Add Thiea Manager with basic functionality

Makefile

@@ -163,6 +163,19 @@ clickhouse-monitor-plugin:
 	@mkdir -p $(BINDIR)
 	GOOS=linux $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/theia/plugins/clickhouse-monitor
 
+.PHONY: theia-manager
+theia-manager:
+	@echo "===> Building antrea/theia-manager Docker image <==="
+	docker build --pull -t antrea/theia-manager:$(DOCKER_IMG_VERSION) -f build/images/Dockerfile.theia-manager.ubuntu $(DOCKER_BUILD_ARGS) .
+	docker tag antrea/theia-manager:$(DOCKER_IMG_VERSION) antrea/theia-manager
+	docker tag antrea/theia-manager:$(DOCKER_IMG_VERSION) projects.registry.vmware.com/antrea/theia-manager
+	docker tag antrea/theia-manager:$(DOCKER_IMG_VERSION) projects.registry.vmware.com/antrea/theia-manager:$(DOCKER_IMG_VERSION)
+
+.PHONY: theia-manager-bin
+theia-manager-bin:
+	@mkdir -p $(BINDIR)
+	GOOS=linux $(GO) build -o $(BINDIR) $(GOFLAGS) -ldflags '$(LDFLAGS)' antrea.io/theia/cmd/theia-manager
+
 .PHONY: policy-recommendation
 policy-recommendation:
 	@echo "===> Building antrea/theia-policy-recommendation Docker image <==="

build/charts/theia/README.md

@@ -62,6 +62,12 @@ Kubernetes: `>= 1.16.0-0`
 | sparkOperator.enable | bool | `false` | Determine whether to install Spark Operator. It is required to run Network Policy Recommendation jobs. |
 | sparkOperator.image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/theia-spark-operator","tag":"v1beta2-1.3.3-3.1.1"}` | Container image used by Spark Operator. |
 | sparkOperator.name | string | `"policy-recommendation"` | Name of Spark Operator. |
+| theiaManager.apiServer.apiPort | int | `11347` | The port for the Theia Manager APIServer to serve on. |
+| theiaManager.apiServer.tlsCipherSuites | string | `""` | Comma-separated list of cipher suites that will be used by the Theia Manager APIservers. If empty, the default Go Cipher Suites will be used. |
+| theiaManager.apiServer.tlsMinVersion | string | `""` | TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. |
+| theiaManager.enable | bool | `false` | Determine whether to install Theia Manager. |
+| theiaManager.image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/theia-manager","tag":""}` | Container image used by Theia Manager. |
+| theiaManager.logVerbosity | int | `0` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)

build/charts/theia/conf/theia-manager.conf

@@ -0,0 +1,13 @@
+# apiServer contains APIServer related configuration options.
+apiServer:
+  # The port for the theia-manager APIServer to serve on.
+  apiPort: {{ .Values.theiaManager.apiServer.apiPort }}
+
+  # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+  # https://golang.org/pkg/crypto/tls/#pkg-constants
+  # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+  # prefer TLS1.3 Cipher Suites whenever possible.
+  tlsCipherSuites: {{ .Values.theiaManager.apiServer.tlsCipherSuites | quote }}
+
+  # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+  tlsMinVersion: {{ .Values.theiaManager.apiServer.tlsMinVersion | quote }}

build/charts/theia/crds/network-policy-recommendation-crd.yaml

@@ -0,0 +1,72 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: networkpolicyrecommendations.crd.theia.antrea.io
+  labels:
+    app: theia
+spec:
+  group: crd.theia.antrea.io
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          type: object
+          required:
+            - spec
+          properties:
+            spec:
+              type: object
+              required:
+                - jobType
+              properties:
+                jobType:
+                  type: string
+                limit:
+                  type: integer
+                policyType:
+                  type: string
+                startTime:
+                  type: string
+                  format: datetime
+                endTime:
+                  type: string
+                  format: datetime
+                nsAllowList:
+                  type: array
+                  items:
+                    type: string
+                excludeLabels:
+                  type: boolean
+                toServices:
+                  type: boolean
+                executorInstances:
+                  type: integer
+                driverCoreRequest:
+                  type: string
+                driverMemory:
+                  type: string
+                executorCoreRequest:
+                  type: string
+                executorMemory:
+                  type: string
+            status:
+              type: object
+              properties:
+                state:
+                  type: string
+      additionalPrinterColumns:
+        - description: Current state of the job
+          jsonPath: .status.state
+          name: State
+          type: string
+      subresources:
+        status: {}
+  scope: Namespaced
+  names:
+    plural: networkpolicyrecommendations
+    singular: networkpolicyrecommendation
+    kind: NetworkPolicyRecommendation
+    shortNames:
+      - npr

build/charts/theia/templates/_helpers.tpl

@@ -93,3 +93,17 @@
 {{- define "clickHouseMonitorImage" -}}
 {{- print .clickhouse.monitor.image.repository ":" (include "clickHouseMonitorImageTag" .) -}}
 {{- end -}}
+
+{{- define "theiaManagerImageTag" -}}
+{{- if .Values.theiaManager.image.tag }}
+{{- .Values.theiaManager.image.tag -}}
+{{- else if eq .Chart.AppVersion "latest" }}
+{{- print "latest" -}}
+{{- else }}
+{{- print "v" .Chart.AppVersion -}}
+{{- end }}
+{{- end -}}
+
+{{- define "theiaManagerImage" -}}
+{{- print .Values.theiaManager.image.repository ":" (include "theiaManagerImageTag" .) -}}
+{{- end -}}

build/charts/theia/templates/theia-manager/clusterrole.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.theiaManager.enable }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager-role
+rules:
+  # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+  # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
+  # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+  # See https://github.com/kubernetes/kubernetes/pull/85375
+  # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+  # the extension-apiserver-authentication role.
+  - apiGroups: [""]
+    resourceNames: ["extension-apiserver-authentication"]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["crd.theia.antrea.io"]
+    resources: ["networkpolicyrecommendations"]
+    verbs: ["get", "list", "watch"]
+{{- end }}

build/charts/theia/templates/theia-manager/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.theiaManager.enable }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager-cluster-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: theia-manager
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: theia-manager-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

build/charts/theia/templates/theia-manager/configmap.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: theia-manager-configmap
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: theia-manager
+data:
+{{ tpl (.Files.Glob "conf/*").AsConfig . | indent 2 | replace "  \n" "\n" }}
+{{- end }}

build/charts/theia/templates/theia-manager/deployment.yaml

@@ -0,0 +1,64 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: theia-manager
+  template:
+    metadata:
+      labels:
+        app: theia-manager
+    spec:
+      containers:
+        - name: theia-manager
+          image: {{ include "theiaManagerImage" . | quote }}
+          imagePullPolicy: {{ .Values.theiaManager.image.pullPolicy }}
+          args:
+            - --config
+            - /etc/theia-manager/theia-manager.conf
+            - --logtostderr=false
+            - --log_dir=/var/log/antrea/theia-manager
+            - --alsologtostderr
+            - --log_file_max_size=100
+            - --log_file_max_num=4
+            {{- if .Values.theiaManager.logVerbosity }}
+            - "--v={{ .Values.theiaManager.logVerbosity }}"
+            {{- end }}
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          ports:
+            - name: "theia-api-http"
+              containerPort: {{ .Values.theiaManager.apiServer.apiPort }}
+          volumeMounts:
+            - mountPath: /etc/theia-manager
+              name: theia-manager-config
+              readOnly: true
+            - mountPath: /var/log/antrea/theia-manager
+              name: host-var-log-antrea-theia-manager
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
+      serviceAccountName: theia-manager
+      volumes:
+        - name: theia-manager-config
+          configMap:
+            name: theia-manager-configmap
+        - name: host-var-log-antrea-theia-manager
+          hostPath:
+            path: /var/log/antrea/theia-manager
+            type: DirectoryOrCreate
+{{- end }}

build/charts/theia/templates/theia-manager/service.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - port: {{ .Values.theiaManager.apiServer.apiPort }}
+      protocol: TCP
+      targetPort: theia-api-http
+  selector:
+    app: theia-manager
+{{- end }}

build/charts/theia/templates/theia-manager/serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.theiaManager.enable }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: theia-manager
+  name: theia-manager
+  namespace: {{ .Release.Namespace }}
+{{- end }}

build/charts/theia/values.yaml

@@ -198,3 +198,22 @@ sparkOperator:
     repository: "projects.registry.vmware.com/antrea/theia-spark-operator"
     pullPolicy: "IfNotPresent"
     tag: "v1beta2-1.3.3-3.1.1"
+theiaManager:
+  # -- Determine whether to install Theia Manager.
+  enable: false
+  # -- Container image used by Theia Manager.
+  image:
+    repository: "projects.registry.vmware.com/antrea/theia-manager"
+    pullPolicy: "IfNotPresent"
+    tag: ""
+  # apiServer contains APIServer related configuration options.
+  apiServer:
+    # -- The port for the Theia Manager APIServer to serve on.
+    apiPort: 11347
+    # -- Comma-separated list of cipher suites that will be used by the Theia Manager
+    # APIservers. If empty, the default Go Cipher Suites will be used.
+    tlsCipherSuites: ""
+    # -- TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+    tlsMinVersion: ""
+  ## -- Log verbosity switch for Theia Manager.
+  logVerbosity: 0

build/images/Dockerfile.theia-manager.ubuntu

@@ -0,0 +1,17 @@
+ARG GO_VERSION
+FROM golang:${GO_VERSION} as theia-manager-build
+
+COPY . /theia
+WORKDIR /theia
+
+RUN make theia-manager-bin
+
+# Chose this base image so that a shell is available for users to exec into the container
+FROM ubuntu:20.04
+
+LABEL maintainer="Antrea <projectantrea-dev@googlegroups.com>"
+LABEL description="A docker image to deploy theia manager."
+
+COPY --from=theia-manager-build /theia/bin/theia-manager /
+
+ENTRYPOINT ["/theia-manager"]

cmd/theia-manager/main.go

@@ -0,0 +1,60 @@
+// Copyright 2022 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package main under directory cmd parses and validates user input,
+// instantiates and initializes objects imported from pkg, and runs
+// the process.
+package main
+
+import (
+	"os"
+
+	"antrea.io/antrea/pkg/log"
+	"github.com/spf13/cobra"
+	"k8s.io/klog/v2"
+)
+
+func main() {
+	command := newTheiaManagerCommand()
+	if err := command.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
+
+func newTheiaManagerCommand() *cobra.Command {
+	opts := newOptions()
+
+	cmd := &cobra.Command{
+		Use:  "theia-manager",
+		Long: "The Theia Manager.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.InitLogs(cmd.Flags())
+			defer log.FlushLogs()
+			if err := opts.complete(args); err != nil {
+				klog.Fatalf("Failed to complete args: %v", err)
+			}
+			if err := opts.validate(args); err != nil {
+				klog.Fatalf("Failed to validate args: %v", err)
+			}
+			if err := run(opts); err != nil {
+				klog.Fatalf("Error running theia manager: %v", err)
+			}
+		},
+	}
+
+	flags := cmd.Flags()
+	opts.addFlags(flags)
+	log.AddFlags(flags)
+	return cmd
+}