Enable Calico-Felix for Windows

[nwoodmsft]

Description

This change enables Calico-Felix to be compiled and run on Windows (policy-only). There are three main work items being covered in this change:

• Makefile is updated to support cross-compiling a Calico-Felix binary for Windows (bin/calico-felix.exe)
• To enable compilation to succeed for Windows, there is some minor refactoring of functions/blocks (mainly from felix.go) into seperate source files with build constraints.
• A Windows dataplane driver has been added. This provides the ability to program policies into the Windows dataplane via the Host Network Service (HNS).

Todos

• Unit tests (full coverage)
• Integration tests (delete as appropriate) In plan
• Documentation (Windows deployment guidance is in-review)
• Backport
• Release note

Release Note

Enabled Calico-Felix to be compiled and run on Windows (policy-only)

[CLAassistant]

All committers have signed the CLA.

[fasaxc]

Thanks @nwoodmsft. The code generally looks in good shape and it's easy to follow. Most of the issues I spotted were to do with changes that have gone into master since you took your fork:

• we now have a named port IP set type; for this PR, I propose that you add that to your list of match types to log and skip
• we added health check support to Felix so it'd be good to plumb that through into the windows driver

I think I spotted a bug in the rule conversion when there are multiple IP sets to match.

The rest are suggested cleanups; I think it should be pretty trivial to avoid duplicating code in logutils for example. I'd also like to get to the bottom of the set.go issue but that doesn't need to block the merge if it's unreasonably tricky.

I wonder if we should update the README to mention the Windows support and make sure people understand what is and isn't supported.

[fasaxc]

I think you might need to process IPSetUpdate here too. I think it might be possible in some corner cases for the calc graph to send an IPSetUpdate then a second IPSetUpdate rather than sending deltas.

[nwoodmsft]

Thanks. I hadn't seen a case (in testing) where updates came through as a IPSetUpdate instead of a IPSetDeltaUpdate, so I thought it was safe to have endpoint manager just react to the Deltas. If there are cases where IPSetUpdate might be generated instead, then we definitely need to handle this here. Added.

[fasaxc]

I don't think you need this lock, unless I missed somethingOnUpdate and CompleteDeferredWork are both called from the same goroutine (the dataplane driver's main loop).

[nwoodmsft]

Agreed, will remove. I think there was a case in an earlier iteration of the code where we thought we needed this to be on the safe side, but it doesn't look like it's needed now.

[fasaxc]

You should namespace policy/profile names; you could get a profile and a policy with the same name.

[nwoodmsft]

Good catch, i'll take a look.

[fasaxc]

If there could be many rules here, might be worth wrapping this in a conditional: if log.GetLevel() >= log.DebugLevel {...

[nwoodmsft]

Done.

[fasaxc]

Think you may need to namespace the profiles/policies by type to avoid clashes.

[fasaxc]

Please can you port across the health reporting function. Think we added that after you took your fork. Should just be a matter of starting an extra ticker and calling HealthAggregator.Report(...). Felix now has a health endpoint for Kubernetes to poll.

[nwoodmsft]

Done

[fasaxc]

Please can you pull out the shared function into a shared file? I think that'd be pretty easy to do for this module.

I think you could:

• pull out a function configureSyslog that is implemented on Linux, but stubbed on Windows
• pull out a function openLogFile that is implemented differently on each
• share everything else

[nwoodmsft]

Ok will take a look

[fasaxc]

Please can you pin these to a version or a specific revision? We've found that glide can resolve floating dependencies differently depending on the state of its cache configuration so we've taken to pinning all our immediate dependencies.

[nwoodmsft]

Yes, will do.

[fasaxc]

master has some new negated matches to consider for named ports.

[nwoodmsft]

Ok for now I've added NotSrcNamedPortIpSetIds and NotDstNamedPortIpSetIds to this list.

[fasaxc]

Please can you move this to a utility package (maybe put it in the proto package along with the protobuf definitions?) That'd let us share it between the two implementations.

[nwoodmsft]

Yes, makes sense to share this code. Done.

[fasaxc]

@nwoodmsft Please can you resolve conflicts? To resolve the glide.lock, it should just be a matter of merging glide.yaml and then re-running make update-vendor.

Resolving the glide conflict should fix the Typha pin issue picked up by Semaphore.

[fasaxc]

LGTM