Multicluster dataplane change for Service access

build/charts/antrea/README.md

@@ -82,6 +82,8 @@ Kubernetes: `>= 1.16.0-0`
 | logVerbosity | int | `0` |  |
 | multicast.igmpQueryInterval | string | `"125s"` | The interval at which the antrea-agent sends IGMP queries to Pods. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
 | multicast.multicastInterfaces | list | `[]` | Names of the interfaces on Nodes that are used to forward multicast traffic. |
+| multicluster.enable | bool | `false` | Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. This feature is supported only with encap mode. |
+| multicluster.namespace | string | `""` | The Namespace where Antrea Multi-cluster Controller is running. The default is antrea-agent's Namespace. |
 | noSNAT | bool | `false` | Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. |
 | nodeIPAM.clusterCIDRs | list | `[]` | CIDR ranges to use when allocating Pod IP addresses. |
 | nodeIPAM.enable | bool | `false` | Enable Node IPAM in Antrea |

build/charts/antrea/conf/antrea-agent.conf

@@ -39,6 +39,10 @@ featureGates:
 # Enable multicast traffic. This feature is supported only with noEncap mode.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicast" "default" false) }}
 
+# Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+# This feature is supported only with encap mode.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicluster" "default" false) }}
+
 # Enable support for provisioning secondary network interfaces for Pods (using
 # Pod annotations). At the moment, Antrea can only create secondary network
 # interfaces using SR-IOV VFs on baremetal Nodes.
@@ -292,3 +296,13 @@ ipsec:
   #                  feature gate to be enabled.
   authenticationMode: {{ .authenticationMode | quote }}
 {{- end }}
+
+multicluster:
+{{- with .Values.multicluster }}
+# Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+# This feature is supported only with encap mode.
+  enable: {{ .enable }}
+# The Namespace where Antrea Multi-cluster Controller is running.
+# The default is antrea-agent's Namespace.
+  namespace: {{ .namespace | quote }}
+{{- end }}

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -189,3 +189,19 @@ rules:
       - watch
       - list
       - create
+  - apiGroups:
+    - multicluster.crd.antrea.io
+    resources:
+    - gateways
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - multicluster.crd.antrea.io
+    resources:
+    - clusterinfoimports
+    verbs:
+    - get
+    - list
+    - watch

build/charts/antrea/values.yaml

@@ -281,6 +281,15 @@ logVerbosity: 0
 whereabouts:
   enable: false
 
+## -- Configure Multicluster, for use by the antrea-agent.
+multicluster:
+  # -- Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+  # This feature is supported only with encap mode.
+  enable: false
+  # -- The Namespace where Antrea Multi-cluster Controller is running.
+  # The default is antrea-agent's Namespace.
+  namespace: ""
+
 testing:
   ## -- enable code coverage measurement (used when testing Antrea only).
   coverage: false

build/yamls/antrea-aks.yml

@@ -97,6 +97,10 @@ data:
     # Enable multicast traffic. This feature is supported only with noEncap mode.
     #  Multicast: false
 
+    # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+    # This feature is supported only with encap mode.
+    #  Multicluster: false
+
     # Enable support for provisioning secondary network interfaces for Pods (using
     # Pod annotations). At the moment, Antrea can only create secondary network
     # interfaces using SR-IOV VFs on baremetal Nodes.
@@ -323,6 +327,14 @@ data:
       # - cert:          Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
       #                  feature gate to be enabled.
       authenticationMode: "psk"
+
+    multicluster:
+    # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+    # This feature is supported only with encap mode.
+      enable: false
+    # The Namespace where Antrea Multi-cluster Controller is running.
+    # The default is antrea-agent's Namespace.
+      namespace: ""
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3033,6 +3045,22 @@ rules:
       - watch
       - list
       - create
+  - apiGroups:
+    - multicluster.crd.antrea.io
+    resources:
+    - gateways
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - multicluster.crd.antrea.io
+    resources:
+    - clusterinfoimports
+    verbs:
+    - get
+    - list
+    - watch
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -3569,7 +3597,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 215e06b9ae507e0bf11e6da239908ee60b07bc419310825f504208e87815f0eb
+        checksum/config: 1ede67e825b3122edca49b4f5bbb8932a921260b686a02c10c8889de24c8ae0f
       labels:
         app: antrea
         component: antrea-agent
@@ -3809,7 +3837,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 215e06b9ae507e0bf11e6da239908ee60b07bc419310825f504208e87815f0eb
+        checksum/config: 1ede67e825b3122edca49b4f5bbb8932a921260b686a02c10c8889de24c8ae0f
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -97,6 +97,10 @@ data:
     # Enable multicast traffic. This feature is supported only with noEncap mode.
     #  Multicast: false
 
+    # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+    # This feature is supported only with encap mode.
+    #  Multicluster: false
+
     # Enable support for provisioning secondary network interfaces for Pods (using
     # Pod annotations). At the moment, Antrea can only create secondary network
     # interfaces using SR-IOV VFs on baremetal Nodes.
@@ -323,6 +327,14 @@ data:
       # - cert:          Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
       #                  feature gate to be enabled.
       authenticationMode: "psk"
+
+    multicluster:
+    # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+    # This feature is supported only with encap mode.
+      enable: false
+    # The Namespace where Antrea Multi-cluster Controller is running.
+    # The default is antrea-agent's Namespace.
+      namespace: ""
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3033,6 +3045,22 @@ rules:
       - watch
       - list
       - create
+  - apiGroups:
+    - multicluster.crd.antrea.io
+    resources:
+    - gateways
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - multicluster.crd.antrea.io
+    resources:
+    - clusterinfoimports
+    verbs:
+    - get
+    - list
+    - watch
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -3569,7 +3597,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 215e06b9ae507e0bf11e6da239908ee60b07bc419310825f504208e87815f0eb
+        checksum/config: 1ede67e825b3122edca49b4f5bbb8932a921260b686a02c10c8889de24c8ae0f
       labels:
         app: antrea
         component: antrea-agent
@@ -3811,7 +3839,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 215e06b9ae507e0bf11e6da239908ee60b07bc419310825f504208e87815f0eb
+        checksum/config: 1ede67e825b3122edca49b4f5bbb8932a921260b686a02c10c8889de24c8ae0f
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -97,6 +97,10 @@ data:
     # Enable multicast traffic. This feature is supported only with noEncap mode.
     #  Multicast: false
 
+    # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+    # This feature is supported only with encap mode.
+    #  Multicluster: false
+
     # Enable support for provisioning secondary network interfaces for Pods (using
     # Pod annotations). At the moment, Antrea can only create secondary network
     # interfaces using SR-IOV VFs on baremetal Nodes.
@@ -323,6 +327,14 @@ data:
       # - cert:          Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
       #                  feature gate to be enabled.
       authenticationMode: "psk"
+
+    multicluster:
+    # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+    # This feature is supported only with encap mode.
+      enable: false
+    # The Namespace where Antrea Multi-cluster Controller is running.
+    # The default is antrea-agent's Namespace.
+      namespace: ""
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3033,6 +3045,22 @@ rules:
       - watch
       - list
       - create
+  - apiGroups:
+    - multicluster.crd.antrea.io
+    resources:
+    - gateways
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - multicluster.crd.antrea.io
+    resources:
+    - clusterinfoimports
+    verbs:
+    - get
+    - list
+    - watch
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -3569,7 +3597,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 9b30c1a8c106bef23da9374bbf18b11a72b5cf96532c2941ca0a11e5af48d2e6
+        checksum/config: 2f5a57b910bfb442df5abb3268308a3f4ad8f69d506e4281dddad39dab334690
       labels:
         app: antrea
         component: antrea-agent
@@ -3809,7 +3837,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 9b30c1a8c106bef23da9374bbf18b11a72b5cf96532c2941ca0a11e5af48d2e6
+        checksum/config: 2f5a57b910bfb442df5abb3268308a3f4ad8f69d506e4281dddad39dab334690
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -110,6 +110,10 @@ data:
     # Enable multicast traffic. This feature is supported only with noEncap mode.
     #  Multicast: false
 
+    # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+    # This feature is supported only with encap mode.
+    #  Multicluster: false
+
     # Enable support for provisioning secondary network interfaces for Pods (using
     # Pod annotations). At the moment, Antrea can only create secondary network
     # interfaces using SR-IOV VFs on baremetal Nodes.
@@ -336,6 +340,14 @@ data:
       # - cert:          Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
       #                  feature gate to be enabled.
       authenticationMode: "psk"
+
+    multicluster:
+    # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+    # This feature is supported only with encap mode.
+      enable: false
+    # The Namespace where Antrea Multi-cluster Controller is running.
+    # The default is antrea-agent's Namespace.
+      namespace: ""
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -3046,6 +3058,22 @@ rules:
       - watch
       - list
       - create
+  - apiGroups:
+    - multicluster.crd.antrea.io
+    resources:
+    - gateways
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - multicluster.crd.antrea.io
+    resources:
+    - clusterinfoimports
+    verbs:
+    - get
+    - list
+    - watch
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -3582,7 +3610,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 97fb99b7b2d8e9a0a5a6075dc109ea93d55b9ff3b6dc06af72fdfbaabec1d97b
+        checksum/config: 009306e63cddc96c9dd51d20543783c6a94e9859581dc9db4dffacc8a78976bc
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -3868,7 +3896,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 97fb99b7b2d8e9a0a5a6075dc109ea93d55b9ff3b6dc06af72fdfbaabec1d97b
+        checksum/config: 009306e63cddc96c9dd51d20543783c6a94e9859581dc9db4dffacc8a78976bc
       labels:
         app: antrea
         component: antrea-controller