Add Theia Manager API Server

This change adds the following:
1. API server setup and config
2. sample REST endpoint apis/intelligence.theia.antrea.io/v1alpha1/networkpolicyrecommendations
3. codegen scripts for API server
4. helm charts for theia Manager and API server config values

Signed-off-by: Shawn Wang <wshaoquan@vmware.com>

Makefile

@@ -163,6 +163,19 @@ clickhouse-monitor-plugin:
 	@mkdir -p $(BINDIR)
 	GOOS=linux $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/theia/plugins/clickhouse-monitor
 
+.PHONY: theia-manager
+theia-manager:
+	@echo "===> Building antrea/theia-manager Docker image <==="
+	docker build --pull -t antrea/theia-manager:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.theia-manager.ubuntu $(DOCKER_BUILD_ARGS) .
+	docker tag antrea/theia-manager:$(DOCKER_IMG_VERSION) antrea/theia-manager
+	docker tag antrea/theia-manager:$(DOCKER_IMG_VERSION) projects.registry.vmware.com/antrea/theia-manager
+	docker tag antrea/theia-manager:$(DOCKER_IMG_VERSION) projects.registry.vmware.com/antrea/theia-manager:$(DOCKER_IMG_VERSION)
+
+.PHONY: theia-manager-bin
+theia-manager-bin:
+	@mkdir -p $(BINDIR)
+	GOOS=linux $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/theia/cmd/theia-manager
+
 .PHONY: policy-recommendation
 policy-recommendation:
 	@echo "===> Building antrea/theia-policy-recommendation Docker image <==="

build/charts/theia/README.md

@@ -62,6 +62,12 @@ Kubernetes: `>= 1.16.0-0`
 | sparkOperator.enable | bool | `false` | Determine whether to install Spark Operator. It is required to run Network Policy Recommendation jobs. |
 | sparkOperator.image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/theia-spark-operator","tag":"v1beta2-1.3.3-3.1.1"}` | Container image used by Spark Operator. |
 | sparkOperator.name | string | `"policy-recommendation"` | Name of Spark Operator. |
+| theiaManager.apiServer.apiPort | int | `11347` | The port for the Flow Aggregator APIServer to serve on. |
+| theiaManager.apiServer.tlsCipherSuites | string | `""` | Comma-separated list of cipher suites that will be used by the Theia Manager APIservers. If empty, the default Go Cipher Suites will be used. |
+| theiaManager.apiServer.tlsMinVersion | string | `""` | TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. |
+| theiaManager.enable | bool | `false` | Determine whether to install Theia Manager. |
+| theiaManager.image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/theia-manager","tag":""}` | Container image used by Theia Manager. |
+| theiaManager.logVerbosity | int | `0` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)

build/charts/theia/conf/theia-manager.conf

@@ -0,0 +1,13 @@
+# apiServer contains APIServer related configuration options.
+apiServer:
+  # The port for the flow-aggregator APIServer to serve on.
+  apiPort: {{ .Values.theiaManager.apiServer.apiPort }}
+
+  # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+  # https://golang.org/pkg/crypto/tls/#pkg-constants
+  # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+  # prefer TLS1.3 Cipher Suites whenever possible.
+  tlsCipherSuites: {{ .Values.theiaManager.apiServer.tlsCipherSuites | quote }}
+
+  # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+  tlsMinVersion: {{ .Values.theiaManager.apiServer.tlsMinVersion | quote }}

build/charts/theia/templates/_helpers.tpl

@@ -93,3 +93,17 @@
 {{- define "clickHouseMonitorImage" -}}
 {{- print .clickhouse.monitor.image.repository ":" (include "clickHouseMonitorImageTag" .) -}}
 {{- end -}}
+
+{{- define "theiaManagerImageTag" -}}
+{{- if .Values.theiaManager.image.tag }}
+{{- .Values.theiaManager.image.tag -}}
+{{- else if eq .Chart.AppVersion "latest" }}
+{{- print "latest" -}}
+{{- else }}
+{{- print "v" .Chart.AppVersion -}}
+{{- end }}
+{{- end -}}
+
+{{- define "theiaManagerImage" -}}
+{{- print .Values.theiaManager.image.repository ":" (include "theiaManagerImageTag" .) -}}
+{{- end -}}

build/charts/theia/templates/theia-manager/clusterrole.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.theiaManager.enable }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager-role
+rules:
+  # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+  # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
+  # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+  # See https://github.com/kubernetes/kubernetes/pull/85375
+  # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+  # the extension-apiserver-authentication role.
+  - apiGroups: [""]
+    resourceNames: ["extension-apiserver-authentication"]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+{{- end }}

build/charts/theia/templates/theia-manager/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.theiaManager.enable }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager-cluster-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: theia-manager
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: theia-manager-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

build/charts/theia/templates/theia-manager/configmap.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: theia-manager-configmap
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: theia-manager
+data:
+{{ tpl (.Files.Glob "conf/*").AsConfig . | indent 2 | replace "  \n" "\n" }}
+{{- end }}

build/charts/theia/templates/theia-manager/deployment.yaml

@@ -0,0 +1,64 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: theia-manager
+  template:
+    metadata:
+      labels:
+        app: theia-manager
+    spec:
+      containers:
+        - name: theia-manager
+          image: {{ include "theiaManagerImage" . | quote }}
+          imagePullPolicy: {{ .Values.theiaManager.image.pullPolicy }}
+          args:
+            - --config
+            - /etc/theia-manager/theia-manager.conf
+            - --logtostderr=false
+            - --log_dir=/var/log/antrea/theia-manager
+            - --alsologtostderr
+            - --log_file_max_size=100
+            - --log_file_max_num=4
+          {{- if .Values.theiaManager.logVerbosity }}
+          - "--v={{ .Values.logVerbosity }}"
+          {{- end }}
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          ports:
+            - name: "theia-api-http"
+              containerPort: {{ .Values.theiaManager.apiServer.apiPort }}
+          volumeMounts:
+            - mountPath: /etc/theia-manager
+              name: theia-manager-config
+              readOnly: true
+            - mountPath: /var/log/antrea/theia-manager
+              name: host-var-log-antrea-theia-manager
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
+      serviceAccountName: theia-manager
+      volumes:
+        - name: theia-manager-config
+          configMap:
+            name: theia-manager-configmap
+        - name: host-var-log-antrea-theia-manager
+          hostPath:
+            path: /var/log/antrea/theia-manager
+            type: DirectoryOrCreate
+{{- end }}

build/charts/theia/templates/theia-manager/service.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - port: {{ .Values.theiaManager.apiServer.apiPort }}
+      protocol: TCP
+      targetPort: theia-api-http
+  selector:
+    app: theia-manager
+{{- end }}

build/charts/theia/templates/theia-manager/serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager
+  namespace: {{ .Release.Namespace }}
+{{- end }}

build/charts/theia/values.yaml

@@ -198,3 +198,22 @@ sparkOperator:
     repository: "projects.registry.vmware.com/antrea/theia-spark-operator"
     pullPolicy: "IfNotPresent"
     tag: "v1beta2-1.3.3-3.1.1"
+theiaManager:
+  # -- Determine whether to install Theia Manager.
+  enable: false
+  # -- Container image used by Theia Manager.
+  image:
+    repository: "projects.registry.vmware.com/antrea/theia-manager"
+    pullPolicy: "IfNotPresent"
+    tag: ""
+  # apiServer contains APIServer related configuration options.
+  apiServer:
+    # -- The port for the Flow Aggregator APIServer to serve on.
+    apiPort: 11347
+    # -- Comma-separated list of cipher suites that will be used by the Theia Manager
+    # APIservers. If empty, the default Go Cipher Suites will be used.
+    tlsCipherSuites: ""
+    # -- TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    tlsMinVersion: ""
+  ## -- Log verbosity switch for Theia Manager.
+  logVerbosity: 0

build/images/Dockerfile.theia-manager.ubuntu

@@ -0,0 +1,20 @@
+ARG GO_VERSION
+FROM golang:${GO_VERSION} as theia-manager-build
+
+COPY . /theia
+WORKDIR /theia
+
+# Statically links theia-manager binary.
+RUN CGO_ENABLED=0 make theia-manager-bin
+
+# Chose this base image so that a shell is available for users to exec into the container
+FROM ubuntu:20.04
+
+LABEL maintainer="Antrea <projectantrea-dev@googlegroups.com>"
+LABEL description="A docker image to deploy theia manager."
+
+ENV USER root
+
+COPY --from=theia-manager-build /theia/bin/theia-manager /
+
+ENTRYPOINT ["/theia-manager"]

cmd/theia-manager/main.go

@@ -0,0 +1,60 @@
+// Copyright 2022 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package main under directory cmd parses and validates user input,
+// instantiates and initializes objects imported from pkg, and runs
+// the process.
+package main
+
+import (
+	"os"
+
+	"antrea.io/antrea/pkg/log"
+	"github.com/spf13/cobra"
+	"k8s.io/klog/v2"
+)
+
+func main() {
+	command := newTheiaManagerCommand()
+	if err := command.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
+
+func newTheiaManagerCommand() *cobra.Command {
+	opts := newOptions()
+
+	cmd := &cobra.Command{
+		Use:  "theia-manager",
+		Long: "The Theia Manager.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.InitLogs(cmd.Flags())
+			defer log.FlushLogs()
+			if err := opts.complete(args); err != nil {
+				klog.Fatalf("Failed to complete args: %v", err)
+			}
+			if err := opts.validate(args); err != nil {
+				klog.Fatalf("Failed to validate args: %v", err)
+			}
+			if err := run(opts); err != nil {
+				klog.Fatalf("Error running theia manager: %v", err)
+			}
+		},
+	}
+
+	flags := cmd.Flags()
+	opts.addFlags(flags)
+	log.AddFlags(flags)
+	return cmd
+}

cmd/theia-manager/options.go

@@ -0,0 +1,84 @@
+// Copyright 2022 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"errors"
+	"io/ioutil"
+
+	"github.com/spf13/pflag"
+	"gopkg.in/yaml.v2"
+
+	"antrea.io/theia/pkg/apis"
+	managerconfig "antrea.io/theia/pkg/config/theiamanager"
+)
+
+type Options struct {
+	// The path of configuration file.
+	configFile string
+	// The configuration object
+	config *managerconfig.TheiaManagerConfig
+}
+
+func newOptions() *Options {
+	return &Options{
+		config: &managerconfig.TheiaManagerConfig{},
+	}
+}
+
+// addFlags adds flags to fs and binds them to options.
+func (o *Options) addFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&o.configFile, "config", o.configFile, "The path to the configuration file")
+}
+
+// complete completes all the required options.
+func (o *Options) complete(args []string) error {
+	if len(o.configFile) > 0 {
+		c, err := o.loadConfigFromFile(o.configFile)
+		if err != nil {
+			return err
+		}
+		o.config = c
+		o.setDefaults()
+	}
+	return nil
+}
+
+// validate validates all the required options.
+func (o *Options) validate(args []string) error {
+	if len(args) != 0 {
+		return errors.New("no positional arguments are supported")
+	}
+	return nil
+}
+
+func (o *Options) loadConfigFromFile(file string) (*managerconfig.TheiaManagerConfig, error) {
+	data, err := ioutil.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+	c := managerconfig.TheiaManagerConfig{}
+	err = yaml.UnmarshalStrict(data, &c)
+	if err != nil {
+		return nil, err
+	}
+	return &c, nil
+}
+
+func (o *Options) setDefaults() {
+	if o.config.APIServer.APIPort == 0 {
+		o.config.APIServer.APIPort = apis.TheiaManagerAPIPort
+	}
+}