Add Thiea Manager with basic functionality (#97)

This change adds Theia Manager API Server and a basic NPRecommendationController. For API Server, the followings are added: 1. API server setup and config 2. sample REST endpoint apis/intelligence.theia.antrea.io/v1alpha1/networkpolicyrecommendations 3. codegen scripts for API server 4. helm charts for theia Manager and API server config values An example controller, NPRecommendationController, is also added to Theia manager, which watches NetworkPolicyRecommendation and exposes querier interface for APIServer to consume. When NetworkPolicyRecommendation is deployed in flow-visibility NS, the k8s resources and be properly returned via REST endpoint /apis/intelligence.theia.antrea.io/v1alpha1/networkpolicyrecommendations/{name} Signed-off-by: Shawn Wang <wshaoquan@vmware.com>
antrea-io · Sep 10, 2022 · 486e586 · 486e586
1 parent f230d45
commit 486e586
Show file tree

Hide file tree

Showing 60 changed files with 3,642 additions and 149 deletions.
diff --git a/Makefile b/Makefile
@@ -163,6 +163,19 @@ clickhouse-monitor-plugin:
 	@mkdir -p $(BINDIR)
 	GOOS=linux $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/theia/plugins/clickhouse-monitor
 
+.PHONY: theia-manager
+theia-manager:
+	@echo "===> Building antrea/theia-manager Docker image <==="
+	docker build --pull -t antrea/theia-manager:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.theia-manager.ubuntu $(DOCKER_BUILD_ARGS) .
+	docker tag antrea/theia-manager:$(DOCKER_IMG_VERSION) antrea/theia-manager
+	docker tag antrea/theia-manager:$(DOCKER_IMG_VERSION) projects.registry.vmware.com/antrea/theia-manager
+	docker tag antrea/theia-manager:$(DOCKER_IMG_VERSION) projects.registry.vmware.com/antrea/theia-manager:$(DOCKER_IMG_VERSION)
+
+.PHONY: theia-manager-bin
+theia-manager-bin:
+	@mkdir -p $(BINDIR)
+	GOOS=linux $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/theia/cmd/theia-manager
+
 .PHONY: policy-recommendation
 policy-recommendation:
 	@echo "===> Building antrea/theia-policy-recommendation Docker image <==="

diff --git a/build/charts/theia/README.md b/build/charts/theia/README.md
@@ -63,6 +63,12 @@ Kubernetes: `>= 1.16.0-0`
 | sparkOperator.enable | bool | `false` | Determine whether to install Spark Operator. It is required to run Network Policy Recommendation jobs. |
 | sparkOperator.image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/theia-spark-operator","tag":"v1beta2-1.3.3-3.1.1"}` | Container image used by Spark Operator. |
 | sparkOperator.name | string | `"policy-recommendation"` | Name of Spark Operator. |
+| theiaManager.apiServer.apiPort | int | `11347` | The port for the Theia Manager APIServer to serve on. |
+| theiaManager.apiServer.tlsCipherSuites | string | `""` | Comma-separated list of cipher suites that will be used by the Theia Manager APIservers. If empty, the default Go Cipher Suites will be used. |
+| theiaManager.apiServer.tlsMinVersion | string | `""` | TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. |
+| theiaManager.enable | bool | `false` | Determine whether to install Theia Manager. |
+| theiaManager.image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/theia-manager","tag":""}` | Container image used by Theia Manager. |
+| theiaManager.logVerbosity | int | `0` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)
diff --git a/build/charts/theia/conf/theia-manager.conf b/build/charts/theia/conf/theia-manager.conf
@@ -0,0 +1,13 @@
+# apiServer contains APIServer related configuration options.
+apiServer:
+  # The port for the theia-manager APIServer to serve on.
+  apiPort: {{ .Values.theiaManager.apiServer.apiPort }}
+
+  # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+  # https://golang.org/pkg/crypto/tls/#pkg-constants
+  # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+  # prefer TLS1.3 Cipher Suites whenever possible.
+  tlsCipherSuites: {{ .Values.theiaManager.apiServer.tlsCipherSuites | quote }}
+
+  # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+  tlsMinVersion: {{ .Values.theiaManager.apiServer.tlsMinVersion | quote }}
diff --git a/build/charts/theia/crds/network-policy-recommendation-crd.yaml b/build/charts/theia/crds/network-policy-recommendation-crd.yaml
@@ -0,0 +1,72 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: networkpolicyrecommendations.crd.theia.antrea.io
+  labels:
+    app: theia
+spec:
+  group: crd.theia.antrea.io
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            spec:
+              type: object
+              required:
+                - jobType
+              properties:
+                jobType:
+                  type: string
+                limit:
+                  type: integer
+                policyType:
+                  type: string
+                startTime:
+                  type: string
+                  format: datetime
+                endTime:
+                  type: string
+                  format: datetime
+                nsAllowList:
+                  type: array
+                  items:
+                    type: string
+                excludeLabels:
+                  type: boolean
+                toServices:
+                  type: boolean
+                executorInstances:
+                  type: integer
+                driverCoreRequest:
+                  type: string
+                driverMemory:
+                  type: string
+                executorCoreRequest:
+                  type: string
+                executorMemory:
+                  type: string
+            status:
+              type: object
+              properties:
+                state:
+                  type: string
+      additionalPrinterColumns:
+        - description: Current state of the job
+          jsonPath: .status.state
+          name: State
+          type: string
+      subresources:
+        status: {}
+  scope: Namespaced
+  names:
+    plural: networkpolicyrecommendations
+    singular: networkpolicyrecommendation
+    kind: NetworkPolicyRecommendation
+    shortNames:
+      - npr
diff --git a/build/charts/theia/templates/_helpers.tpl b/build/charts/theia/templates/_helpers.tpl
@@ -93,3 +93,17 @@
 {{- define "clickHouseMonitorImage" -}}
 {{- print .clickhouse.monitor.image.repository ":" (include "clickHouseMonitorImageTag" .) -}}
 {{- end -}}
+
+{{- define "theiaManagerImageTag" -}}
+{{- if .Values.theiaManager.image.tag }}
+{{- .Values.theiaManager.image.tag -}}
+{{- else if eq .Chart.AppVersion "latest" }}
+{{- print "latest" -}}
+{{- else }}
+{{- print "v" .Chart.AppVersion -}}
+{{- end }}
+{{- end -}}
+
+{{- define "theiaManagerImage" -}}
+{{- print .Values.theiaManager.image.repository ":" (include "theiaManagerImageTag" .) -}}
+{{- end -}}
diff --git a/build/charts/theia/templates/theia-manager/clusterrole.yaml b/build/charts/theia/templates/theia-manager/clusterrole.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.theiaManager.enable }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager-role
+rules:
+  # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+  # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
+  # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+  # See https://github.com/kubernetes/kubernetes/pull/85375
+  # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+  # the extension-apiserver-authentication role.
+  - apiGroups: [""]
+    resourceNames: ["extension-apiserver-authentication"]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["crd.theia.antrea.io"]
+    resources: ["networkpolicyrecommendations"]
+    verbs: ["get", "list", "watch"]
+{{- end }}
diff --git a/build/charts/theia/templates/theia-manager/clusterrolebinding.yaml b/build/charts/theia/templates/theia-manager/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.theiaManager.enable }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager-cluster-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: theia-manager
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: theia-manager-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/build/charts/theia/templates/theia-manager/configmap.yaml b/build/charts/theia/templates/theia-manager/configmap.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: theia-manager-configmap
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: theia-manager
+data:
+{{ tpl (.Files.Glob "conf/*").AsConfig . | indent 2 | replace "  \n" "\n" }}
+{{- end }}
diff --git a/build/charts/theia/templates/theia-manager/deployment.yaml b/build/charts/theia/templates/theia-manager/deployment.yaml
@@ -0,0 +1,64 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: theia-manager
+  template:
+    metadata:
+      labels:
+        app: theia-manager
+    spec:
+      containers:
+        - name: theia-manager
+          image: {{ include "theiaManagerImage" . | quote }}
+          imagePullPolicy: {{ .Values.theiaManager.image.pullPolicy }}
+          args:
+            - --config
+            - /etc/theia-manager/theia-manager.conf
+            - --logtostderr=false
+            - --log_dir=/var/log/antrea/theia-manager
+            - --alsologtostderr
+            - --log_file_max_size=100
+            - --log_file_max_num=4
+            {{- if .Values.theiaManager.logVerbosity }}
+            - "--v={{ .Values.theiaManager.logVerbosity }}"
+            {{- end }}
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          ports:
+            - name: "theia-api-http"
+              containerPort: {{ .Values.theiaManager.apiServer.apiPort }}
+          volumeMounts:
+            - mountPath: /etc/theia-manager
+              name: theia-manager-config
+              readOnly: true
+            - mountPath: /var/log/antrea/theia-manager
+              name: host-var-log-antrea-theia-manager
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
+      serviceAccountName: theia-manager
+      volumes:
+        - name: theia-manager-config
+          configMap:
+            name: theia-manager-configmap
+        - name: host-var-log-antrea-theia-manager
+          hostPath:
+            path: /var/log/antrea/theia-manager
+            type: DirectoryOrCreate
+{{- end }}
diff --git a/build/charts/theia/templates/theia-manager/service.yaml b/build/charts/theia/templates/theia-manager/service.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - port: {{ .Values.theiaManager.apiServer.apiPort }}
+      protocol: TCP
+      targetPort: theia-api-http
+  selector:
+    app: theia-manager
+{{- end }}
diff --git a/build/charts/theia/templates/theia-manager/serviceaccount.yaml b/build/charts/theia/templates/theia-manager/serviceaccount.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/build/charts/theia/values.yaml b/build/charts/theia/values.yaml
@@ -201,3 +201,22 @@ sparkOperator:
     repository: "projects.registry.vmware.com/antrea/theia-spark-operator"
     pullPolicy: "IfNotPresent"
     tag: "v1beta2-1.3.3-3.1.1"
+theiaManager:
+  # -- Determine whether to install Theia Manager.
+  enable: false
+  # -- Container image used by Theia Manager.
+  image:
+    repository: "projects.registry.vmware.com/antrea/theia-manager"
+    pullPolicy: "IfNotPresent"
+    tag: ""
+  # apiServer contains APIServer related configuration options.
+  apiServer:
+    # -- The port for the Theia Manager APIServer to serve on.
+    apiPort: 11347
+    # -- Comma-separated list of cipher suites that will be used by the Theia Manager
+    # APIservers. If empty, the default Go Cipher Suites will be used.
+    tlsCipherSuites: ""
+    # -- TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    tlsMinVersion: ""
+  ## -- Log verbosity switch for Theia Manager.
+  logVerbosity: 0
diff --git a/build/images/Dockerfile.theia-manager.ubuntu b/build/images/Dockerfile.theia-manager.ubuntu
@@ -0,0 +1,17 @@
+ARG GO_VERSION
+FROM golang:${GO_VERSION} as theia-manager-build
+
+COPY . /theia
+WORKDIR /theia
+
+RUN make theia-manager-bin
+
+# Chose this base image so that a shell is available for users to exec into the container
+FROM ubuntu:20.04
+
+LABEL maintainer="Antrea <projectantrea-dev@googlegroups.com>"
+LABEL description="A docker image to deploy theia manager."
+
+COPY --from=theia-manager-build /theia/bin/theia-manager /
+
+ENTRYPOINT ["/theia-manager"]
diff --git a/cmd/theia-manager/main.go b/cmd/theia-manager/main.go
@@ -0,0 +1,60 @@
+// Copyright 2022 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package main under directory cmd parses and validates user input,
+// instantiates and initializes objects imported from pkg, and runs
+// the process.
+package main
+
+import (
+	"os"
+
+	"antrea.io/antrea/pkg/log"
+	"github.com/spf13/cobra"
+	"k8s.io/klog/v2"
+)
+
+func main() {
+	command := newTheiaManagerCommand()
+	if err := command.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
+
+func newTheiaManagerCommand() *cobra.Command {
+	opts := newOptions()
+
+	cmd := &cobra.Command{
+		Use:  "theia-manager",
+		Long: "The Theia Manager.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.InitLogs(cmd.Flags())
+			defer log.FlushLogs()
+			if err := opts.complete(args); err != nil {
+				klog.Fatalf("Failed to complete args: %v", err)
+			}
+			if err := opts.validate(args); err != nil {
+				klog.Fatalf("Failed to validate args: %v", err)
+			}
+			if err := run(opts); err != nil {
+				klog.Fatalf("Error running theia manager: %v", err)
+			}
+		},
+	}
+
+	flags := cmd.Flags()
+	opts.addFlags(flags)
+	log.AddFlags(flags)
+	return cmd
+}