remove EnabelTLSConfig from antrea agent (#2193)

build/yamls/antrea-aks.yml

@@ -3617,9 +3617,10 @@ data:
     # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
     # However, IPv6 address should be wrapped with [].
     # If PORT is empty, we default to 4739, the standard IPFIX port.
-    # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
-    # L4 transport protocols.
-    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp"
+    # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+    # "udp" protocols. "tls" is used for securing communication between flow exporter and
+    # flow aggregator.
+    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -3640,9 +3641,6 @@ data:
     # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
     #idleFlowExportTimeout: "15s"
 
-    # Enable TLS communication from flow exporter to flow aggregator.
-    #enableTLSToFlowAggregator: true
-
     # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
     # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
     # and all Node traffic directed to that port will be forwarded to the Pod.
@@ -3742,7 +3740,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-kt9gdmf62t
+  name: antrea-config-t9hc8tf75d
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3862,7 +3860,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-kt9gdmf62t
+          name: antrea-config-t9hc8tf75d
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4173,7 +4171,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-kt9gdmf62t
+          name: antrea-config-t9hc8tf75d
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -3617,9 +3617,10 @@ data:
     # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
     # However, IPv6 address should be wrapped with [].
     # If PORT is empty, we default to 4739, the standard IPFIX port.
-    # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
-    # L4 transport protocols.
-    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp"
+    # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+    # "udp" protocols. "tls" is used for securing communication between flow exporter and
+    # flow aggregator.
+    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -3640,9 +3641,6 @@ data:
     # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
     #idleFlowExportTimeout: "15s"
 
-    # Enable TLS communication from flow exporter to flow aggregator.
-    #enableTLSToFlowAggregator: true
-
     # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
     # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
     # and all Node traffic directed to that port will be forwarded to the Pod.
@@ -3742,7 +3740,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-kt9gdmf62t
+  name: antrea-config-t9hc8tf75d
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3862,7 +3860,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-kt9gdmf62t
+          name: antrea-config-t9hc8tf75d
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4175,7 +4173,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-kt9gdmf62t
+          name: antrea-config-t9hc8tf75d
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -3617,9 +3617,10 @@ data:
     # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
     # However, IPv6 address should be wrapped with [].
     # If PORT is empty, we default to 4739, the standard IPFIX port.
-    # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
-    # L4 transport protocols.
-    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp"
+    # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+    # "udp" protocols. "tls" is used for securing communication between flow exporter and
+    # flow aggregator.
+    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -3640,9 +3641,6 @@ data:
     # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
     #idleFlowExportTimeout: "15s"
 
-    # Enable TLS communication from flow exporter to flow aggregator.
-    #enableTLSToFlowAggregator: true
-
     # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
     # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
     # and all Node traffic directed to that port will be forwarded to the Pod.
@@ -3742,7 +3740,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-c8bf7gddbb
+  name: antrea-config-9g829tktd6
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3862,7 +3860,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-c8bf7gddbb
+          name: antrea-config-9g829tktd6
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4176,7 +4174,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-c8bf7gddbb
+          name: antrea-config-9g829tktd6
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -3622,9 +3622,10 @@ data:
     # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
     # However, IPv6 address should be wrapped with [].
     # If PORT is empty, we default to 4739, the standard IPFIX port.
-    # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
-    # L4 transport protocols.
-    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp"
+    # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+    # "udp" protocols. "tls" is used for securing communication between flow exporter and
+    # flow aggregator.
+    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -3645,9 +3646,6 @@ data:
     # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
     #idleFlowExportTimeout: "15s"
 
-    # Enable TLS communication from flow exporter to flow aggregator.
-    #enableTLSToFlowAggregator: true
-
     # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
     # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
     # and all Node traffic directed to that port will be forwarded to the Pod.
@@ -3747,7 +3745,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-dh7f7g969b
+  name: antrea-config-h5kbhh859d
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3876,7 +3874,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-dh7f7g969b
+          name: antrea-config-h5kbhh859d
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4222,7 +4220,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-dh7f7g969b
+          name: antrea-config-h5kbhh859d
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-windows.yml

@@ -60,9 +60,10 @@ data:
     # HOST can only be IP right now because there is a DNS resolution issue in current Windows support.
     # IP can be either IPv4 or IPv6. However, IPv6 address should be wrapped with [].
     # If PORT is empty, we default to 4739, the standard IPFIX port.
-    # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
-    # L4 transport protocols.
-    #flowCollectorAddr: ""
+    # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+    # "udp" protocols. "tls" is used for securing communication between flow exporter and
+    # flow aggregator.
+    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -103,7 +104,7 @@ kind: ConfigMap
 metadata:
   labels:
     app: antrea
-  name: antrea-windows-config-cm7h2cd86m
+  name: antrea-windows-config-6cmd972m6b
   namespace: kube-system
 ---
 apiVersion: apps/v1
@@ -191,7 +192,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-windows-config-cm7h2cd86m
+          name: antrea-windows-config-6cmd972m6b
         name: antrea-windows-config
       - configMap:
           defaultMode: 420

build/yamls/antrea.yml

@@ -3622,9 +3622,10 @@ data:
     # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
     # However, IPv6 address should be wrapped with [].
     # If PORT is empty, we default to 4739, the standard IPFIX port.
-    # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
-    # L4 transport protocols.
-    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp"
+    # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+    # "udp" protocols. "tls" is used for securing communication between flow exporter and
+    # flow aggregator.
+    #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
 
     # Provide flow poll interval as a duration string. This determines how often the
     # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -3645,9 +3646,6 @@ data:
     # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
     #idleFlowExportTimeout: "15s"
 
-    # Enable TLS communication from flow exporter to flow aggregator.
-    #enableTLSToFlowAggregator: true
-
     # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
     # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
     # and all Node traffic directed to that port will be forwarded to the Pod.
@@ -3747,7 +3745,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-42cft4gc5f
+  name: antrea-config-cbfh568k9m
   namespace: kube-system
 ---
 apiVersion: v1
@@ -3867,7 +3865,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-42cft4gc5f
+          name: antrea-config-cbfh568k9m
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4178,7 +4176,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-42cft4gc5f
+          name: antrea-config-cbfh568k9m
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/conf/antrea-agent.conf

@@ -106,9 +106,10 @@ featureGates:
 # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
 # However, IPv6 address should be wrapped with [].
 # If PORT is empty, we default to 4739, the standard IPFIX port.
-# If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
-# L4 transport protocols.
-#flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp"
+# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+# "udp" protocols. "tls" is used for securing communication between flow exporter and
+# flow aggregator.
+#flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
 
 # Provide flow poll interval as a duration string. This determines how often the
 # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -129,9 +130,6 @@ featureGates:
 # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
 #idleFlowExportTimeout: "15s"
 
-# Enable TLS communication from flow exporter to flow aggregator.
-#enableTLSToFlowAggregator: true
-
 # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
 # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
 # and all Node traffic directed to that port will be forwarded to the Pod.

build/yamls/windows/base/conf/antrea-agent.conf

@@ -42,9 +42,10 @@ featureGates:
 # HOST can only be IP right now because there is a DNS resolution issue in current Windows support.
 # IP can be either IPv4 or IPv6. However, IPv6 address should be wrapped with [].
 # If PORT is empty, we default to 4739, the standard IPFIX port.
-# If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
-# L4 transport protocols.
-#flowCollectorAddr: ""
+# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+# "udp" protocols. "tls" is used for securing communication between flow exporter and
+# flow aggregator.
+#flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
 
 # Provide flow poll interval as a duration string. This determines how often the
 # flow exporter dumps connections from the conntrack module. Flow poll interval

ci/test-elk-flow-collector.sh

@@ -77,7 +77,6 @@ config_antrea() {
   echo "=== Configuring Antrea Flow Exporter Address ==="
   sed -i -e "s/#flowCollectorAddr.*/flowCollectorAddr: \"${LOGSTASH_IP}:${LOGSTASH_PORT}:${LOGSTASH_PROTOCOL}\"/g" ${GIT_CHECKOUT_DIR}/build/yamls/antrea.yml
   sed -i -e "s/#  FlowExporter: false/  FlowExporter: true/g" ${GIT_CHECKOUT_DIR}/build/yamls/antrea.yml
-  sed -i -e "s/#enableTLSToFlowAggregator: true/enableTLSToFlowAggregator: false/g" ${GIT_CHECKOUT_DIR}/build/yamls/antrea.yml
 }
 
 # Antrea agent flow exporter starts to send CoreDNS flow records.

cmd/antrea-agent/agent.go

@@ -375,7 +375,6 @@ func run(o *Options) error {
 			o.flowCollectorProto,
 			o.activeFlowTimeout,
 			o.idleFlowTimeout,
-			o.config.EnableTLSToFlowAggregator,
 			v4Enabled,
 			v6Enabled,
 			k8sClient,

cmd/antrea-agent/config.go

@@ -132,9 +132,6 @@ type AgentConfig struct {
 	// Defaults to "15s". Valid time units are "ns", "us" (or "µs"), "ms", "s",
 	// "m", "h".
 	IdleFlowExportTimeout string `yaml:"idleFlowExportTimeout,omitempty"`
-	// Enable TLS communication from flow exporter to flow aggregator.
-	// Defaults to true.
-	EnableTLSToFlowAggregator bool `yaml:"enableTLSToFlowAggregator,omitempty"`
 	// Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
 	// whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
 	// and all Node traffic directed to that port will be forwarded to the Pod.

cmd/antrea-agent/options.go

@@ -38,8 +38,8 @@ const (
 	defaultHostProcPathPrefix      = "/host"
 	defaultServiceCIDR             = "10.96.0.0/12"
 	defaultTunnelType              = ovsconfig.GeneveTunnel
-	defaultFlowCollectorAddress    = "flow-aggregator.flow-aggregator.svc:4739:tcp"
-	defaultFlowCollectorTransport  = "tcp"
+	defaultFlowCollectorAddress    = "flow-aggregator.flow-aggregator.svc:4739:tls"
+	defaultFlowCollectorTransport  = "tls"
 	defaultFlowCollectorPort       = "4739"
 	defaultFlowPollInterval        = 5 * time.Second
 	defaultActiveFlowExportTimeout = 30 * time.Second
@@ -54,7 +54,7 @@ type Options struct {
 	config *AgentConfig
 	// IPFIX flow collector address
 	flowCollectorAddr string
-	// IPFIX flow collector L4 protocol
+	// IPFIX flow collector protocol
 	flowCollectorProto string
 	// Flow exporter poll interval
 	pollInterval time.Duration
@@ -67,8 +67,7 @@ type Options struct {
 func newOptions() *Options {
 	return &Options{
 		config: &AgentConfig{
-			EnablePrometheusMetrics:   true,
-			EnableTLSToFlowAggregator: true,
+			EnablePrometheusMetrics: true,
 		},
 	}
 }

cmd/flow-aggregator/config.go

@@ -41,7 +41,7 @@ type FlowAggregatorConfig struct {
 	AggregatorTransportProtocol flowaggregator.AggregatorTransportProtocol `yaml:"aggregatorTransportProtocol,omitempty"`
 	// Provide DNS name or IP address of flow aggregator for generating TLS certificate.
 	// Defaults to "flow-aggregator.flow-aggregator.svc"
-	flowAggregatorAddress string `yaml:"flowAggregatorAddress,omitempty"`
+	FlowAggregatorAddress string `yaml:"flowAggregatorAddress,omitempty"`
 	// Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow
 	// aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated
 	// from the persistent cluster UUID generated by Antrea. Failing that (e.g. because the cluster UUID