
Commit

Support OVS bridge creation for secondary network (#5279)
Add OVS bridge configuration to the secondary network configuration in
antrea-agent.conf, which specifies the OVS bridges for Pod secondary
networks and also physical interfaces of the bridges. At the moment,
only a single bridge is supported and at most one physical interface
can be configured on the bridge. antrea-agent will automatically create
the OVS bridge and connect the physical interface (if specified) to
the bridge, when the bridge is specified in the secondary network
configuration and does not exist on the host.

Signed-off-by: Jianjun Shen <[email protected]>
jianjuns authored Aug 7, 2023
1 parent 18cca5f commit 8ac8a91
Showing 23 changed files with 553 additions and 117 deletions.
5 changes: 3 additions & 2 deletions build/charts/antrea/README.md
Expand Up @@ -72,9 +72,9 @@ Kubernetes: `>= 1.16.0-0`
| controller.tolerations | list | `[{"key":"CriticalAddonsOnly","operator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"}]` | Tolerations for the antrea-controller Pod. |
| defaultMTU | int | `0` | Default MTU to use for the host gateway interface and the network interface of each Pod. By default, antrea-agent will discover the MTU of the Node's primary interface and adjust it to accommodate for tunnel encapsulation overhead if applicable. |
| disableTXChecksumOffload | bool | `false` | Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. It affects Pods running on Linux Nodes only. |
| dnsServerOverride | string | `""` | Address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. |
| dnsServerOverride | string | `""` | Address of DNS server, to override the kube-dns Service. It's used to resolve hostnames in a FQDN policy. |
| egress.exceptCIDRs | list | `[]` | CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. |
| egress.maxEgressIPsPerNode | int | `255` | The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255. |
| egress.maxEgressIPsPerNode | int | `255` | The maximum number of Egress IPs that can be assigned to a Node. It is useful when the Node network restricts the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255. |
| enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. |
| featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. |
| flowExporter.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. |
Expand Down Expand Up @@ -111,6 +111,7 @@ Kubernetes: `>= 1.16.0-0`
| nodePortLocal.portRange | string | `"61000-62000"` | Port range used by NodePortLocal when creating Pod port mappings. |
| ovs.bridgeName | string | `"br-int"` | Name of the OVS bridge antrea-agent will create and use. |
| ovs.hwOffload | bool | `false` | Enable hardware offload for the OVS bridge (required additional configuration). |
| secondaryNetwork.ovsBridges | list | `[]` | Configuration of OVS bridges for secondary network. At the moment, at most one OVS bridge can be specified. If the specified bridge does not exist on the Node, antrea-agent will create it based on the configuration. The following configuration specifies an OVS bridge with name "br1" and a physical interface "eth1": [{bridgeName: "br1", physicalInterfaces: ["eth1"]}] |
| serviceCIDR | string | `""` | IPv4 CIDR range used for Services. Required when AntreaProxy is disabled. |
| serviceCIDRv6 | string | `""` | IPv6 CIDR range used for Services. Required when AntreaProxy is disabled. |
| testing.coverage | bool | `false` | Enable code coverage measurement (used when testing Antrea only). |
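Review bot: the new secondaryNetwork.ovsBridges row documents the one-bridge limit but not the other limit the commit message states, that at most one physical interface can be configured on the bridge; add that to the description so a two-entry physicalInterfaces list is not a surprise at agent start. The row should also say what the agent does with an interface listed in physicalInterfaces (it is attached to the bridge the agent creates) and whether the interface must be dedicated to the secondary network, since the enableBridgingMode row above describes a separate mode for connecting the Node's transport interface to an OVS bridge and readers will otherwise conflate the two.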
Expand Down
22 changes: 17 additions & 5 deletions build/charts/antrea/conf/antrea-agent.conf
Expand Up @@ -254,14 +254,15 @@ nodePortLocal:
portRange: {{ .portRange | quote }}
{{- end }}

# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }}

# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: {{ .Values.dnsServerOverride | quote }}

# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -413,3 +414,14 @@ auditLogging:
# Compress enables gzip compression on rotated files.
compress: {{ .compress }}
{{- end }}

{{- if .Values.featureGates.SecondaryNetwork }}

secondaryNetwork:
{{- with .Values.secondaryNetwork }}
# Configuration of OVS bridges for secondary network.
ovsBridges:
{{- toYaml .ovsBridges | trim | nindent 6 }}
{{- end }}

{{- end }}
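Review bot: the template comment `# Configuration of OVS bridges for secondary network.` is the only description a user of the generated antrea-agent.conf (the static build/yamls manifests) will see, because the bridgeName/physicalInterfaces schema, the one-bridge limit and the "br1"/"eth1" example live only in the values.yaml comment; copy that description into this template comment so the rendered ConfigMap is self-describing. Note also that the whole block sits inside `{{- if .Values.featureGates.SecondaryNetwork }}`, so with the gate at its default the section is never rendered into the static manifests and users of those manifests must add it by hand.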
22 changes: 16 additions & 6 deletions build/charts/antrea/values.yaml
Expand Up @@ -93,8 +93,9 @@ ipsec:
egress:
# -- CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses.
exceptCIDRs: []
# -- The maximum number of Egress IPs that can be assigned to a Node. It's useful when the Node network restricts
# the number of secondary IPs a Node can have, e.g. EKS. It must not be greater than 255.
# -- The maximum number of Egress IPs that can be assigned to a Node. It is
# useful when the Node network restricts the number of secondary IPs a Node
# can have, e.g. EKS. It must not be greater than 255.
maxEgressIPsPerNode: 255

nodePortLocal:
Expand All @@ -121,8 +122,8 @@ antreaProxy:
# will only handle Services without the "service.kubernetes.io/service-proxy-name"
# label, but ignore Services with the label no matter what is the value.
serviceProxyName: ""
# -- Determines how external traffic is processed when it's load balanced across Nodes by default. It must be one of "nat" or
# "dsr".
# -- Determines how external traffic is processed when it's load balanced
# across Nodes by default. It must be one of "nat" or "dsr".
defaultLoadBalancerMode: "nat"

nodeIPAM:
Expand Down Expand Up @@ -155,8 +156,8 @@ auditLogging:
# -- Address of Kubernetes apiserver, to override any value provided in
# kubeconfig or InClusterConfig.
kubeAPIServerOverride: ""
# -- Address of DNS server, to override the kube-dns service. It's used to
# resolve hostname in FQDN policy.
# -- Address of DNS server, to override the kube-dns Service. It's used to
# resolve hostnames in a FQDN policy.
dnsServerOverride: ""
# -- IPv4 CIDR range used for Services. Required when AntreaProxy is disabled.
serviceCIDR: ""
Expand All @@ -180,6 +181,15 @@ clientCAFile: ""
# key and a boolean as the value.
featureGates: {}

secondaryNetwork:
# -- Configuration of OVS bridges for secondary network. At the moment, at
# most one OVS bridge can be specified. If the specified bridge does not exist
# on the Node, antrea-agent will create it based on the configuration.
# The following configuration specifies an OVS bridge with name "br1" and a
# physical interface "eth1":
# [{bridgeName: "br1", physicalInterfaces: ["eth1"]}]
ovsBridges: []

agent:
# -- Port for the antrea-agent APIServer to serve on.
apiPort: 10350
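Review bot: the comment on secondaryNetwork.ovsBridges does not say that the setting only takes effect when featureGates.SecondaryNetwork is enabled; the conf template emits the secondaryNetwork section only under that gate, so a user who fills in ovsBridges without enabling the gate gets no bridge, no rendered section and no error. Either state the dependency in this comment or make the template `fail` when ovsBridges is non-empty and the gate is off, so the misconfiguration surfaces at render time rather than as a missing bridge on the Node.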
Expand Down
15 changes: 8 additions & 7 deletions build/yamls/antrea-aks.yml
Expand Up @@ -5698,14 +5698,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -6818,7 +6819,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: e982ae7bedfa361f13e134516243f3c8d566b9297abc58f51c9cd1b637739790
checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -7059,7 +7060,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: e982ae7bedfa361f13e134516243f3c8d566b9297abc58f51c9cd1b637739790
checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428
labels:
app: antrea
component: antrea-controller
Expand Down
15 changes: 8 additions & 7 deletions build/yamls/antrea-eks.yml
Expand Up @@ -5698,14 +5698,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -6818,7 +6819,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: e982ae7bedfa361f13e134516243f3c8d566b9297abc58f51c9cd1b637739790
checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -7060,7 +7061,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: e982ae7bedfa361f13e134516243f3c8d566b9297abc58f51c9cd1b637739790
checksum/config: a3168b9ac447a8852280ded74b420b5afa9cc2f6fca169e3e2da6e44b9e96428
labels:
app: antrea
component: antrea-controller
Expand Down
15 changes: 8 additions & 7 deletions build/yamls/antrea-gke.yml
Expand Up @@ -5698,14 +5698,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -6818,7 +6819,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 977cc5c6179f9ac01800457f4549f2783876dd94f2eaf165085808b742019cc1
checksum/config: 1be8ab6f39c7b1d3742d49f9614a5fae317932ce2cc7b2473cc12a920f13641d
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -7057,7 +7058,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 977cc5c6179f9ac01800457f4549f2783876dd94f2eaf165085808b742019cc1
checksum/config: 1be8ab6f39c7b1d3742d49f9614a5fae317932ce2cc7b2473cc12a920f13641d
labels:
app: antrea
component: antrea-controller
Expand Down
15 changes: 8 additions & 7 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -5711,14 +5711,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -6831,7 +6832,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 754b9e45b24d9a03a6be907d1dda1966a84598841e871bfa624932e11aeb739f
checksum/config: 9d2ce5aebdb9b1a668615a90578317745bafc6052b7c29431fd009a0ba65d62a
checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
labels:
app: antrea
Expand Down Expand Up @@ -7116,7 +7117,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 754b9e45b24d9a03a6be907d1dda1966a84598841e871bfa624932e11aeb739f
checksum/config: 9d2ce5aebdb9b1a668615a90578317745bafc6052b7c29431fd009a0ba65d62a
labels:
app: antrea
component: antrea-controller
Expand Down
15 changes: 8 additions & 7 deletions build/yamls/antrea.yml
Expand Up @@ -5698,14 +5698,15 @@ data:
# directed to that port will be forwarded to the Pod.
portRange: "61000-62000"
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or
# InClusterConfig. It is typically used when kube-proxy is not deployed (replaced by AntreaProxy).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: ""
# Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
# [fd00:10:96::a]:53).
# Provide the address of DNS server, to override the kube-dns Service. It's used to resolve
# hostnames in a FQDN policy.
# Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10,
# 10.96.0.10:53, [fd00:10:96::a]:53).
dnsServerOverride: ""
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
Expand Down Expand Up @@ -6818,7 +6819,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 7218db7d40a2ba0043ebc518f71ed1e5c38a715360a732492ae762964e11c884
checksum/config: cc9b64c3b915bfd5a500d76f39a5b650f86819e144dbccea5019b4ecd4192292
labels:
app: antrea
component: antrea-agent
Expand Down Expand Up @@ -7057,7 +7058,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
checksum/config: 7218db7d40a2ba0043ebc518f71ed1e5c38a715360a732492ae762964e11c884
checksum/config: cc9b64c3b915bfd5a500d76f39a5b650f86819e144dbccea5019b4ecd4192292
labels:
app: antrea
component: antrea-controller
Expand Down

0 comments on commit 8ac8a91
