Merge branch 'main' into bidirection

.github/workflows/conformance.yml

@@ -1,4 +1,4 @@
-name: Manually run upstream conformance test on Linux
+name: Run upstream conformance tests on Linux
 run-name: Run ${{ inputs.test-suite }} test with Antrea ${{ inputs.antrea-version }} and K8s ${{ inputs.k8s-version }}
 
 on:

build/charts/antrea/README.md

@@ -55,6 +55,7 @@ Kubernetes: `>= 1.19.0-0`
 | agent.updateStrategy | object | `{"type":"RollingUpdate"}` | Update strategy for the antrea-agent DaemonSet. |
 | agentImage | object | `{"pullPolicy":"IfNotPresent","repository":"antrea/antrea-agent-ubuntu","tag":""}` | Container image to use for the antrea-agent component. |
 | antreaProxy.defaultLoadBalancerMode | string | `"nat"` | Determines how external traffic is processed when it's load balanced across Nodes by default. It must be one of "nat" or "dsr". |
+| antreaProxy.disableServiceHealthCheckServer | bool | `false` | Disables the health check server run by Antrea Proxy, which provides health information about Services of type LoadBalancer with externalTrafficPolicy set to Local, when proxyAll is enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed. |
 | antreaProxy.enable | bool | `true` | To disable AntreaProxy, set this to false. |
 | antreaProxy.nodePortAddresses | list | `[]` | String array of values which specifies the host IPv4/IPv6 addresses for NodePort. By default, all host addresses are used. |
 | antreaProxy.proxyAll | bool | `false` | Proxy all Service traffic, for all Service types, regardless of where it comes from. |

build/charts/antrea/conf/antrea-agent.conf

@@ -411,6 +411,11 @@ antreaProxy:
   #                  can reply to clients directly, bypassing the ingress Node.
   # A Service's load balancer mode can be overridden by annotating it with `service.antrea.io/load-balancer-mode`.
   defaultLoadBalancerMode: {{ .defaultLoadBalancerMode | quote }}
+  # Disables the health check server run by Antrea Proxy, which provides health information about
+  # Services of type LoadBalancer with externalTrafficPolicy set to Local, when proxyAll is
+  # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
+  # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
+  disableServiceHealthCheckServer: {{ .disableServiceHealthCheckServer }}
 {{- end }}
 
 # IPsec tunnel related configurations.

build/charts/antrea/crds/bgppolicy.yaml

@@ -55,6 +55,21 @@ spec:
                   minimum: 1
                   maximum: 65535
                   default: 179
+                confederation:
+                  type: object
+                  properties:
+                    identifier:
+                      type: integer
+                      format: int32
+                      minimum: 1
+                      maximum: 65535
+                    memberASNs:
+                      type: array
+                      items:
+                        type: integer
+                        format: int32
+                        minimum: 1
+                        maximum: 65535
                 advertisements:
                   type: object
                   properties:

build/charts/antrea/values.yaml

@@ -153,6 +153,12 @@ antreaProxy:
   # -- Determines how external traffic is processed when it's load balanced
   # across Nodes by default. It must be one of "nat" or "dsr".
   defaultLoadBalancerMode: "nat"
+  # -- Disables the health check server run by Antrea Proxy, which provides health
+  # information about Services of type LoadBalancer with externalTrafficPolicy set to
+  # Local, when proxyAll is enabled. This avoids race conditions between kube-proxy
+  # and Antrea proxy, with both trying to bind to the same addresses, when proxyAll
+  # is enabled while kube-proxy has not been removed.
+  disableServiceHealthCheckServer: false
 
 nodeIPAM:
   # -- Enable Node IPAM in Antrea

build/charts/flow-aggregator/README.md

@@ -50,6 +50,7 @@ Kubernetes: `>= 1.19.0-0`
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"antrea/flow-aggregator","tag":""}` | Container image used by Flow Aggregator. |
 | inactiveFlowRecordTimeout | string | `"90s"` | Provide the inactive flow record timeout as a duration string. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
 | logVerbosity | int | `0` | Log verbosity switch for Flow Aggregator. |
+| mode | string | `"Aggregate"` | Mode in which to run the flow aggregator. Must be one of "Aggregate" or "Proxy". In Aggregate mode, flow records received from source and destination are aggregated and sent as one flow record. In Proxy mode, flow records are enhanced with some additional information, then sent directly without buffering or aggregation. |
 | recordContents.podLabels | bool | `false` | Determine whether source and destination Pod labels will be included in the flow records. |
 | s3Uploader.awsCredentials | object | `{"aws_access_key_id":"changeme","aws_secret_access_key":"changeme","aws_session_token":""}` | Credentials to authenticate to AWS. They will be stored in a Secret and injected into the Pod as environment variables. |
 | s3Uploader.bucketName | string | `""` | BucketName is the name of the S3 bucket to which flow records will be uploaded. It is required. |

build/charts/flow-aggregator/conf/flow-aggregator.conf

@@ -1,3 +1,9 @@
+# Mode in which to run the flow aggregator. Must be one of "Aggregate" or "Proxy". In Aggregate
+# mode, flow records received from source and destination are aggregated and sent as one flow
+# record. In Proxy mode, flow records are enhanced with some additional information, then sent
+# directly without buffering or aggregation.
+mode: {{ .Values.mode }}
+
 # Provide the active flow record timeout as a duration string. This determines
 # how often the flow aggregator exports the active flow records to the flow
 # collector. Thus, for flows with a continuous stream of packets, a flow record

build/charts/flow-aggregator/values.yaml

@@ -4,6 +4,11 @@ image:
   pullPolicy: "IfNotPresent"
   tag: ""
 
+# -- Mode in which to run the flow aggregator. Must be one of "Aggregate" or "Proxy". In Aggregate
+# mode, flow records received from source and destination are aggregated and sent as one flow
+# record. In Proxy mode, flow records are enhanced with some additional information, then sent
+# directly without buffering or aggregation.
+mode: "Aggregate"
 # -- Provide the active flow record timeout as a duration string.
 # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
 activeFlowRecordTimeout: 60s

build/yamls/antrea-aks.yml

@@ -359,6 +359,21 @@ spec:
                   minimum: 1
                   maximum: 65535
                   default: 179
+                confederation:
+                  type: object
+                  properties:
+                    identifier:
+                      type: integer
+                      format: int32
+                      minimum: 1
+                      maximum: 65535
+                    memberASNs:
+                      type: array
+                      items:
+                        type: integer
+                        format: int32
+                        minimum: 1
+                        maximum: 65535
                 advertisements:
                   type: object
                   properties:
@@ -4333,6 +4348,11 @@ data:
       #                  can reply to clients directly, bypassing the ingress Node.
       # A Service's load balancer mode can be overridden by annotating it with `service.antrea.io/load-balancer-mode`.
       defaultLoadBalancerMode: "nat"
+      # Disables the health check server run by Antrea Proxy, which provides health information about
+      # Services of type LoadBalancer with externalTrafficPolicy set to Local, when proxyAll is
+      # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
+      # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
+      disableServiceHealthCheckServer: false
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -5409,7 +5429,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: f7ac1903ae9edfd45361cb67b991cb23f708f15cb5cb862bffd70e95dcd776fb
+        checksum/config: e9ed628a60f731498979612c9d28080dc89b4f54b1dcbb5e86fce29df7c482f1
       labels:
         app: antrea
         component: antrea-agent
@@ -5653,7 +5673,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: f7ac1903ae9edfd45361cb67b991cb23f708f15cb5cb862bffd70e95dcd776fb
+        checksum/config: e9ed628a60f731498979612c9d28080dc89b4f54b1dcbb5e86fce29df7c482f1
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-crds.yml

@@ -354,6 +354,21 @@ spec:
                   minimum: 1
                   maximum: 65535
                   default: 179
+                confederation:
+                  type: object
+                  properties:
+                    identifier:
+                      type: integer
+                      format: int32
+                      minimum: 1
+                      maximum: 65535
+                    memberASNs:
+                      type: array
+                      items:
+                        type: integer
+                        format: int32
+                        minimum: 1
+                        maximum: 65535
                 advertisements:
                   type: object
                   properties:

build/yamls/antrea-eks.yml

@@ -359,6 +359,21 @@ spec:
                   minimum: 1
                   maximum: 65535
                   default: 179
+                confederation:
+                  type: object
+                  properties:
+                    identifier:
+                      type: integer
+                      format: int32
+                      minimum: 1
+                      maximum: 65535
+                    memberASNs:
+                      type: array
+                      items:
+                        type: integer
+                        format: int32
+                        minimum: 1
+                        maximum: 65535
                 advertisements:
                   type: object
                   properties:
@@ -4333,6 +4348,11 @@ data:
       #                  can reply to clients directly, bypassing the ingress Node.
       # A Service's load balancer mode can be overridden by annotating it with `service.antrea.io/load-balancer-mode`.
       defaultLoadBalancerMode: "nat"
+      # Disables the health check server run by Antrea Proxy, which provides health information about
+      # Services of type LoadBalancer with externalTrafficPolicy set to Local, when proxyAll is
+      # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
+      # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
+      disableServiceHealthCheckServer: false
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -5409,7 +5429,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: f7ac1903ae9edfd45361cb67b991cb23f708f15cb5cb862bffd70e95dcd776fb
+        checksum/config: e9ed628a60f731498979612c9d28080dc89b4f54b1dcbb5e86fce29df7c482f1
       labels:
         app: antrea
         component: antrea-agent
@@ -5654,7 +5674,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: f7ac1903ae9edfd45361cb67b991cb23f708f15cb5cb862bffd70e95dcd776fb
+        checksum/config: e9ed628a60f731498979612c9d28080dc89b4f54b1dcbb5e86fce29df7c482f1
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -359,6 +359,21 @@ spec:
                   minimum: 1
                   maximum: 65535
                   default: 179
+                confederation:
+                  type: object
+                  properties:
+                    identifier:
+                      type: integer
+                      format: int32
+                      minimum: 1
+                      maximum: 65535
+                    memberASNs:
+                      type: array
+                      items:
+                        type: integer
+                        format: int32
+                        minimum: 1
+                        maximum: 65535
                 advertisements:
                   type: object
                   properties:
@@ -4333,6 +4348,11 @@ data:
       #                  can reply to clients directly, bypassing the ingress Node.
       # A Service's load balancer mode can be overridden by annotating it with `service.antrea.io/load-balancer-mode`.
       defaultLoadBalancerMode: "nat"
+      # Disables the health check server run by Antrea Proxy, which provides health information about
+      # Services of type LoadBalancer with externalTrafficPolicy set to Local, when proxyAll is
+      # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
+      # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
+      disableServiceHealthCheckServer: false
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -5409,7 +5429,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 00ba3a60f132691721ba2e84c5c8f0a9eddc32593b38798de8f59d52fff54169
+        checksum/config: adf1e0f238974d7f83bd321a403f1613ae7e695f06b5366cee645a39141872db
       labels:
         app: antrea
         component: antrea-agent
@@ -5651,7 +5671,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 00ba3a60f132691721ba2e84c5c8f0a9eddc32593b38798de8f59d52fff54169
+        checksum/config: adf1e0f238974d7f83bd321a403f1613ae7e695f06b5366cee645a39141872db
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -359,6 +359,21 @@ spec:
                   minimum: 1
                   maximum: 65535
                   default: 179
+                confederation:
+                  type: object
+                  properties:
+                    identifier:
+                      type: integer
+                      format: int32
+                      minimum: 1
+                      maximum: 65535
+                    memberASNs:
+                      type: array
+                      items:
+                        type: integer
+                        format: int32
+                        minimum: 1
+                        maximum: 65535
                 advertisements:
                   type: object
                   properties:
@@ -4346,6 +4361,11 @@ data:
       #                  can reply to clients directly, bypassing the ingress Node.
       # A Service's load balancer mode can be overridden by annotating it with `service.antrea.io/load-balancer-mode`.
       defaultLoadBalancerMode: "nat"
+      # Disables the health check server run by Antrea Proxy, which provides health information about
+      # Services of type LoadBalancer with externalTrafficPolicy set to Local, when proxyAll is
+      # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
+      # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
+      disableServiceHealthCheckServer: false
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -5422,7 +5442,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4b9bbfbbda1ab405ade14e797ea88fbd6f3795bb6aae9df0496409d542799145
+        checksum/config: 9b14e08a59181e975a2326f4ef4a7c55a1640027bda93ad0ee09fe2ef18b7491
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -5710,7 +5730,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 4b9bbfbbda1ab405ade14e797ea88fbd6f3795bb6aae9df0496409d542799145
+        checksum/config: 9b14e08a59181e975a2326f4ef4a7c55a1640027bda93ad0ee09fe2ef18b7491
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -359,6 +359,21 @@ spec:
                   minimum: 1
                   maximum: 65535
                   default: 179
+                confederation:
+                  type: object
+                  properties:
+                    identifier:
+                      type: integer
+                      format: int32
+                      minimum: 1
+                      maximum: 65535
+                    memberASNs:
+                      type: array
+                      items:
+                        type: integer
+                        format: int32
+                        minimum: 1
+                        maximum: 65535
                 advertisements:
                   type: object
                   properties:
@@ -4333,6 +4348,11 @@ data:
       #                  can reply to clients directly, bypassing the ingress Node.
       # A Service's load balancer mode can be overridden by annotating it with `service.antrea.io/load-balancer-mode`.
       defaultLoadBalancerMode: "nat"
+      # Disables the health check server run by Antrea Proxy, which provides health information about
+      # Services of type LoadBalancer with externalTrafficPolicy set to Local, when proxyAll is
+      # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
+      # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
+      disableServiceHealthCheckServer: false
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -5409,7 +5429,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e4e94ba89524d8fdc7eb3ad6e0f6948767f3d92ef767f17c47da348f08b5c2e0
+        checksum/config: afc566f7a719f6dd3ff30e3b495df2e4f5991e5a8d0696f891dc9c77ce795e2f
       labels:
         app: antrea
         component: antrea-agent
@@ -5651,7 +5671,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e4e94ba89524d8fdc7eb3ad6e0f6948767f3d92ef767f17c47da348f08b5c2e0
+        checksum/config: afc566f7a719f6dd3ff30e3b495df2e4f5991e5a8d0696f891dc9c77ce795e2f
       labels:
         app: antrea
         component: antrea-controller

build/yamls/flow-aggregator.yml

@@ -154,6 +154,12 @@ subjects:
 apiVersion: v1
 data:
   flow-aggregator.conf: |
+    # Mode in which to run the flow aggregator. Must be one of "Aggregate" or "Proxy". In Aggregate
+    # mode, flow records received from source and destination are aggregated and sent as one flow
+    # record. In Proxy mode, flow records are enhanced with some additional information, then sent
+    # directly without buffering or aggregation.
+    mode: Aggregate
+
     # Provide the active flow record timeout as a duration string. This determines
     # how often the flow aggregator exports the active flow records to the flow
     # collector. Thus, for flows with a continuous stream of packets, a flow record