[Multicast] Add precheck on the encryption mode configurations #5920
Conversation
wenyingd
force-pushed
the
issue_5916
branch
4 times, most recently
from
a5fa0a8
to
e15be5a
Compare
|
/test-all |
@antoninbas For ipsec mode, antrea doesn't use flow based tunnel port (antrea-tun0), instead, antrea-agent would create one tunnel port per peer Node. For multicast, we have only design the flows to support antrea-tun0 by setting tun_dst in OpenFlow actions with encap mode. We have no logic to find the corresponding ipsec tunnel port with peer PodCIDR. |
That's right, thanks for reminding me. |
|
/test-e2e |
wenyingd
force-pushed
the
issue_5916
branch
2 times, most recently
from
d038817
to
44fde80
Compare
|
/test-all |
|
@antoninbas I updated antrea-ipsec.yml with its generator by disabling |
cmd/antrea-agent/options_test.go
Outdated
| assert.Equal(t, tt.expectedErr, err) | ||
| assert.Equal(t, tt.expectedVersions, o.igmpQueryVersions) | ||
| if err != nil { |
There was a problem hiding this comment.
instead of this, we usually use require to verify the error. This way the test stops early if the err value is not what we expect, and we "skip" subsequent assertions.
There was a problem hiding this comment.
In the test, we have designed both happy path and bad paths. This check is valid only with happy path (err is nil ). If we use assert.Require, it may only work with the happy cases.
There was a problem hiding this comment.
sorry I think I wasn't clear, I was just suggesting replacing assert.Equal(t, tt.expectedErr, err) with require.Equal(t, tt.expectedErr, err)
cmd/antrea-agent/options.go
Outdated
| @@ -320,9 +320,12 @@ func (o *Options) validateFlowExporterConfig() error { | |||
| return nil | |||
| } | |||
|
|
|||
| func (o *Options) validateMulticastConfig() error { | |||
| func (o *Options) validateMulticastConfig(encryptionMode config.TrafficEncryptionModeType) error { | |||
| if features.DefaultFeatureGate.Enabled(features.Multicast) { | |||
There was a problem hiding this comment.
looking at your latest code, we should actually add o.config.Multicast.Enable to the condition. Otherwise, this change is not user friendly at all: when installing Antrea (either using the manifest or the Helm chart), users will need to explicitly disable the Multicast FeatureGate. That should not be required. Instead, we should only return validation errors if WireGuard is enabled AND Multicast was explicitly enabled using the boolean toggle.
There was a problem hiding this comment.
Got it, will update.
wenyingd
force-pushed
the
issue_5916
branch
2 times, most recently
from
30b7b51
to
5f87266
Compare
|
/test-all |
cmd/antrea-agent/options_test.go
Outdated
| assert.Equal(t, tt.expectedErr, err) | ||
| assert.Equal(t, tt.expectedVersions, o.igmpQueryVersions) | ||
| if err != nil { |
There was a problem hiding this comment.
sorry I think I wasn't clear, I was just suggesting replacing assert.Equal(t, tt.expectedErr, err) with require.Equal(t, tt.expectedErr, err)
| @@ -45,16 +45,20 @@ func TestWireGuard(t *testing.T) { | |||
| skipIfMissingKernelModule(t, data, node.name, []string{"wireguard"}) | |||
| } | |||
| var previousTrafficEncryptionMode string | |||
| var previousMulticastEnabledState bool | |||
There was a problem hiding this comment.
ditto: changes to this file can be reverted?
There was a problem hiding this comment.
We may still need this change, otherwise, "E2e tests on a Kind cluster on Linux with all features enabled" may fail as Multicast was enabled before.
There was a problem hiding this comment.
Makes sense. It would have been nice to have a comment here explaining that enabling WireGuard requires disabling Multicast, but no big deal, I see that CI jobs have passed already
|
/test-all |
Mutlicast feature can't work with WireGuard or IPSec configurations with encap mode. It will return error when Multicast feature gate is enabled and either Wireguard or IPSec is configured in the initial validations. Signed-off-by: wenyingd <wenyingd@vmware.com>
|
/test-all |
2 similar comments
|
/test-all |
|
/test-all |
|
/test-all |
This is an e2e fix because of PR antrea-io#5920. Signed-off-by: Lan Luo <luola@vmware.com>
This is an e2e fix because of PR antrea-io#5920. Signed-off-by: Lan Luo <luola@vmware.com>
…ntrea-io#6264) This is an e2e fix because of PR antrea-io#5920. Signed-off-by: Lan Luo <luola@vmware.com>
…ntrea-io#6264) This is an e2e fix because of PR antrea-io#5920. Signed-off-by: Lan Luo <luola@vmware.com>
Mutlicast feature can't work with WireGuard or IPSec configurations with encap mode. It will return error when Multicast feature gate is enabled and either Wireguard or IPSec is configured in the initial validations.
Fix: #5916