Merge branch 'antrea-io:main' into antrea-secondary-network-test-sep22

antrea-io · Dec 7, 2022 · 0cbbe9b · 0cbbe9b
2 parents fcf62ed + 567137c
commit 0cbbe9b
Show file tree

Hide file tree

Showing 367 changed files with 32,005 additions and 6,070 deletions.
diff --git a/.github/workflows/cancel_workflows.yml b/.github/workflows/cancel_workflows.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.event == 'pull_request' }}
     steps:
-    - uses: styfle/cancel-workflow-action@0.10.0
+    - uses: styfle/cancel-workflow-action@0.11.0
       with:
         all_but_latest: true
         workflow_id: ${{ github.event.workflow.id }}
diff --git a/.github/workflows/docker_update_base_windows.yml b/.github/workflows/docker_update_base_windows.yml
@@ -35,12 +35,12 @@ jobs:
         username: ${{ secrets.DOCKER_USERNAME }}
         password: ${{ secrets.DOCKER_PASSWORD }}
     - name: Build and push Docker images
-      if: ${{ github.event.inputs.push == "true" }}
+      if: ${{ github.event.inputs.push }}
       run: |
         ./hack/build-antrea-windows-all.sh --pull --push-base-images
       shell: bash
     - name: Build Docker images without pushing
-      if: ${{ github.event.inputs.push == "false" }}
+      if: ${{ !github.event.inputs.push }}
       run: |
         ./hack/build-antrea-windows-all.sh --pull
       shell: bash
diff --git a/.github/workflows/kind.yml b/.github/workflows/kind.yml
@@ -679,12 +679,12 @@ jobs:
     steps:
     - name: Delete antrea-ubuntu-cov
       if: ${{ needs.build-antrea-coverage-image.result == 'success' }}
-      uses: geekyeggo/delete-artifact@v1
+      uses: geekyeggo/delete-artifact@v2
       with:
         name: antrea-ubuntu-cov
     - name: Delete flow-aggregator
       if: ${{ needs.build-flow-aggregator-coverage-image.result == 'success' }}
-      uses: geekyeggo/delete-artifact@v1
+      uses: geekyeggo/delete-artifact@v2
       with:
         name: flow-aggregator-cov
         failOnError: false
diff --git a/.github/workflows/process_release.yml b/.github/workflows/process_release.yml
@@ -218,13 +218,40 @@ jobs:
         asset_path: ./assets/antrea-multicluster-member.yml
         asset_name: antrea-multicluster-member.yml
         asset_content_type: application/octet-stream
+    - name: Upload antrea-agent-linux-x86_64
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./assets/antrea-agent-linux-x86_64
+        asset_name: antrea-agent-linux-x86_64
+        asset_content_type: application/octet-stream
+    - name: Upload antrea-agent-linux-arm64
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./assets/antrea-agent-linux-arm64
+        asset_name: antrea-agent-linux-arm64
+        asset_content_type: application/octet-stream
+    - name: Upload antrea-agent-linux-arm
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./assets/antrea-agent-linux-arm
+        asset_name: antrea-agent-linux-arm
+        asset_content_type: application/octet-stream
     - name: Upload antrea-agent-windows-x86_64.exe
       uses: actions/upload-release-asset@v1
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
         upload_url: ${{ github.event.release.upload_url }}
-        asset_path: ./assets/antrea-agent.exe
+        asset_path: ./assets/antrea-agent-windows-x86_64.exe
         asset_name: antrea-agent-windows-x86_64.exe
         asset_content_type: application/octet-stream
     - name: Upload antrea-cni-windows-x86_64.exe
@@ -233,7 +260,7 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
         upload_url: ${{ github.event.release.upload_url }}
-        asset_path: ./assets/antrea-cni.exe
+        asset_path: ./assets/antrea-cni-windows-x86_64.exe
         asset_name: antrea-cni-windows-x86_64.exe
         asset_content_type: application/octet-stream
     - name: Upload Start-AntreaAgent.ps1
@@ -263,6 +290,24 @@ jobs:
         asset_path: ./assets/flow-aggregator-chart.tgz
         asset_name: flow-aggregator-chart.tgz
         asset_content_type: application/octet-stream
+    - name: Upload install-vm.sh
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./assets/install-vm.sh
+        asset_name: install-vm.sh
+        asset_content_type: application/octet-stream
+    - name: Upload install-vm.ps1
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./assets/install-vm.ps1
+        asset_name: install-vm.ps1
+        asset_content_type: application/octet-stream
 
   update-website:
     name: Trigger website update for release

diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,7 @@ bin
 .cache
 .golangci-bin
 .coverage/
+.trivy-bin
 
 .DS_Store
 

diff --git a/.golangci.yml b/.golangci.yml
@@ -13,20 +13,20 @@ linters-settings:
     ignore-generated-header: false
     severity: warning
     confidence: 0.8
-    # errorf, var-declaration temporarily disabled because of https://github.com/golangci/golangci-lint/issues/2997
     rules:
       - name: unreachable-code
-      # - name: errorf
+      - name: errorf
       - name: range
       - name: superfluous-else
-      # - name: var-declaration
+      - name: var-declaration
+      - name: duplicated-imports
 
 linters:
   disable-all: true
   enable:
     - misspell
     - gofmt
-    - deadcode
+    - unused
     - staticcheck
     - gosec
     - goimports

diff --git a/CHANGELOG/CHANGELOG-1.9.md b/CHANGELOG/CHANGELOG-1.9.md
@@ -0,0 +1,73 @@
+# Changelog 1.9
+
+## 1.9.0 - 2022-10-21
+
+### Added
+
+- Add the following capabilities to the Multi-cluster feature:
+  * Add support for Pod-to-Pod connectivity across clusters. ([#4219](https://github.com/antrea-io/antrea/pull/4219), [@hjiajing])
+  * Add active-passive mode high availability support for Gateway Nodes. ([#4069](https://github.com/antrea-io/antrea/pull/4069), [@luolanzone])
+  * Allow Pod IPs as Endpoints of Multi-cluster Service; option `endpointIPType` is added to the Multi-cluster Controller ConfigMap to specify the Service Endpoints type. ([#4198](https://github.com/antrea-io/antrea/pull/4198), [@luolanzone])
+  * Add `antctl mc get joinconfig` command to print ClusterSet join parameters. ([#4299](https://github.com/antrea-io/antrea/pull/4299), [@jianjuns])
+  * Add `antctl mc get|delete membertoken` commands to get/delete member token. ([#4254](https://github.com/antrea-io/antrea/pull/4254), [@bangqipropel])
+- Add rule name to Audit Logging for Antrea-native policies. ([#4178](https://github.com/antrea-io/antrea/pull/4178), [@qiyueyao])
+- Add Service health check similar to kube-proxy in antrea-agent; it provides HTTP endpoints "<nodeIP>:<healthCheckNodePort>/healthz" for querying number of local Endpoints of a Service. ([#4120](https://github.com/antrea-io/antrea/pull/4120), [@shettyg])
+- Add S3Uploader as a new exporter of Flow Aggregator, which periodically exports expired flow records to AWS S3 storage bucket. ([#4143](https://github.com/antrea-io/antrea/pull/4143), [@heanlan])
+- Add scripts and binaries needed for running Antrea on non-Kubernetes Nodes (ExternalNode) in release assets. ([#4266](https://github.com/antrea-io/antrea/pull/4266) [#4113](https://github.com/antrea-io/antrea/pull/4113), [@antoninbas] [@Anandkumar26])
+
+### Changed
+
+- AntreaProxy now supports more than 800 Endpoints for a Service. ([#4167](https://github.com/antrea-io/antrea/pull/4167), [@hongliangl])
+- Add OVS connection check to Agent's liveness probes for self-healing on OVS disconnection. ([#4126](https://github.com/antrea-io/antrea/pull/4126), [@tnqn])
+- antrea-agent startup scripts now perform cleanup automatically on non-Kubernetes Nodes (ExternalNode) upon Node restart. ([#4277](https://github.com/antrea-io/antrea/pull/4277), [@Anandkumar26])
+- Make tunnel csum option configurable and default to false which avoids double encapsulation checksum issues on some platforms. ([#4250](https://github.com/antrea-io/antrea/pull/4250), [@tnqn])
+- Use standard value type for k8s.v1.cni.cncf.io/networks annotation for the SecondaryNetwork feature. ([#4146](https://github.com/antrea-io/antrea/pull/4146), [@antoninbas])
+- Update Go to v1.19. ([#4106](https://github.com/antrea-io/antrea/pull/4106), [@antoninbas])
+- Add API support for reporting Antrea NetworkPolicy realization failure. ([#4248](https://github.com/antrea-io/antrea/pull/4248), [@wenyingd])
+- Update ResourceExport's json tag to lowerCamelCase. ([#4211](https://github.com/antrea-io/antrea/pull/4211), [@luolanzone])
+- Add clusterUUID column to S3 uploader and ClickHouseExporter to support multiple clusters in the same data warehouse. ([#4214](https://github.com/antrea-io/antrea/pull/4214), [@heanlan])
+
+### Fixed
+
+- Fix nil pointer error when collecting support bundle from Agent fails. ([#4306](https://github.com/antrea-io/antrea/pull/4306), [@tnqn])
+- Set no-flood config for TrafficControl ports after restarting Agent to prevent ARP packet loops. ([#4318](https://github.com/antrea-io/antrea/pull/4318), [@hongliangl])
+- Fix packet resubmission issue when AntreaProxy is enabled and AntreaPolicy is disable. ([#4261](https://github.com/antrea-io/antrea/pull/4261), [@GraysonWu])
+- Fix ownerReferences in APIExternalEntities generated from ExternalNodes. ([#4259](https://github.com/antrea-io/antrea/pull/4259), [@wenyingd])
+- Fix the issue that "MulticastGroup" API returned wrong Pods that have joined multicast groups. ([#4240](https://github.com/antrea-io/antrea/pull/4240), [@ceclinux])
+- Fix inappropriate route for IPv6 ClusterIPs in the host network when proxyAll is enabled. ([#4297](https://github.com/antrea-io/antrea/pull/4297), [@tnqn])
+- Fix log spam when there is any DNS based LoadBalancer Service. ([#4234](https://github.com/antrea-io/antrea/pull/4234), [@tnqn])
+- Remove multicast group from cache when group is uninstalled. ([#4176](https://github.com/antrea-io/antrea/pull/4176), [@wenyingd])
+- Remove redundant Openflow messages when syncing an updated group to OVS. ([#4160](https://github.com/antrea-io/antrea/pull/4160), [@hongliangl])
+- Fix nil pointer error when there is no ClusterSet found during MemberClusterAnnounce validation. ([#4154](https://github.com/antrea-io/antrea/pull/4154), [@luolanzone])
+- Fix data race when Multi-cluster controller reconciles ServiceExports concurrently. ([#4305](https://github.com/antrea-io/antrea/pull/4305), [@Dyanngg])
+- Fix memory leak in Multi-cluster resource import controllers. ([#4251](https://github.com/antrea-io/antrea/pull/4251), [@Dyanngg])
+- Fix Antrea-native policies for multicast traffic matching IGMP traffic unexpectedly. ([#4206](https://github.com/antrea-io/antrea/pull/4206), [@liu4480])
+- Fix IPsec not working in UBI-based image. ([#4244](https://github.com/antrea-io/antrea/pull/4244), [@xliuxu])
+- Fix `antctl mc get clusterset` command output when a ClusterSet's status is empty. ([#4174](https://github.com/antrea-io/antrea/pull/4174), [@luolanzone])
+
+
+[@Anandkumar26]: https://github.com/Anandkumar26
+[@Dyanngg]: https://github.com/Dyanngg
+[@GraysonWu]: https://github.com/GraysonWu
+[@XinShuYang]: https://github.com/XinShuYang
+[@antoninbas]: https://github.com/antoninbas
+[@antrea-bot]: https://github.com/antrea-bot
+[@arunvelayutham]: https://github.com/arunvelayutham
+[@bangqipropel]: https://github.com/bangqipropel
+[@ceclinux]: https://github.com/ceclinux
+[@dependabot]: https://github.com/dependabot
+[@heanlan]: https://github.com/heanlan
+[@hjiajing]: https://github.com/hjiajing
+[@hongliangl]: https://github.com/hongliangl
+[@jainpulkit22]: https://github.com/jainpulkit22
+[@jianjuns]: https://github.com/jianjuns
+[@liu4480]: https://github.com/liu4480
+[@luolanzone]: https://github.com/luolanzone
+[@qiyueyao]: https://github.com/qiyueyao
+[@shettyg]: https://github.com/shettyg
+[@tnqn]: https://github.com/tnqn
+[@wenqiq]: https://github.com/wenqiq
+[@wenyingd]: https://github.com/wenyingd
+[@xliuxu]: https://github.com/xliuxu
+[@yanjunz97]: https://github.com/yanjunz97
+[@yuntanghsu]: https://github.com/yuntanghsu
diff --git a/CHANGELOG/README.md b/CHANGELOG/README.md
@@ -10,6 +10,7 @@ stages](https://github.com/kubernetes/community/blob/master/contributors/devel/s
 Some experimental features can be enabled / disabled using [Feature
 Gates](../docs/feature-gates.md).
 
+- [CHANGELOG-1.9](CHANGELOG-1.9.md)
 - [CHANGELOG-1.8](CHANGELOG-1.8.md)
 - [CHANGELOG-1.7](CHANGELOG-1.7.md)
 - [CHANGELOG-1.6](CHANGELOG-1.6.md)

diff --git a/Makefile b/Makefile
@@ -14,6 +14,8 @@ CNI_BINARIES_VERSION := $(shell head -n 1 build/images/deps/cni-binaries-version
 NANOSERVER_VERSION := $(shell head -n 1 build/images/deps/nanoserver-version)
 WIN_BUILD_TAG      := $(shell echo $(GO_VERSION) $(CNI_BINARIES_VERSION) $(NANOSERVER_VERSION)|md5sum|head -c 10)
 GIT_HOOKS := $(shell find hack/git_client_side_hooks -type f -print)
+DOCKER_NETWORK     ?= default
+TRIVY_TARGET_IMAGE ?=
 
 DOCKER_BUILD_ARGS = --build-arg OVS_VERSION=$(OVS_VERSION)
 DOCKER_BUILD_ARGS += --build-arg GO_VERSION=$(GO_VERSION)
@@ -49,11 +51,26 @@ bin:
 	@mkdir -p $(BINDIR)
 	GOOS=linux $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/...
 
+.trivy-bin:
+	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b $@ v0.34.0
+
+check-%:
+	@: $(if $(value $*),,$(error $* is undefined))
+
+.PHONY: trivy-scan
+trivy-scan: .trivy-bin check-TRIVY_TARGET_IMAGE
+	$(CURDIR)/.trivy-bin/trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed $(TRIVY_TARGET_IMAGE)
+
 .PHONY: antrea-agent
 antrea-agent:
 	@mkdir -p $(BINDIR)
 	GOOS=linux $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-agent
 
+.PHONY: antrea-agent-release
+antrea-agent-release:
+	@mkdir -p $(BINDIR)
+	@CGO_ENABLED=0 $(GO) build -o $(BINDIR)/$(ANTREA_AGENT_BINARY_NAME) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-agent
+
 .PHONY: antrea-agent-simulator
 antrea-agent-simulator:
 	@mkdir -p $(BINDIR)
@@ -85,14 +102,18 @@ antrea-cni:
 	@mkdir -p $(BINDIR)
 	GOOS=linux CGO_ENABLED=0 $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-cni
 
+.PHONY: antrea-cni
+antrea-cni-release:
+	@mkdir -p $(BINDIR)
+	@CGO_ENABLED=0 $(GO) build -o $(BINDIR)/$(ANTREA_CNI_BINARY_NAME) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antrea-cni
+
 .PHONY: antctl-instr-binary
 antctl-instr-binary:
 	@mkdir -p $(BINDIR)
 	GOOS=linux $(GO) test -tags testbincover -covermode count -coverpkg=antrea.io/antrea/pkg/... -c -o $(BINDIR)/antctl-coverage $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/antrea/cmd/antctl
 
 # diable cgo for antrea-cni and antrea-agent: antrea-cni is meant to be
-# installed on the host and the antrea-agent is run as a process on Windows
-# hosts (we also distribute it as a release binary).
+# installed on the host and the antrea-agent is run as a process on Windows.
 .PHONY: windows-bin
 windows-bin:
 	@mkdir -p $(BINDIR)
@@ -206,7 +227,7 @@ antctl: $(ANTCTL_BINARIES)
 
 .PHONY: antctl-release
 antctl-release:
-	@$(GO) build -o $(BINDIR)/$(ANTCTL_BINARY_NAME) $(GOFLAGS) -ldflags '-s -w $(LDFLAGS)' antrea.io/antrea/cmd/antctl
+	@CGO_ENABLED=0 $(GO) build -o $(BINDIR)/$(ANTCTL_BINARY_NAME) $(GOFLAGS) -ldflags '-s -w $(LDFLAGS)' antrea.io/antrea/cmd/antctl
 
 .PHONY: check-copyright
 check-copyright: 
@@ -261,7 +282,7 @@ fmt:
 
 .golangci-bin:
 	@echo "===> Installing Golangci-lint <==="
-	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $@ v1.48.0
+	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $@ v1.50.0
 
 .PHONY: golangci
 golangci: .golangci-bin
@@ -291,6 +312,7 @@ clean:
 	@rm -rf $(DOCKER_CACHE)
 	@rm -rf .golangci-bin
 	@rm -rf .coverage
+	@rm -rf .trivy-bin
 
 .PHONY: codegen
 codegen:
@@ -339,11 +361,10 @@ endif
 .PHONY: build-windows
 build-windows:
 	@echo "===> Building Antrea bins and antrea/antrea-windows Docker image <==="
-	docker build --cache-from antrea/base-windows:$(WIN_BUILD_TAG) -t antrea/base-windows:$(WIN_BUILD_TAG) -f build/images/base-windows/Dockerfile $(WIN_BUILD_ARGS) .
 ifneq ($(NO_PULL),)
-	docker build -t antrea/antrea-windows:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.windows $(WIN_BUILD_ARGS) .
+	docker build -t antrea/antrea-windows:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.windows --network $(DOCKER_NETWORK) $(WIN_BUILD_ARGS) .
 else
-	docker build --pull -t antrea/antrea-windows:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.windows $(WIN_BUILD_ARGS) .
+	docker build --pull -t antrea/antrea-windows:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.build.windows --network $(DOCKER_NETWORK) $(WIN_BUILD_ARGS) .
 endif
 	docker tag antrea/antrea-windows:$(DOCKER_IMG_VERSION) antrea/antrea-windows
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v1.9.0-dev
+v1.10.0-dev
diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
@@ -1,6 +1,6 @@
 # antrea
 
-![Version: 1.9.0-dev](https://img.shields.io/badge/Version-1.9.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 1.10.0-dev](https://img.shields.io/badge/Version-1.10.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 Kubernetes networking based on Open vSwitch
 
@@ -107,6 +107,7 @@ Kubernetes: `>= 1.16.0-0`
 | trafficEncryptionMode | string | `"none"` | Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.It must be one of "none", "ipsec", "wireGuard". |
 | transportInterface | string | `""` | Name of the interface on Node which is used for tunneling or routing the traffic across Nodes. |
 | transportInterfaceCIDRs | list | `[]` | Network CIDRs of the interface on Node which is used for tunneling or routing the traffic across Nodes. |
+| tunnelCsum | bool | `false` | TunnelCsum determines whether to compute UDP encapsulation header (Geneve or VXLAN) checksums on outgoing packets. For Linux kernel before Mar 2021, UDP checksum must be present to trigger GRO on the receiver for better performance of Geneve and VXLAN tunnels. The issue has been fixed by https://github.com/torvalds/linux/commit/89e5c58fc1e2857ccdaae506fb8bc5fed57ee063, thus computing UDP checksum is no longer necessary. It should only be set to true when you are using an unpatched Linux kernel and observing poor transfer performance. |
 | tunnelPort | int | `0` | TunnelPort is the destination port for UDP and TCP based tunnel protocols (Geneve, VXLAN, and STT). If zero, it will use the assigned IANA port for the protocol, i.e. 6081 for Geneve, 4789 for VXLAN, and 7471 for STT. |
 | tunnelType | string | `"geneve"` | Tunnel protocol used for encapsulating traffic across Nodes. It must be one of "geneve", "vxlan", "gre", "stt". |
 | webhooks.labelsMutator.enable | bool | `false` |  |