diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index 7424edfe718..5214daa3f83 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -3617,9 +3617,10 @@ data: # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. # However, IPv6 address should be wrapped with []. # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" - # L4 transport protocols. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval @@ -3640,9 +3641,6 @@ data: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - # Enable TLS communication from flow exporter to flow aggregator. - #enableTLSToFlowAggregator: true - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), # and all Node traffic directed to that port will be forwarded to the Pod. @@ -3742,7 +3740,7 @@ metadata: annotations: {} labels: app: antrea - name: antrea-config-kt9gdmf62t + name: antrea-config-t9hc8tf75d namespace: kube-system --- apiVersion: v1 @@ -3862,7 +3860,7 @@ spec: key: node-role.kubernetes.io/master volumes: - configMap: - name: antrea-config-kt9gdmf62t + name: antrea-config-t9hc8tf75d name: antrea-config - name: antrea-controller-tls secret: 
@@ -4173,7 +4171,7 @@ spec: operator: Exists volumes: - configMap: - name: antrea-config-kt9gdmf62t + name: antrea-config-t9hc8tf75d name: antrea-config - hostPath: path: /etc/cni/net.d diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index 78c20700499..c72314d7e46 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -3617,9 +3617,10 @@ data: # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. # However, IPv6 address should be wrapped with []. # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" - # L4 transport protocols. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval @@ -3640,9 +3641,6 @@ data: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - # Enable TLS communication from flow exporter to flow aggregator. - #enableTLSToFlowAggregator: true - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), # and all Node traffic directed to that port will be forwarded to the Pod. @@ -3742,7 +3740,7 @@ metadata: annotations: {} labels: app: antrea - name: antrea-config-kt9gdmf62t + name: antrea-config-t9hc8tf75d namespace: kube-system --- apiVersion: v1 
@@ -3862,7 +3860,7 @@ spec: key: node-role.kubernetes.io/master volumes: - configMap: - name: antrea-config-kt9gdmf62t + name: antrea-config-t9hc8tf75d name: antrea-config - name: antrea-controller-tls secret: @@ -4175,7 +4173,7 @@ spec: operator: Exists volumes: - configMap: - name: antrea-config-kt9gdmf62t + name: antrea-config-t9hc8tf75d name: antrea-config - hostPath: path: /etc/cni/net.d diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index d9eba3e588d..4ba925d1264 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -3617,9 +3617,10 @@ data: # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. # However, IPv6 address should be wrapped with []. # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" - # L4 transport protocols. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval @@ -3640,9 +3641,6 @@ data: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - # Enable TLS communication from flow exporter to flow aggregator. - #enableTLSToFlowAggregator: true - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), # and all Node traffic directed to that port will be forwarded to the Pod. 
@@ -3742,7 +3740,7 @@ metadata: annotations: {} labels: app: antrea - name: antrea-config-c8bf7gddbb + name: antrea-config-9g829tktd6 namespace: kube-system --- apiVersion: v1 @@ -3862,7 +3860,7 @@ spec: key: node-role.kubernetes.io/master volumes: - configMap: - name: antrea-config-c8bf7gddbb + name: antrea-config-9g829tktd6 name: antrea-config - name: antrea-controller-tls secret: @@ -4176,7 +4174,7 @@ spec: path: /home/kubernetes/bin name: host-cni-bin - configMap: - name: antrea-config-c8bf7gddbb + name: antrea-config-9g829tktd6 name: antrea-config - hostPath: path: /etc/cni/net.d diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index 0472cbde9ba..a4001f5c019 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -3622,9 +3622,10 @@ data: # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. # However, IPv6 address should be wrapped with []. # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" - # L4 transport protocols. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval 
@@ -3645,9 +3646,6 @@ data: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - # Enable TLS communication from flow exporter to flow aggregator. - #enableTLSToFlowAggregator: true - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), # and all Node traffic directed to that port will be forwarded to the Pod. @@ -3747,7 +3745,7 @@ metadata: annotations: {} labels: app: antrea - name: antrea-config-dh7f7g969b + name: antrea-config-h5kbhh859d namespace: kube-system --- apiVersion: v1 @@ -3876,7 +3874,7 @@ spec: key: node-role.kubernetes.io/master volumes: - configMap: - name: antrea-config-dh7f7g969b + name: antrea-config-h5kbhh859d name: antrea-config - name: antrea-controller-tls secret: @@ -4222,7 +4220,7 @@ spec: operator: Exists volumes: - configMap: - name: antrea-config-dh7f7g969b + name: antrea-config-h5kbhh859d name: antrea-config - hostPath: path: /etc/cni/net.d diff --git a/build/yamls/antrea-windows.yml b/build/yamls/antrea-windows.yml index d6d79e548cf..f3a512676cc 100644 --- a/build/yamls/antrea-windows.yml +++ b/build/yamls/antrea-windows.yml 
@@ -60,9 +60,10 @@ data: # HOST can only be IP right now because there is a DNS resolution issue in current Windows support. # IP can be either IPv4 or IPv6. However, IPv6 address should be wrapped with []. # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" - # L4 transport protocols. - #flowCollectorAddr: "" + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval @@ -103,7 +104,7 @@ kind: ConfigMap metadata: labels: app: antrea - name: antrea-windows-config-cm7h2cd86m + name: antrea-windows-config-6cmd972m6b namespace: kube-system --- apiVersion: apps/v1 @@ -191,7 +192,7 @@ spec: operator: Exists volumes: - configMap: - name: antrea-windows-config-cm7h2cd86m + name: antrea-windows-config-6cmd972m6b name: antrea-windows-config - configMap: defaultMode: 420 diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 126159898a3..5620778eb5d 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml 
@@ -3622,9 +3622,10 @@ data: # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. # However, IPv6 address should be wrapped with []. # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" - # L4 transport protocols. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval @@ -3645,9 +3646,6 @@ data: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - # Enable TLS communication from flow exporter to flow aggregator. - #enableTLSToFlowAggregator: true - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), # and all Node traffic directed to that port will be forwarded to the Pod. @@ -3747,7 +3745,7 @@ metadata: annotations: {} labels: app: antrea - name: antrea-config-42cft4gc5f + name: antrea-config-cbfh568k9m namespace: kube-system --- apiVersion: v1 @@ -3867,7 +3865,7 @@ spec: key: node-role.kubernetes.io/master volumes: - configMap: - name: antrea-config-42cft4gc5f + name: antrea-config-cbfh568k9m name: antrea-config - name: antrea-controller-tls secret: @@ -4178,7 +4176,7 @@ spec: operator: Exists volumes: - configMap: - name: antrea-config-42cft4gc5f + name: antrea-config-cbfh568k9m name: antrea-config - hostPath: path: /etc/cni/net.d 
diff --git a/build/yamls/base/conf/antrea-agent.conf b/build/yamls/base/conf/antrea-agent.conf
index 3bf7a3c570c..01591e9837f 100644
--- a/build/yamls/base/conf/antrea-agent.conf
+++ b/build/yamls/base/conf/antrea-agent.conf
@@ -106,9 +106,10 @@ featureGates:
 # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
 # However, IPv6 address should be wrapped with [].
 # If PORT is empty, we default to 4739, the standard IPFIX port.
-# If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
-# L4 transport protocols.
-#flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp"
+# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+# "udp" protocols. "tls" is used for securing communication between flow exporter and
+# flow aggregator.
+#flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
 # Provide flow poll interval as a duration string. This determines how often the
 # flow exporter dumps connections from the conntrack module. Flow poll interval
@@ -129,9 +130,6 @@ featureGates:
 # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
 #idleFlowExportTimeout: "15s"
-# Enable TLS communication from flow exporter to flow aggregator.
-#enableTLSToFlowAggregator: true
-
 # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
 # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
 # and all Node traffic directed to that port will be forwarded to the Pod.
diff --git a/build/yamls/windows/base/conf/antrea-agent.conf b/build/yamls/windows/base/conf/antrea-agent.conf
index 7dd2807cc01..a0a7af4904e 100644
--- a/build/yamls/windows/base/conf/antrea-agent.conf
+++ b/build/yamls/windows/base/conf/antrea-agent.conf
@@ -42,9 +42,10 @@ featureGates:
 # HOST can only be IP right now because there is a DNS resolution issue in current Windows support.
 # IP can be either IPv4 or IPv6. However, IPv6 address should be wrapped with [].
 # If PORT is empty, we default to 4739, the standard IPFIX port.
-# If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
-# L4 transport protocols.
-#flowCollectorAddr: ""
+# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
+# "udp" protocols. "tls" is used for securing communication between flow exporter and
+# flow aggregator.
+#flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
 # Provide flow poll interval as a duration string. This determines how often the
 # flow exporter dumps connections from the conntrack module. Flow poll interval
diff --git a/ci/test-elk-flow-collector.sh b/ci/test-elk-flow-collector.sh
index 4872a11571f..b3f28b001dd 100755
--- a/ci/test-elk-flow-collector.sh
+++ b/ci/test-elk-flow-collector.sh
@@ -77,7 +77,6 @@ config_antrea() {
 echo "=== Configuring Antrea Flow Exporter Address ==="
 sed -i -e "s/#flowCollectorAddr.*/flowCollectorAddr: \"${LOGSTASH_IP}:${LOGSTASH_PORT}:${LOGSTASH_PROTOCOL}\"/g" ${GIT_CHECKOUT_DIR}/build/yamls/antrea.yml
 sed -i -e "s/# FlowExporter: false/ FlowExporter: true/g" ${GIT_CHECKOUT_DIR}/build/yamls/antrea.yml
- sed -i -e "s/#enableTLSToFlowAggregator: true/enableTLSToFlowAggregator: false/g" ${GIT_CHECKOUT_DIR}/build/yamls/antrea.yml
 }
 # Antrea agent flow exporter starts to send CoreDNS flow records.
diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go
index 2f9562519a4..f169165fbe6 100644
--- a/cmd/antrea-agent/agent.go
+++ b/cmd/antrea-agent/agent.go
@@ -375,7 +375,6 @@ func run(o *Options) error {
 o.flowCollectorProto,
 o.activeFlowTimeout,
 o.idleFlowTimeout,
- o.config.EnableTLSToFlowAggregator,
 v4Enabled,
 v6Enabled,
 k8sClient,
diff --git a/cmd/antrea-agent/config.go b/cmd/antrea-agent/config.go
index 81395c8eb33..9e3f13725ba 100644
--- a/cmd/antrea-agent/config.go
+++ b/cmd/antrea-agent/config.go
@@ -132,9 +132,6 @@ type AgentConfig struct {
 // Defaults to "15s". Valid time units are "ns", "us" (or "µs"), "ms", "s",
 // "m", "h".
 IdleFlowExportTimeout string `yaml:"idleFlowExportTimeout,omitempty"`
- // Enable TLS communication from flow exporter to flow aggregator.
- // Defaults to true.
- EnableTLSToFlowAggregator bool `yaml:"enableTLSToFlowAggregator,omitempty"`
 // Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
 // whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
 // and all Node traffic directed to that port will be forwarded to the Pod.
diff --git a/cmd/antrea-agent/options.go b/cmd/antrea-agent/options.go
index e219e906181..7e4aa315d55 100644
--- a/cmd/antrea-agent/options.go
+++ b/cmd/antrea-agent/options.go
@@ -38,8 +38,8 @@ const (
 defaultHostProcPathPrefix = "/host"
 defaultServiceCIDR = "10.96.0.0/12"
 defaultTunnelType = ovsconfig.GeneveTunnel
- defaultFlowCollectorAddress = "flow-aggregator.flow-aggregator.svc:4739:tcp"
- defaultFlowCollectorTransport = "tcp"
+ defaultFlowCollectorAddress = "flow-aggregator.flow-aggregator.svc:4739:tls"
+ defaultFlowCollectorTransport = "tls"
 defaultFlowCollectorPort = "4739"
 defaultFlowPollInterval = 5 * time.Second
 defaultActiveFlowExportTimeout = 30 * time.Second
@@ -54,7 +54,7 @@ type Options struct {
 config *AgentConfig
 // IPFIX flow collector address
 flowCollectorAddr string
- // IPFIX flow collector L4 protocol
+ // IPFIX flow collector protocol
 flowCollectorProto string
 // Flow exporter poll interval
 pollInterval time.Duration
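Review bot: The new comment `// IPFIX flow collector protocol` on flowCollectorProto drops the old "L4" qualifier but does not say which values the field may now hold, and since this string alone decides whether flow records leave the node encrypted, the reader of Options should not have to chase that through exporter.go. I would write `// IPFIX flow collector protocol: "tls" (TLS over TCP, the default), "tcp" or "udp"`. The same three literals are spelled out independently in defaultFlowCollectorTransport here, in prepareExporterInputArgs and in ParseFlowCollectorAddr; a shared set of constants would keep them from drifting. The Options struct continues outside the hunk.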
@@ -67,8 +67,7 @@ type Options struct {
 func newOptions() *Options {
 return &Options{
 config: &AgentConfig{
- EnablePrometheusMetrics: true,
- EnableTLSToFlowAggregator: true,
+ EnablePrometheusMetrics: true,
 },
 }
 }
diff --git a/cmd/flow-aggregator/config.go b/cmd/flow-aggregator/config.go
index 8dda33cf07a..a91e52f2cc8 100644
--- a/cmd/flow-aggregator/config.go
+++ b/cmd/flow-aggregator/config.go
@@ -41,7 +41,7 @@ type FlowAggregatorConfig struct {
 AggregatorTransportProtocol flowaggregator.AggregatorTransportProtocol `yaml:"aggregatorTransportProtocol,omitempty"`
 // Provide DNS name or IP address of flow aggregator for generating TLS certificate.
 // Defaults to "flow-aggregator.flow-aggregator.svc"
- flowAggregatorAddress string `yaml:"flowAggregatorAddress,omitempty"`
+ FlowAggregatorAddress string `yaml:"flowAggregatorAddress,omitempty"`
 // Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow
 // aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated
 // from the persistent cluster UUID generated by Antrea. Failing that (e.g. because the cluster UUID
diff --git a/cmd/flow-aggregator/options.go b/cmd/flow-aggregator/options.go
index 0364aa4a443..4b1d17cf109 100644
--- a/cmd/flow-aggregator/options.go
+++ b/cmd/flow-aggregator/options.go
@@ -118,10 +118,10 @@ func (o *Options) validate(args []string) error {
 }
 o.aggregatorTransportProtocol = transportProtocol
 }
- if o.config.flowAggregatorAddress == "" {
+ if o.config.FlowAggregatorAddress == "" {
 o.flowAggregatorAddress = defaultFlowAggregatorAddress
 } else {
- o.flowAggregatorAddress = o.config.flowAggregatorAddress
+ o.flowAggregatorAddress = o.config.FlowAggregatorAddress
 }
 return nil
 }
diff --git a/docs/network-flow-visibility.md b/docs/network-flow-visibility.md
index 9e99e60c373..90da63ccba5 100644
--- a/docs/network-flow-visibility.md
+++ b/docs/network-flow-visibility.md
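Review bot: Renaming flowAggregatorAddress to FlowAggregatorAddress is a behaviour change rather than a cosmetic one and the field comment should say so: Go yaml decoders cannot set an unexported field, so as far as I can tell the `flowAggregatorAddress` key was silently ignored before and validate() always fell back to the default. Because the value is used to generate the aggregator's TLS certificate (per the comment on the field), a deployment that already sets this key will see its certificate name change on upgrade; that deserves a line in the PR description or release notes. I would extend the comment with `// The value must match the HOST part of the agents' flowCollectorAddr, since the generated certificate is issued for it.` (hedged: inferred from the Kind handling in test/e2e/framework.go, not from this file).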
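Review bot: validate() accepts any non-empty FlowAggregatorAddress, but the value ends up as the name in the aggregator's TLS certificate, so a stray port suffix, scheme or surrounding quotes only surfaces later as every agent failing the handshake. Reject values that are neither an IP nor a plausible DNS name here, e.g. `if net.ParseIP(v) == nil && len(validation.IsDNS1123Subdomain(v)) > 0 { return fmt.Errorf("invalid flowAggregatorAddress %q", v) }` with `v := o.config.FlowAggregatorAddress` (apimachinery's validation helpers, if this package already imports them; otherwise a simple host-name check). validate() starts outside the hunk.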
@@ -85,9 +85,10 @@ parameters have to be set in the Antrea Agent ConfigMap: # to the Antrea Flow Aggregator Service. If IP, it can be either IPv4 or IPv6. # However, IPv6 address should be wrapped with []. # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp" - # L4 transport protocols. - #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp" + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + #flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" # Provide flow poll interval as a duration string. This determines how often the # flow exporter dumps connections from the conntrack module. Flow poll interval @@ -107,12 +108,9 @@ parameters have to be set in the Antrea Agent ConfigMap: # packet matching this flow has been observed since the last export event. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - - # Enable TLS communication from flow exporter to flow aggregator. - #enableTLSToFlowAggregator: true ``` -Please note that the default value for `flowCollectorAddr` is `"flow-aggregator.flow-aggregator.svc:4739:tcp"`, +Please note that the default value for `flowCollectorAddr` is `"flow-aggregator.flow-aggregator.svc:4739:tls"`, which uses the DNS name of the Flow Aggregator Service, if the Service is deployed with the Name and Namespace set to `flow-aggregator`. For Antrea Agent running on a Windows node, the user is required to change the default value of `HOST` in `flowCollectorAddr` 
@@ -279,11 +277,10 @@ flow-aggregator.conf: | Please note that the default values for `flowExportInterval`, `aggregatorTransportProtocol`, and `flowAggregatorAddress` parameters are set to `60s`, `tls` and `flow-aggregator.flow-aggregator.svc`, -respectively. Please make sure that `aggregatorTransportProtocol` is set to `tls` and -`enableTLSToFlowAggregator` in `agent-agent.conf` is set to true to guarantee secure communication -works properly. `enableTLSToFlowAggregator` and `aggregatorTransportProtocol` must always match, -so TLS must either be enabled for both sides or disabled for both sides. Please modify the parameters -as per your requirements. +respectively. Please make sure that `aggregatorTransportProtocol` and protocol of `flowCollectorAddr` in +`agent-agent.conf` are set to `tls` to guarantee secure communication works properly. Protocol of +`flowCollectorAddr` and `aggregatorTransportProtocol` must always match, so TLS must either be enabled for +both sides or disabled for both sides. Please modify the parameters as per your requirements. ### IPFIX Information Elements (IEs) in an Aggregated Flow Record diff --git a/pkg/agent/flowexporter/exporter/exporter.go b/pkg/agent/flowexporter/exporter/exporter.go index 3e51c6427d0..11dd98126c8 100644 --- a/pkg/agent/flowexporter/exporter/exporter.go +++ b/pkg/agent/flowexporter/exporter/exporter.go 
@@ -79,25 +79,24 @@ var (
 )
 type flowExporter struct {
- connStore connections.ConnectionStore
- flowRecords *flowrecords.FlowRecords
- process ipfix.IPFIXExportingProcess
- elementsListv4 []*ipfixentities.InfoElementWithValue
- elementsListv6 []*ipfixentities.InfoElementWithValue
- ipfixSet ipfixentities.Set
- numDataSetsSent uint64 // used for unit tests.
- templateIDv4 uint16
- templateIDv6 uint16
- registry ipfix.IPFIXRegistry
- v4Enabled bool
- v6Enabled bool
- exporterInput exporter.ExporterInput
- activeFlowTimeout time.Duration
- idleFlowTimeout time.Duration
- enableTLSToFlowAggregator bool
- k8sClient kubernetes.Interface
- nodeRouteController *noderoute.Controller
- isNetworkPolicyOnly bool
+ connStore connections.ConnectionStore
+ flowRecords *flowrecords.FlowRecords
+ process ipfix.IPFIXExportingProcess
+ elementsListv4 []*ipfixentities.InfoElementWithValue
+ elementsListv6 []*ipfixentities.InfoElementWithValue
+ ipfixSet ipfixentities.Set
+ numDataSetsSent uint64 // used for unit tests.
+ templateIDv4 uint16
+ templateIDv6 uint16
+ registry ipfix.IPFIXRegistry
+ v4Enabled bool
+ v6Enabled bool
+ exporterInput exporter.ExporterInput
+ activeFlowTimeout time.Duration
+ idleFlowTimeout time.Duration
+ k8sClient kubernetes.Interface
+ nodeRouteController *noderoute.Controller
+ isNetworkPolicyOnly bool
 }
 func genObservationID() (uint32, error) {
@@ -119,7 +118,13 @@ func prepareExporterInputArgs(collectorAddr, collectorProto string) (exporter.Ex
 return expInput, err
 }
 expInput.CollectorAddress = collectorAddr
- expInput.CollectorProtocol = collectorProto
+ if collectorProto == "tls" {
+ expInput.IsEncrypted = true
+ expInput.CollectorProtocol = "tcp"
+ } else {
+ expInput.IsEncrypted = false
+ expInput.CollectorProtocol = collectorProto
+ }
 expInput.PathMTU = 0
 return expInput, nil
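Review bot: The new if/else in prepareExporterInputArgs turns the configured protocol string into the IsEncrypted decision without recording it anywhere, so an operator who keeps a pre-upgrade value such as `"...:4739:tcp"` — which, with the removed enableTLSToFlowAggregator defaulting to true, previously still produced a TLS session in initFlowExporter — is silently downgraded to cleartext export of flow records. Emit one startup line after the branch with whatever logger this file uses (klog elsewhere in the tree, if that is what it imports), e.g. `klog.Infof("Flow collector %s: protocol %s, encrypted %t", collectorAddr, expInput.CollectorProtocol, expInput.IsEncrypted)`, and call the downgrade case out in the PR description. The "tls" literal is also compared in ParseFlowCollectorAddr and set as a default in cmd/antrea-agent/options.go; a shared constant would keep the three in step. prepareExporterInputArgs starts outside the hunk.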
@@ -127,7 +132,7 @@ func prepareExporterInputArgs(collectorAddr, collectorProto string) (exporter.Ex
 func NewFlowExporter(connStore connections.ConnectionStore, records *flowrecords.FlowRecords, collectorAddr string, collectorProto string, activeFlowTimeout time.Duration, idleFlowTimeout time.Duration,
- enableTLSToFlowAggregator bool, v4Enabled bool, v6Enabled bool, k8sClient kubernetes.Interface,
+ v4Enabled bool, v6Enabled bool, k8sClient kubernetes.Interface,
 nodeRouteController *noderoute.Controller, isNetworkPolicyOnly bool) (*flowExporter, error) {
 // Initialize IPFIX registry
 registry := ipfix.NewIPFIXRegistry()
@@ -140,19 +145,18 @@ func NewFlowExporter(connStore connections.ConnectionStore, records *flowrecords
 }
 return &flowExporter{
- connStore: connStore,
- flowRecords: records,
- registry: registry,
- v4Enabled: v4Enabled,
- v6Enabled: v6Enabled,
- exporterInput: expInput,
- activeFlowTimeout: activeFlowTimeout,
- idleFlowTimeout: idleFlowTimeout,
- ipfixSet: ipfixentities.NewSet(false),
- enableTLSToFlowAggregator: enableTLSToFlowAggregator,
- k8sClient: k8sClient,
- nodeRouteController: nodeRouteController,
- isNetworkPolicyOnly: isNetworkPolicyOnly,
+ connStore: connStore,
+ flowRecords: records,
+ registry: registry,
+ v4Enabled: v4Enabled,
+ v6Enabled: v6Enabled,
+ exporterInput: expInput,
+ activeFlowTimeout: activeFlowTimeout,
+ idleFlowTimeout: idleFlowTimeout,
+ ipfixSet: ipfixentities.NewSet(false),
+ k8sClient: k8sClient,
+ nodeRouteController: nodeRouteController,
+ isNetworkPolicyOnly: isNetworkPolicyOnly,
 }, nil
 }
@@ -194,7 +198,7 @@ func (exp *flowExporter) Export() {
 func (exp *flowExporter) initFlowExporter() error {
 var err error
- if exp.enableTLSToFlowAggregator {
+ if exp.exporterInput.IsEncrypted {
 // if CA certificate, client certificate and key do not exist during initialization,
 // it will retry to obtain the credentials in next export cycle
 exp.exporterInput.CACert, err = getCACert(exp.k8sClient)
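Review bot: NewFlowExporter has no doc comment, and after this change its collectorProto argument silently carries the security decision — prepareExporterInputArgs maps "tls" to an encrypted session over TCP and anything else to plaintext — which a reader of the signature can no longer tell now that the explicit enableTLSToFlowAggregator parameter is gone. Add a comment above the function stating that collectorProto must be one of "tls", "tcp" or "udp" and that only "tls" yields an encrypted connection to the collector, and that the exporter is returned unconnected (it dials in initFlowExporter, which reads exporterInput.IsEncrypted). The function body continues outside the hunk.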
@@ -207,17 +211,14 @@ func (exp *flowExporter) initFlowExporter() error {
 }
 // TLS transport does not need any tempRefTimeout, so sending 0.
 exp.exporterInput.TempRefTimeout = 0
- exp.exporterInput.IsEncrypted = true
 } else if exp.exporterInput.CollectorProtocol == "tcp" {
 // TCP transport does not need any tempRefTimeout, so sending 0.
 // tempRefTimeout is the template refresh timeout, which specifies how often
 // the exporting process should send the template again.
 exp.exporterInput.TempRefTimeout = 0
- exp.exporterInput.IsEncrypted = false
 } else {
 // For UDP transport, hardcoding tempRefTimeout value as 1800s.
 exp.exporterInput.TempRefTimeout = 1800
- exp.exporterInput.IsEncrypted = false
 }
 expProcess, err := ipfix.NewIPFIXExportingProcess(exp.exporterInput)
 if err != nil {
diff --git a/pkg/util/flowexport/flowexport.go b/pkg/util/flowexport/flowexport.go
index 8d917cc40fa..3e204ad94f5 100644
--- a/pkg/util/flowexport/flowexport.go
+++ b/pkg/util/flowexport/flowexport.go
@@ -45,7 +45,7 @@ func ParseFlowCollectorAddr(addr string, defaultPort string, defaultProtocol str
 } else {
 port = strSlice[1]
 }
- if (strSlice[2] != "udp") && (strSlice[2] != "tcp") {
+ if (strSlice[2] != "tls") && (strSlice[2] != "tcp") && (strSlice[2] != "udp") {
 return host, port, proto, fmt.Errorf("connection over %s transport proto is not supported", strSlice[2])
 }
 proto = strSlice[2]
diff --git a/test/e2e/fixtures.go b/test/e2e/fixtures.go
index f1549a21a21..22940065ddf 100644
--- a/test/e2e/fixtures.go
+++ b/test/e2e/fixtures.go
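Review bot: In ParseFlowCollectorAddr the three-way negated chain on strSlice[2] is a style point: a switch with a single case listing the accepted values reads as an allow-list, is extended by adding one token, and lets the assignment to proto sit next to the check instead of after it. The error text could also stop calling "tls" a "transport proto" and list what is accepted, provided nothing matches on the current message. ParseFlowCollectorAddr starts and ends outside the hunk.
```go
	switch strSlice[2] {
	case "tls", "tcp", "udp":
		proto = strSlice[2]
	default:
		return host, port, proto, fmt.Errorf("protocol %q is not supported, expected tls, tcp or udp", strSlice[2])
	}
```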
@@ -190,7 +190,7 @@ func setupTestWithIPFIXCollector(tb testing.TB) (*TestData, bool, bool, error) {
 if testOptions.providerName == "kind" {
 // In Kind cluster, there are issues with DNS name resolution on worker nodes.
 // Please note that CoreDNS services are forced on to control-plane Node.
- faClusterIPAddr = fmt.Sprintf("%s:%s:tcp", faClusterIP, ipfixCollectorPort)
+ faClusterIPAddr = fmt.Sprintf("%s:%s:tls", faClusterIP, ipfixCollectorPort)
 }
 tb.Logf("Deploying flow exporter with collector address: %s", faClusterIPAddr)
 if err = testData.deployAntreaFlowExporter(faClusterIPAddr); err != nil {
diff --git a/test/e2e/framework.go b/test/e2e/framework.go
index 37e82fa62db..b94d6567c43 100644
--- a/test/e2e/framework.go
+++ b/test/e2e/framework.go
@@ -569,11 +569,6 @@ func (data *TestData) deployAntreaFlowExporter(ipfixCollector string) error {
 if ipfixCollector != "" {
 ac = append(ac, configChange{"flowCollectorAddr", fmt.Sprintf("\"%s\"", ipfixCollector), false})
 }
- if testOptions.providerName == "kind" {
- // In Kind cluster, there are issues with DNS name resolution on worker nodes.
- // We will skip TLS testing for Kind cluster because the server certificate is generated with Flow aggregator's DNS name
- ac = append(ac, configChange{"enableTLSToFlowAggregator", "false", false})
- }
 return data.mutateAntreaConfigMap(nil, ac, false, true)
 }
@@ -587,7 +582,11 @@ func (data *TestData) deployFlowAggregator(ipfixCollector string) (string, error
 if err != nil || rc != 0 {
 return "", fmt.Errorf("error when deploying flow aggregator; %s not available on the control-plane Node", flowAggYaml)
 }
- if err = data.mutateFlowAggregatorConfigMap(ipfixCollector); err != nil {
+ svc, err := data.clientset.CoreV1().Services(flowAggregatorNamespace).Get(context.TODO(), flowAggregatorDeployment, metav1.GetOptions{})
+ if err != nil {
+ return "", fmt.Errorf("unable to get service %v: %v", flowAggregatorDeployment, err)
+ }
+ if err = data.mutateFlowAggregatorConfigMap(ipfixCollector, svc.Spec.ClusterIP); err != nil {
 return "", err
 }
 if rc, _, _, err = provider.RunCommandOnNode(controlPlaneNodeName(), fmt.Sprintf("kubectl -n %s rollout status deployment/%s --timeout=%v", flowAggregatorNamespace, flowAggregatorDeployment, 2*defaultTimeout)); err != nil || rc != 0 {
@@ -595,14 +594,10 @@ func (data *TestData) deployFlowAggregator(ipfixCollector string) (string, error
 _, logStdout, _, _ := provider.RunCommandOnNode(controlPlaneNodeName(), fmt.Sprintf("kubectl -n %s logs -l app=flow-aggregator", flowAggregatorNamespace))
 return stdout, fmt.Errorf("error when waiting for flow aggregator rollout to complete. kubectl describe output: %s, logs: %s", stdout, logStdout)
 }
- svc, err := data.clientset.CoreV1().Services(flowAggregatorNamespace).Get(context.TODO(), flowAggregatorDeployment, metav1.GetOptions{})
- if err != nil {
- return "", fmt.Errorf("unable to get service %v: %v", flowAggregatorDeployment, err)
- }
 return svc.Spec.ClusterIP, nil
 }
-func (data *TestData) mutateFlowAggregatorConfigMap(ipfixCollector string) error {
+func (data *TestData) mutateFlowAggregatorConfigMap(ipfixCollector string, faClusterIP string) error {
 configMap, err := data.GetFlowAggregatorConfigMap()
 if err != nil {
 return err
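Review bot: svc.Spec.ClusterIP is passed straight into mutateFlowAggregatorConfigMap, but the Get only proves the Service exists; if the IP is empty or `None` (headless), the Kind branch presumably writes `flowAggregatorAddress:` with no usable value and the failure shows up much later as agents failing the TLS handshake. Guard it right after the error check: `if svc.Spec.ClusterIP == "" || svc.Spec.ClusterIP == "None" { return "", fmt.Errorf("service %s has no ClusterIP", flowAggregatorDeployment) }`. The new faClusterIP parameter of mutateFlowAggregatorConfigMap also has no comment saying it is only consulted on the Kind provider; both functions continue outside the hunk.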
@@ -616,8 +611,9 @@ func (data *TestData) mutateFlowAggregatorConfigMap(ipfixCollector string) error
 flowAggregatorConf = strings.Replace(flowAggregatorConf, "#inactiveFlowRecordTimeout: 90s", "inactiveFlowRecordTimeout: 6s", 1)
 if testOptions.providerName == "kind" {
 // In Kind cluster, there are issues with DNS name resolution on worker nodes.
- // We will skip TLS testing for Kind cluster because the server certificate is generated with Flow aggregator's DNS name
- flowAggregatorConf = strings.Replace(flowAggregatorConf, "#aggregatorTransportProtocol: \"tls\"", "aggregatorTransportProtocol: \"tcp\"", 1)
+ // We will use flow aggregator service cluster IP to generate the server certificate for tls communication
+ faAddress := fmt.Sprintf("flowAggregatorAddress: %s", faClusterIP)
+ flowAggregatorConf = strings.Replace(flowAggregatorConf, "#flowAggregatorAddress: \"flow-aggregator.flow-aggregator.svc\"", faAddress, 1)
 }
 configMap.Data[flowAggregatorConfName] = flowAggregatorConf
 if _, err := data.clientset.CoreV1().ConfigMaps(flowAggregatorNamespace).Update(context.TODO(), configMap, metav1.UpdateOptions{}); err != nil {
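Review bot: strings.Replace returns its input unchanged when the anchor `#flowAggregatorAddress: "flow-aggregator.flow-aggregator.svc"` is not present, so any later edit to that commented default in flow-aggregator.conf (quoting, spacing, a new default) silently leaves the DNS name in the certificate and the Kind run fails later at the TLS handshake rather than here. Hoist the literal into a local and check for it before replacing: `if !strings.Contains(flowAggregatorConf, anchor) { return fmt.Errorf("flowAggregatorAddress default not found in %s", flowAggregatorConfName) }`. Minor: the replacement writes the IP unquoted while the template quotes the default, which YAML accepts for an IP but is inconsistent with the neighbouring lines. mutateFlowAggregatorConfigMap starts and ends outside the hunk.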