Support OVS bridge creation for secondary network
Add OVS bridge configuration to the secondary network configuration in
antrea-agent.conf, which specifies the OVS bridges for Pod secondary
networks and also physical interfaces of the bridges. At the moment,
only a single bridge is supported and at most one physical interface
can be configured on the bridge. antrea-agent will automatically create
the OVS bridge and connect the physical interface (if specified) to
the bridge, when the bridge is specified in the secondary network
configuration and does not exist on the host.

Signed-off-by: Jianjun Shen <shenj@vmware.com>
jianjuns committed Jul 22, 2023
1 parent f96efa2 commit 48a365d
Showing 21 changed files with 360 additions and 169 deletions.
9 changes: 2 additions & 7 deletions build/charts/antrea/README.md
@@ -68,7 +68,7 @@ Kubernetes: `>= 1.16.0-0`
| controller.tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"}]` | Tolerations for the antrea-controller Pod. |
| defaultMTU | int | `0` | Default MTU to use for the host gateway interface and the network interface of each Pod. By default, antrea-agent will discover the MTU of the Node's primary interface and adjust it to accommodate for tunnel encapsulation overhead if applicable. |
| disableTXChecksumOffload | bool | `false` | Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. It affects Pods running on Linux Nodes only. |
| dnsServerOverride | string | `""` | Address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. |
| dnsServerOverride | string | `""` | Address of DNS server, to override the kube-dns Service. It's used to resolve hostnames in a FQDN policy. |
| egress.exceptCIDRs | list | `[]` | CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. |
| egress.maxEgressIPsPerNode | int | `255` | The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255. |
| enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. |
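Review bot: the new wording `hostnames in a FQDN policy` should read `an FQDN policy` (the acronym is read letter by letter, so the article is `an`); the same phrase is introduced by this commit in build/charts/antrea/conf/antrea-agent.conf and copied into every generated manifest, so fix it in the chart template and regenerate rather than patching each file.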
@@ -107,12 +107,7 @@ Kubernetes: `>= 1.16.0-0`
| nodePortLocal.portRange | string | `"61000-62000"` | Port range used by NodePortLocal when creating Pod port mappings. |
| ovs.bridgeName | string | `"br-int"` | Name of the OVS bridge antrea-agent will create and use. |
| ovs.hwOffload | bool | `false` | Enable hardware offload for the OVS bridge (required additional configuration). |
| secondaryNetwork.ovs.datapathType | string | `"system"` | 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run OVS in userspace mode. Userspace mode requires the tun device driver to be available. |
| secondaryNetwork.ovs.enable | bool | `false` | Enable OVS bridge configuration for secondary network. |
| secondaryNetwork.ovs.integrationBridgeName | string | `"br-secnet-int"` | Secondary network OVS integration bridge name. |
| secondaryNetwork.ovs.patchPort | string | `"br-secnet-patch0"` | Name of the OVS patch port which connects the integration and transport bridge. |
| secondaryNetwork.ovs.transportBridgeName | string | `"br-secnet-trans"` | Secondary network OVS transport bridge name. |
| secondaryNetwork.tunnelType | string | `"geneve"` | Tunnel protocol used for encapsulating traffic across Nodes. It must be one of "geneve", "vxlan", "gre", "stt". |
| secondaryNetwork.ovsBridges | list | `[]` | List of OVS bridge configuration, each defines an OVS bridge used for Pod secondary networks. At the moment, at most one OVS bridge can be specified. If the specified bridge does not exist on Node, antrea-agent will create it based on the specified configuration. |
| serviceCIDR | string | `""` | IPv4 CIDR range used for Services. Required when AntreaProxy is disabled. |
| serviceCIDRv6 | string | `""` | IPv6 CIDR range used for Services. Required when AntreaProxy is disabled. |
| testing.coverage | bool | `false` | Enable code coverage measurement (used when testing Antrea only). |
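Review bot: the description of the new `secondaryNetwork.ovsBridges` row is ungrammatical and omits one of the two limits stated in the commit message. `List of OVS bridge configuration, each defines an OVS bridge` should read `List of OVS bridge configurations, each of which defines an OVS bridge`, and besides "at most one OVS bridge can be specified" it should also say that at most one physical interface can be configured on that bridge. The rows being removed documented every sub-key (`datapathType`, `patchPort`, `tunnelType`, with the allowed values), while the replacement row gives no schema for a list element at all, so a reader of this README cannot learn that `bridgeName` and `physicalInterfaces` are the expected keys; add the example that values.yaml carries, `[{bridgeName: "br-vlan", physicalInterfaces: ["eth2"]}]`, to the description.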
33 changes: 9 additions & 24 deletions build/charts/antrea/conf/antrea-agent.conf
@@ -250,14 +250,15 @@ nodePortLocal:
portRange: {{ .portRange | quote }}
{{- end }}

# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }}

# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: {{ .Values.dnsServerOverride | quote }}

# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
@@ -398,24 +399,8 @@ multicluster:

secondaryNetwork:
{{- with .Values.secondaryNetwork }}
# OVS bridge configuration for secondary network.
ovs:
# Enable OVS bridge configuration for secondary network.
enable: {{ .ovs.enable }}
# Secondary network OVS integration bridge name. Ensure it doesn't conflict with your existing OpenVSwitch bridges.
integrationBridgeName: {{ .ovs.integrationBridgeName | quote }}
# Secondary network OVS transport bridge name. Ensure it doesn't conflict with your existing OpenVSwitch bridges.
transportBridgeName: {{ .ovs.transportBridgeName | quote }}
# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
datapathType: {{ .ovs.datapathType | quote }}
# Name of the OVS patch port which connects the integration and transport bridge.
patchPort: {{ .ovs.patchPort | quote }}
# Tunnel protocol used for encapsulating traffic across Nodes. It must be one
# of "geneve", "vxlan", "gre", "stt".
tunnelType: {{ .tunnelType | quote }}
# Configuration of OVS bridges for secondary network.
ovsBridges:
{{- toYaml .ovsBridges | trim | nindent 6 }}
{{- end }}
{{- end }}
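Review bot: the removed block warned twice `Ensure it doesn't conflict with your existing OpenVSwitch bridges`, and the replacement drops that warning at the very moment bridge creation becomes automatic. The commit message says antrea-agent creates the bridge and attaches the physical interface only when the bridge "does not exist on the host", but the rendered comment `Configuration of OVS bridges for secondary network.` does not say what happens when a bridge of that name already exists (is it adopted unchanged, or does the agent still add the physical interface to it?), and it does not warn that the interface named in `physicalInterfaces` is taken over by the bridge and so must not be the interface carrying the Node's own address. Please restore the conflict warning, state the existing-bridge behaviour above `ovsBridges:`, and, since this file is what users edit when they do not use Helm, put the `[{bridgeName: "br-vlan", physicalInterfaces: ["eth2"]}]` example from values.yaml here too.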
25 changes: 6 additions & 19 deletions build/charts/antrea/values.yaml
@@ -74,24 +74,11 @@ ovs:
hwOffload: false

secondaryNetwork:
ovs:
# -- Enable OVS bridge configuration for secondary network.
enable: false
# -- Secondary network OVS integration bridge name.
integrationBridgeName: "br-secnet-int"
# -- Secondary network OVS transport bridge name.
transportBridgeName: "br-secnet-trans"
# -- Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
# - system
# - netdev
# -- 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
datapathType: "system"
# -- Name of the OVS patch port which connects the integration and transport bridge.
patchPort: "br-secnet-patch0"
# -- Tunnel protocol used for encapsulating traffic across Nodes. It must be one
# of "geneve", "vxlan", "gre", "stt".
tunnelType: "geneve"
# Configuration of OVS bridges for secondary network.
# The following configuration specifies an OVS bridge with name "br-vlan" and
# a physical interface "eth2":
# [{bridgeName: "br-vlan", physicalInterfaces: ["eth2"]}]
ovsBridges: []

wireGuard:
# -- Port for WireGuard to send and receive traffic.
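Review bot: the new comment above `ovsBridges: []` uses a plain `#`, whereas every neighbouring key uses the helm-docs `# --` marker (the removed `# -- Enable OVS bridge configuration for secondary network.` and the unchanged `# -- Port for WireGuard to send and receive traffic.` right below), so if README.md is produced by helm-docs this description will not be picked up and the README row has to be kept in sync by hand. Switch the first line to `# --`, and add the limits from the commit message (a single bridge, and at most one entry in `physicalInterfaces`) beside the `br-vlan`/`eth2` example, because the list syntax on its own suggests that several interfaces per bridge are accepted.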
@@ -162,7 +149,7 @@ nodeIPAM:
# -- Address of Kubernetes apiserver, to override any value provided in
# kubeconfig or InClusterConfig.
kubeAPIServerOverride: ""
# -- Address of DNS server, to override the kube-dns service. It's used to
# -- Address of DNS server, to override the kube-dns Service. It's used to
# resolve hostname in FQDN policy.
dnsServerOverride: ""
# -- IPv4 CIDR range used for Services. Required when AntreaProxy is disabled.
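Review bot: only `service` was changed to `Service` in this comment, so its second line still reads `resolve hostname in FQDN policy` while the same commit rewrites the sentence in README.md and antrea-agent.conf as `resolve hostnames in a FQDN policy`. The README row for `dnsServerOverride` is derived from this `# --` comment, so update it to the same text (preferably `an FQDN policy`) so the three places do not drift apart.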
15 changes: 8 additions & 7 deletions build/yamls/antrea-aks.yml
@@ -3330,14 +3330,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
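Review bot: the file-level counts (8 additions, 7 deletions) are exactly the comment reflow in this hunk plus the two `checksum/config` lines, so neither the old `secondaryNetwork.ovs` keys nor the new `ovsBridges` list appear in this generated ConfigMap, before or after the change. That is consistent with the `secondaryNetwork` section of the template being rendered only when the feature is enabled, but please confirm that these manifests were regenerated from the updated template rather than edited by hand, since the same `hostnames in a FQDN policy` wording is reproduced here and in antrea-eks.yml, antrea-gke.yml, antrea-ipsec.yml and antrea.yml and will need regenerating again once the template comment is fixed.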
@@ -4553,7 +4554,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 4ebea7300356a753d716270575de36dd3584f67dd62607cd6c9c2a115ac92e62
checksum/config: d946e9b13cef99a0995a8a5af2d421f463b9911d0cc19784f5f6909f81c7c5e4
labels:
app: antrea
component: antrea-agent
@@ -4794,7 +4795,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 4ebea7300356a753d716270575de36dd3584f67dd62607cd6c9c2a115ac92e62
checksum/config: d946e9b13cef99a0995a8a5af2d421f463b9911d0cc19784f5f6909f81c7c5e4
labels:
app: antrea
component: antrea-controller
15 changes: 8 additions & 7 deletions build/yamls/antrea-eks.yml
@@ -3330,14 +3330,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
@@ -4553,7 +4554,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 4ebea7300356a753d716270575de36dd3584f67dd62607cd6c9c2a115ac92e62
checksum/config: d946e9b13cef99a0995a8a5af2d421f463b9911d0cc19784f5f6909f81c7c5e4
labels:
app: antrea
component: antrea-agent
@@ -4795,7 +4796,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 4ebea7300356a753d716270575de36dd3584f67dd62607cd6c9c2a115ac92e62
checksum/config: d946e9b13cef99a0995a8a5af2d421f463b9911d0cc19784f5f6909f81c7c5e4
labels:
app: antrea
component: antrea-controller
15 changes: 8 additions & 7 deletions build/yamls/antrea-gke.yml
@@ -3330,14 +3330,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
@@ -4553,7 +4554,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 48b346133ac76c11a6c456d99aa93c2421e5598a13b9d18d5dd58d6cce5408ff
checksum/config: 7ea66da60a8d3611699dcd72fe2d29166a0d4d4703e398c1f9e14e1bd798a842
labels:
app: antrea
component: antrea-agent
@@ -4792,7 +4793,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 48b346133ac76c11a6c456d99aa93c2421e5598a13b9d18d5dd58d6cce5408ff
checksum/config: 7ea66da60a8d3611699dcd72fe2d29166a0d4d4703e398c1f9e14e1bd798a842
labels:
app: antrea
component: antrea-controller
15 changes: 8 additions & 7 deletions build/yamls/antrea-ipsec.yml
@@ -3343,14 +3343,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
@@ -4566,7 +4567,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: c464a20c63a45190125a9bacb8d0b25cf04ad0e1f45e9bc2be76ebdb74d758bf
checksum/config: 7edb0ca5a492342a990e1e2afa66c77b5b502184c3775c6ce740df344f5b168f
checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
labels:
app: antrea
@@ -4851,7 +4852,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: c464a20c63a45190125a9bacb8d0b25cf04ad0e1f45e9bc2be76ebdb74d758bf
checksum/config: 7edb0ca5a492342a990e1e2afa66c77b5b502184c3775c6ce740df344f5b168f
labels:
app: antrea
component: antrea-controller
15 changes: 8 additions & 7 deletions build/yamls/antrea.yml
@@ -3330,14 +3330,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
@@ -4553,7 +4554,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 38c3b07d25dc21a29a2e7c91aaa95475191b53ca77639ceada4a2604b6425666
checksum/config: 8ad0de1a57d5af052a9a2fa0136ee4f63d1abfee045956be3d8cce8cd069de41
labels:
app: antrea
component: antrea-agent
@@ -4792,7 +4793,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 38c3b07d25dc21a29a2e7c91aaa95475191b53ca77639ceada4a2604b6425666
checksum/config: 8ad0de1a57d5af052a9a2fa0136ee4f63d1abfee045956be3d8cce8cd069de41
labels:
app: antrea
component: antrea-controller

0 comments on commit 48a365d