Promote feature gate NodePortLocal to GA (#5491)

Signed-off-by: hujiajing <hjiajing@vmware.com>

build/charts/antrea/conf/antrea-agent.conf

@@ -247,8 +247,7 @@ flowExporter:
 nodePortLocal:
 {{- with .Values.nodePortLocal }}
 # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
-# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
-# gate is also enabled (which is the default).
+# enable this feature, you need to set "enable" to true.
   enable: {{ .enable }}
 # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
 # from that range will be assigned whenever a Pod's container defines a specific port to be exposed

build/yamls/antrea-aks.yml

@@ -5722,8 +5722,7 @@ data:
 
     nodePortLocal:
     # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
-    # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
-    # gate is also enabled (which is the default).
+    # enable this feature, you need to set "enable" to true.
       enable: false
     # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
     # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
@@ -6854,7 +6853,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 607ef74cdf597a1fbfc4856b3e5aa056785c824999a813af58325382b647fe50
+        checksum/config: 77b5f317f3faa10adebca604e145675d41d73631984cc8fa075069b70f9f0419
       labels:
         app: antrea
         component: antrea-agent
@@ -7095,7 +7094,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 607ef74cdf597a1fbfc4856b3e5aa056785c824999a813af58325382b647fe50
+        checksum/config: 77b5f317f3faa10adebca604e145675d41d73631984cc8fa075069b70f9f0419
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -5722,8 +5722,7 @@ data:
 
     nodePortLocal:
     # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
-    # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
-    # gate is also enabled (which is the default).
+    # enable this feature, you need to set "enable" to true.
       enable: false
     # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
     # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
@@ -6854,7 +6853,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 607ef74cdf597a1fbfc4856b3e5aa056785c824999a813af58325382b647fe50
+        checksum/config: 77b5f317f3faa10adebca604e145675d41d73631984cc8fa075069b70f9f0419
       labels:
         app: antrea
         component: antrea-agent
@@ -7096,7 +7095,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 607ef74cdf597a1fbfc4856b3e5aa056785c824999a813af58325382b647fe50
+        checksum/config: 77b5f317f3faa10adebca604e145675d41d73631984cc8fa075069b70f9f0419
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -5722,8 +5722,7 @@ data:
 
     nodePortLocal:
     # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
-    # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
-    # gate is also enabled (which is the default).
+    # enable this feature, you need to set "enable" to true.
       enable: false
     # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
     # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
@@ -6854,7 +6853,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4a9f23cea8f1d746acafb5499ea16e210a9ffc771e688dccad220fea5ef9aecb
+        checksum/config: 0b761fc6deaf2ebde722c4d34a9898d9e9370e3c99467d40a28009909011b9e9
       labels:
         app: antrea
         component: antrea-agent
@@ -7093,7 +7092,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4a9f23cea8f1d746acafb5499ea16e210a9ffc771e688dccad220fea5ef9aecb
+        checksum/config: 0b761fc6deaf2ebde722c4d34a9898d9e9370e3c99467d40a28009909011b9e9
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -5735,8 +5735,7 @@ data:
 
     nodePortLocal:
     # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
-    # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
-    # gate is also enabled (which is the default).
+    # enable this feature, you need to set "enable" to true.
       enable: false
     # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
     # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
@@ -6867,7 +6866,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 07ca4a42c47e93bb9fceafbbfa990de8ed812343a86ff399bc179e9c48bda7df
+        checksum/config: 55b17484eb9e47c7af06d7a9367348b851d9de4ad0cdc0e1a3f0b328b08df2d2
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -7152,7 +7151,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 07ca4a42c47e93bb9fceafbbfa990de8ed812343a86ff399bc179e9c48bda7df
+        checksum/config: 55b17484eb9e47c7af06d7a9367348b851d9de4ad0cdc0e1a3f0b328b08df2d2
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -5722,8 +5722,7 @@ data:
 
     nodePortLocal:
     # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
-    # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
-    # gate is also enabled (which is the default).
+    # enable this feature, you need to set "enable" to true.
       enable: false
     # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
     # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
@@ -6854,7 +6853,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4fe41384930f331013210dfda5fa13d1c229f3d208742e6c26700f0563250cc1
+        checksum/config: 5f88b901b90e9499d36fc38364a673d34b6fd6e79344fb63770d65ae3544470a
       labels:
         app: antrea
         component: antrea-agent
@@ -7093,7 +7092,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4fe41384930f331013210dfda5fa13d1c229f3d208742e6c26700f0563250cc1
+        checksum/config: 5f88b901b90e9499d36fc38364a673d34b6fd6e79344fb63770d65ae3544470a
       labels:
         app: antrea
         component: antrea-controller

cmd/antrea-agent/agent.go

@@ -137,7 +137,6 @@ func run(o *Options) error {
 
 	enableAntreaIPAM := features.DefaultFeatureGate.Enabled(features.AntreaIPAM)
 	enableBridgingMode := enableAntreaIPAM && o.config.EnableBridgingMode
-	enableNodePortLocal := features.DefaultFeatureGate.Enabled(features.NodePortLocal) && o.config.NodePortLocal.Enable
 	l7NetworkPolicyEnabled := features.DefaultFeatureGate.Enabled(features.L7NetworkPolicy)
 	enableMulticlusterGW := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableGateway
 	enableMulticlusterNP := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableStretchedNetworkPolicy
@@ -326,7 +325,7 @@ func run(o *Options) error {
 	// Initialize localPodInformer for NPLAgent, AntreaIPAMController,
 	// StretchedNetworkPolicyController, and secondary network controller.
 	var localPodInformer cache.SharedIndexInformer
-	if enableNodePortLocal || enableBridgingMode || enableMulticlusterNP || enableFlowExporter ||
+	if o.enableNodePortLocal || enableBridgingMode || enableMulticlusterNP || enableFlowExporter ||
 		features.DefaultFeatureGate.Enabled(features.SecondaryNetwork) ||
 		features.DefaultFeatureGate.Enabled(features.TrafficControl) {
 		listOptions := func(options *metav1.ListOptions) {
@@ -672,7 +671,7 @@ func run(o *Options) error {
 	go antreaClientProvider.Run(ctx)
 
 	// Initialize the NPL agent.
-	if enableNodePortLocal {
+	if o.enableNodePortLocal {
 		nplController, err := npl.InitializeNPLAgent(
 			k8sClient,
 			serviceInformer,

cmd/antrea-agent/options.go

@@ -98,6 +98,10 @@ type Options struct {
 	// AntreaProxy.Enable. This is used to maintain compatibility with the AntreaProxy feature gate, which was promoted
 	// to GA in v1.14.
 	enableAntreaProxy bool
+	// enableNodePortLocal indicates whether NodePortLocal should be enabled or not, based on feature gate NodePortLocal
+	// and options NodePortLocal.Enable. This is used to maintain compatibility with the NodePortLocal feature gate, which
+	// was promoted to GA in v1.14
+	enableNodePortLocal bool
 
 	defaultLoadBalancerMode config.LoadBalancerMode
 }
@@ -461,7 +465,7 @@ func (o *Options) setK8sNodeDefaultOptions() {
 		}
 	}
 
-	if features.DefaultFeatureGate.Enabled(features.NodePortLocal) {
+	if o.config.NodePortLocal.Enable {
 		switch {
 		case o.config.NodePortLocal.PortRange != "":
 		case o.config.NPLPortRange != "":
@@ -589,16 +593,8 @@ func (o *Options) validateK8sNodeOptions() error {
 	if err := o.validateMulticlusterConfig(encapMode, encryptionMode); err != nil {
 		return err
 	}
-
-	if features.DefaultFeatureGate.Enabled(features.NodePortLocal) {
-		startPort, endPort, err := parsePortRange(o.config.NodePortLocal.PortRange)
-		if err != nil {
-			return fmt.Errorf("NodePortLocal portRange is not valid: %v", err)
-		}
-		o.nplStartPort = startPort
-		o.nplEndPort = endPort
-	} else if o.config.NodePortLocal.Enable {
-		klog.InfoS("The nodePortLocal.enable config option is set to true, but it will be ignored because the NodePortLocal feature gate is disabled")
+	if err := o.validateNodePortLocalConfig(); err != nil {
+		return fmt.Errorf("failed to validate nodePortLocal config: %v", err)
 	}
 	if err := o.validateAntreaIPAMConfig(); err != nil {
 		return fmt.Errorf("failed to validate AntreaIPAM config: %v", err)
@@ -746,3 +742,19 @@ func (o *Options) validateSecondaryNetworkConfig() error {
 
 	return nil
 }
+
+func (o *Options) validateNodePortLocalConfig() error {
+	o.enableNodePortLocal = o.config.NodePortLocal.Enable && features.DefaultFeatureGate.Enabled(features.NodePortLocal)
+	if !features.DefaultFeatureGate.Enabled(features.NodePortLocal) {
+		klog.InfoS("Feature gate `NodePortLocal` is deprecated, please use option `nodePortLocal.enable` to disable NodePortLocal")
+	}
+	if o.enableNodePortLocal {
+		startPort, endPort, err := parsePortRange(o.config.NodePortLocal.PortRange)
+		if err != nil {
+			return fmt.Errorf("NodePortLocal portRange is not valid: %v", err)
+		}
+		o.nplStartPort = startPort
+		o.nplEndPort = endPort
+	}
+	return nil
+}

docs/feature-gates.md

@@ -31,7 +31,7 @@ edit the Agent configuration in the
 ## List of Available Features
 
 | Feature Name                  | Component          | Default | Stage | Alpha Release | Beta Release | GA Release | Extra Requirements | Notes                                         |
-|-------------------------------|--------------------|---------|-------|---------------|--------------|------------|--------------------|-----------------------------------------------|
+| ----------------------------- | ------------------ | ------- | ----- | ------------- | ------------ | ---------- | ------------------ | --------------------------------------------- |
 | `AntreaProxy`                 | Agent              | `true`  | GA    | v0.8          | v0.11        | v1.14      | Yes                | Must be enabled for Windows.                  |
 | `EndpointSlice`               | Agent              | `true`  | GA    | v0.13.0       | v1.11        | v1.14      | Yes                |                                               |
 | `TopologyAwareHints`          | Agent              | `true`  | Beta  | v1.8          | v1.12        | N/A        | Yes                |                                               |
@@ -41,7 +41,7 @@ edit the Agent configuration in the
 | `Traceflow`                   | Agent + Controller | `true`  | Beta  | v0.8          | v0.11        | N/A        | Yes                |                                               |
 | `FlowExporter`                | Agent              | `false` | Alpha | v0.9          | N/A          | N/A        | Yes                |                                               |
 | `NetworkPolicyStats`          | Agent + Controller | `true`  | Beta  | v0.10         | v1.2         | N/A        | No                 |                                               |
-| `NodePortLocal`               | Agent              | `true`  | Beta  | v0.13         | v1.4         | N/A        | Yes                | Important user-facing change in v1.2.0        |
+| `NodePortLocal`               | Agent              | `true`  | GA    | v0.13         | v1.4         | v1.14      | Yes                | Important user-facing change in v1.2.0        |
 | `Egress`                      | Agent + Controller | `true`  | Beta  | v1.0          | v1.6         | N/A        | Yes                |                                               |
 | `NodeIPAM`                    | Controller         | `true`  | Beta  | v1.4          | v1.12        | N/A        | Yes                |                                               |
 | `AntreaIPAM`                  | Agent + Controller | `false` | Alpha | v1.4          | N/A          | N/A        | Yes                |                                               |

docs/node-port-local.md

@@ -31,6 +31,7 @@ NodePortLocal was introduced in v0.13 as an alpha feature, and was graduated to
 beta in v1.4, at which time it was enabled by default. Prior to v1.4, a feature
 gate, `NodePortLocal`, must be enabled on the antrea-agent for the feature to
 work. Starting from Antrea v1.7, NPL is supported on the Windows antrea-agent.
+From Antrea v1.14, NPL is GA.
 
 ## Usage
 

pkg/apiserver/handlers/featuregates/handler_test.go

@@ -65,7 +65,7 @@ func Test_getGatesResponse(t *testing.T) {
 				{Component: "agent", Name: "Multicast", Status: multicastStatus, Version: "BETA"},
 				{Component: "agent", Name: "Multicluster", Status: "Disabled", Version: "ALPHA"},
 				{Component: "agent", Name: "NetworkPolicyStats", Status: "Enabled", Version: "BETA"},
-				{Component: "agent", Name: "NodePortLocal", Status: "Enabled", Version: "BETA"},
+				{Component: "agent", Name: "NodePortLocal", Status: "Enabled", Version: "GA"},
 				{Component: "agent", Name: "SecondaryNetwork", Status: "Disabled", Version: "ALPHA"},
 				{Component: "agent", Name: "ServiceExternalIP", Status: "Disabled", Version: "ALPHA"},
 				{Component: "agent", Name: "SupportBundleCollection", Status: "Disabled", Version: "ALPHA"},
@@ -103,7 +103,7 @@ func Test_getGatesWindowsResponse(t *testing.T) {
 				{Component: "agent-windows", Name: "ExternalNode", Status: "Disabled", Version: "ALPHA"},
 				{Component: "agent-windows", Name: "FlowExporter", Status: "Disabled", Version: "ALPHA"},
 				{Component: "agent-windows", Name: "NetworkPolicyStats", Status: "Enabled", Version: "BETA"},
-				{Component: "agent-windows", Name: "NodePortLocal", Status: "Enabled", Version: "BETA"},
+				{Component: "agent-windows", Name: "NodePortLocal", Status: "Enabled", Version: "GA"},
 				{Component: "agent-windows", Name: "SupportBundleCollection", Status: "Disabled", Version: "ALPHA"},
 				{Component: "agent-windows", Name: "TopologyAwareHints", Status: "Enabled", Version: "BETA"},
 				{Component: "agent-windows", Name: "Traceflow", Status: "Enabled", Version: "BETA"},

pkg/features/antrea_features.go

@@ -78,6 +78,7 @@ const (
 
 	// alpha: v0.13
 	// beta: v1.4
+	// GA: v1.14
 	// Expose Pod ports through NodePort
 	NodePortLocal featuregate.Feature = "NodePortLocal"
 
@@ -165,7 +166,7 @@ var (
 		AntreaIPAM:                  {Default: false, PreRelease: featuregate.Alpha},
 		FlowExporter:                {Default: false, PreRelease: featuregate.Alpha},
 		NetworkPolicyStats:          {Default: true, PreRelease: featuregate.Beta},
-		NodePortLocal:               {Default: true, PreRelease: featuregate.Beta},
+		NodePortLocal:               {Default: true, PreRelease: featuregate.GA},
 		NodeIPAM:                    {Default: true, PreRelease: featuregate.Beta},
 		Multicast:                   {Default: true, PreRelease: featuregate.Beta},
 		Multicluster:                {Default: false, PreRelease: featuregate.Alpha},

test/e2e/nodeportlocal_test.go

@@ -32,7 +32,6 @@ import (
 	npltesting "antrea.io/antrea/pkg/agent/nodeportlocal/testing"
 	"antrea.io/antrea/pkg/agent/nodeportlocal/types"
 	agentconfig "antrea.io/antrea/pkg/config/agent"
-	"antrea.io/antrea/pkg/features"
 )
 
 const (
@@ -55,8 +54,14 @@ func newExpectedNPLAnnotations(nplStartPort, nplEndPort int) *npltesting.Expecte
 	return npltesting.NewExpectedNPLAnnotations(nil, nplStartPort, nplEndPort)
 }
 
-func skipIfNodePortLocalDisabled(tb testing.TB) {
-	skipIfFeatureDisabled(tb, features.NodePortLocal, true, false)
+func skipIfNodePortLocalDisabled(tb testing.TB, data *TestData) {
+	agentConf, err := data.GetAntreaAgentConf()
+	if err != nil {
+		tb.Fatalf("Error getting Antrea Agent configuration: %v:", err)
+	}
+	if !agentConf.NodePortLocal.Enable {
+		tb.Skipf("Skipping test because NodePortLocal is not enabled")
+	}
 }
 
 func configureNPLForAgent(t *testing.T, data *TestData, startPort, endPort int) {
@@ -74,14 +79,15 @@ func configureNPLForAgent(t *testing.T, data *TestData, startPort, endPort int)
 // NodePortLocal related test cases so they can share setup, teardown.
 func TestNodePortLocal(t *testing.T) {
 	skipIfNotIPv4Cluster(t)
-	skipIfNodePortLocalDisabled(t)
 
 	data, err := setupTest(t)
 	if err != nil {
 		t.Fatalf("Error when setting up test: %v", err)
 	}
 	defer teardownTest(t, data)
 
+	skipIfNodePortLocalDisabled(t, data)
+
 	configureNPLForAgent(t, data, defaultStartPort, defaultEndPort)
 	t.Run("testNPLAddPod", func(t *testing.T) { testNPLAddPod(t, data) })
 	t.Run("testNPLMultiplePodsAgentRestart", func(t *testing.T) { testNPLMultiplePodsAgentRestart(t, data) })