traffic mode). I'm a little confused about how the reply packets go back to external LB to guarantee the symmetry of for a connection.

• Request packet path: Pod -> Antrea gateway -> external LB -> Antrea gateway -> Endpoint
• Reply packet path: Endpoint -> Antrea gateway(without SNAT, I think the reply packet will be routed to the Pod since the source IP address of the client is reserved).

[antoninbas]

for externalTrafficPolicy of a LoadBalancer Service is Cluster, which means the source IP address of client should be reserved

Do you mean when externalTrafficPolicy is Local, in which case the IP is preserved?

The external Load Balancer must SNAT the traffic, which is typically the case or can be configured (for AVI for example it is the default), in order for the reply traffic to go back through the external LB. That applies regardless of the externalTrafficPolicy.

[jianjuns]

Probably @hongliangl means the case LB does not SNAT, e.g. LB is inline and embedded in the gateway? That is quite uncommon though.

[hongliangl]

The external Load Balancer must SNAT the traffic, which is typically the case or can be configured (for AVI for example it is the default), in order for the reply traffic to go back through the external LB. That applies regardless of the externalTrafficPolicy.

If SNAT is performed regardless of the externalTrafficPolicy, it makes sense.

[tnqn]

LGTM

[tnqn]

LGTM

[tnqn]

/test-all

[tnqn]

/skip-all
I have ran all required checks manually, "ACNPFQDNPolicy" and "TestFlowAggregator' failed but not related to this PR.

[tnqn]

/skip-all