Introduce networkMode config option and ipsecEncap mode for Agent

[jianjuns]

Introduce networkMode config option, which now supports two modes:
encapNormal (for normal overlay tunnels) and ipsecEncap (for IPSec
encyption of tunnel traffic). Later, there could be more modes added
like noEncap, hybrid (encapsulation only for traffic across Nodes in
the different underlay subnets) passthrough (use cloud native
networking / underlay network for connectivity), etc..
Remove the enableIPSecTunnel option and use ipsecEncap networkMode
to enable IPSec encyption. This is also to avoid misconfiguration
of IPSec encyption when later we have noEncap and other modes -
IPSec could be enabled for only tunnel traffic.

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-all: to trigger all tests.
• /skip-all: to skip all tests.

These commands can only be run by members of the vmware-tanzu organization.

[jianjuns]

@tnqn @antoninbas @salv-orlando @suwang48404: like to learn your thoughts on the network mode config option.
See also discussion over issue #237.

[antrea-bot]

Thanks for your PR.
Unit tests and code linters are run automatically every time the PR is updated.
E2e, conformance and network policy tests can only be triggered by a member of the vmware-tanzu organization. Regular contributors to the project should join the org.

The following commands are available:

• /test-e2e: to trigger e2e tests.
• /skip-e2e: to skip e2e tests.
• /test-conformance: to trigger conformance tests.
• /skip-conformance: to skip conformance tests.
• /test-networkpolicy: to trigger networkpolicy tests.
• /skip-networkpolicy: to skip networkpolicy tests.
• /test-all: to trigger all tests.
• /skip-all: to skip all tests.

These commands can only be run by members of the vmware-tanzu organization.

[tnqn]

@tnqn @antoninbas @salv-orlando @suwang48404: like to learn your thoughts on the network mode config option.
See also discussion over issue #237.

Just personal feeling, the supported values are not very symmetric, I mean ipsecEncap, thinking whether to encrypt is in not the same dimension as encap, noEncap, hybrid, passthrough (and technically hybrid could enable IPSec too?).
I feel the concern of misconfiguration of IPSec encryption when later we have noEncap and other modes can be easily addressed by adding a validation to the two options, anyway tunnelType is an option specific to encap mode too.

[jianjuns]

Just personal feeling, the supported values are not very symmetric, I mean ipsecEncap, thinking whether to encrypt is in not the same dimension as encap, noEncap, hybrid, passthrough (and technically hybrid could enable IPSec too?).

You must be right. I could only argue "passthrough" is different from other modes too. Then do we need a separate flag for it too?
Anyway, I do not have a strong opinion on this, but just like to learn what you guys think. @antoninbas and @salv-orlando: your thoughts?

[antoninbas]

After thinking about this, I feel the same way as Quan. I think we should keep "ipsec enable" as a separate dimension and validate option consistency in our code.

[suwang48404]

sorry for late reply.

two separate knobs make sense to me

• Encap
• IPSecEnable

[jianjuns]

Ok. I will drop this PR then. Also let me know if you prefer another name for the option to enable IPSec - it is now "enableIPSecTunnel".
@tnqn @antoninbas @susanwu88

[antoninbas]

The name is fine as far as I'm concerned, since IPsec can only be enabled for tunnels created by Antrea.