From 8c8730265f4fc306f9e2b6d3e0f7ac880eecea42 Mon Sep 17 00:00:00 2001 From: Antonin Bas Date: Wed, 27 Oct 2021 10:23:27 -0700 Subject: [PATCH] Graduate NodePortLocal feature from Alpha to Beta (#2924) NodePortLocal will be graduated to Beta and its feature gate enabled by default starting with v1.4. In order to avoid CPU & memory overhead in the K8s control plane and in the Antrea Agent, a configuration parameter is provided (in addition to the feature gate) to control enablement of the feature. All NPL options (enable and portRange) are grouped under one top-level config option (nodePortLocal) like we have done for other features. By default, the feature itself remains disabled and nodePortLocal.enable needs to be set to true. Note that eventually the feature gate will go GA and the config option will be the only way to enable / disable NPL. On the e2e test side, we follow the same logic as for other Beta features: if the feature has been disabled, we skip all the relevant tests that depend on that feature instead of updating the ConfigMap as part of the test (which is the approach we take for Alpha features). The NPL e2e tests still need to update the ConfigMap to enable the feature and change the portRange. This commit changes the mutateAntreaConfigMap so that the function is a no-op in case there is no actual change. Fixes #2923
Signed-off-by: Antonin Bas --- build/yamls/antrea-aks.yml | 26 +++--- build/yamls/antrea-eks.yml | 26 +++--- build/yamls/antrea-gke.yml | 26 +++--- build/yamls/antrea-ipsec.yml | 26 +++--- build/yamls/antrea.yml | 26 +++--- build/yamls/base/conf/antrea-agent.conf | 18 ++-- cmd/antrea-agent/agent.go | 7 +- cmd/antrea-agent/config.go | 21 ++++- cmd/antrea-agent/options.go | 21 ++++- cmd/antrea-agent/util.go | 25 ++++++ docs/feature-gates.md | 2 +- docs/node-port-local.md | 47 ++++++++--- pkg/agent/nodeportlocal/npl_agent_init.go | 15 ++-- .../nodeportlocal/npl_agent_init_windows.go | 8 +- pkg/agent/nodeportlocal/util/parse_port.go | 22 ----- .../handlers/featuregates/handler_test.go | 4 +- pkg/features/antrea_features.go | 3 +- test/e2e/egress_test.go | 4 +- test/e2e/framework.go | 84 +++++++++++++------ test/e2e/framework_test.go | 43 ++++++++-- test/e2e/nodeportlocal_test.go | 59 ++++++++----- test/e2e/security_test.go | 2 +- test/e2e/tls_test.go | 8 +- test/e2e/wireguard_test.go | 4 +- 24 files changed, 350 insertions(+), 177 deletions(-) diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml index d095f4f2374..0bb1b19d92e 100644 --- a/build/yamls/antrea-aks.yml +++ b/build/yamls/antrea-aks.yml @@ -3849,8 +3849,8 @@ data: # Enable traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true - # Enable NodePortLocal feature to make the pods reachable externally through NodePort - # NodePortLocal: false + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy 
@@ -3977,10 +3977,16 @@ data: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned - # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), - # and all Node traffic directed to that port will be forwarded to the Pod. - #nplPortRange: 61000-62000 + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + # enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + # portRange: 61000-62000 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. @@ -4135,7 +4141,7 @@ metadata: annotations: {} labels: app: antrea - name: antrea-config-dttf6969bm + name: antrea-config-2t22kh7hm4 namespace: kube-system --- apiVersion: v1 @@ -4206,7 +4212,7 @@ spec: fieldRef: fieldPath: spec.serviceAccountName - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-dttf6969bm + value: antrea-config-2t22kh7hm4 image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest imagePullPolicy: IfNotPresent livenessProbe: 
@@ -4257,7 +4263,7 @@ spec: key: node-role.kubernetes.io/master volumes: - configMap: - name: antrea-config-dttf6969bm + name: antrea-config-2t22kh7hm4 name: antrea-config - name: antrea-controller-tls secret: @@ -4538,7 +4544,7 @@ spec: operator: Exists volumes: - configMap: - name: antrea-config-dttf6969bm + name: antrea-config-2t22kh7hm4 name: antrea-config - hostPath: path: /etc/cni/net.d diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index 348721bc7ab..22a19b14d5b 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml @@ -3849,8 +3849,8 @@ data: # Enable traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true - # Enable NodePortLocal feature to make the pods reachable externally through NodePort - # NodePortLocal: false + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy 
@@ -3977,10 +3977,16 @@ data: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned - # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), - # and all Node traffic directed to that port will be forwarded to the Pod. - #nplPortRange: 61000-62000 + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + # enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + # portRange: 61000-62000 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. @@ -4135,7 +4141,7 @@ metadata: annotations: {} labels: app: antrea - name: antrea-config-dttf6969bm + name: antrea-config-2t22kh7hm4 namespace: kube-system --- apiVersion: v1 @@ -4206,7 +4212,7 @@ spec: fieldRef: fieldPath: spec.serviceAccountName - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-dttf6969bm + value: antrea-config-2t22kh7hm4 image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest imagePullPolicy: IfNotPresent livenessProbe: 
@@ -4257,7 +4263,7 @@ spec: key: node-role.kubernetes.io/master volumes: - configMap: - name: antrea-config-dttf6969bm + name: antrea-config-2t22kh7hm4 name: antrea-config - name: antrea-controller-tls secret: @@ -4540,7 +4546,7 @@ spec: operator: Exists volumes: - configMap: - name: antrea-config-dttf6969bm + name: antrea-config-2t22kh7hm4 name: antrea-config - hostPath: path: /etc/cni/net.d diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index 7f3a50ac1ca..648f5026d0f 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml @@ -3849,8 +3849,8 @@ data: # Enable traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true - # Enable NodePortLocal feature to make the pods reachable externally through NodePort - # NodePortLocal: false + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy 
@@ -3977,10 +3977,16 @@ data: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned - # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), - # and all Node traffic directed to that port will be forwarded to the Pod. - #nplPortRange: 61000-62000 + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + # enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + # portRange: 61000-62000 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. @@ -4135,7 +4141,7 @@ metadata: annotations: {} labels: app: antrea - name: antrea-config-2f6h926k9h + name: antrea-config-fgt5gkhtf5 namespace: kube-system --- apiVersion: v1 @@ -4206,7 +4212,7 @@ spec: fieldRef: fieldPath: spec.serviceAccountName - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-2f6h926k9h + value: antrea-config-fgt5gkhtf5 image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest imagePullPolicy: IfNotPresent livenessProbe: 
@@ -4257,7 +4263,7 @@ spec: key: node-role.kubernetes.io/master volumes: - configMap: - name: antrea-config-2f6h926k9h + name: antrea-config-fgt5gkhtf5 name: antrea-config - name: antrea-controller-tls secret: @@ -4541,7 +4547,7 @@ spec: path: /home/kubernetes/bin name: host-cni-bin - configMap: - name: antrea-config-2f6h926k9h + name: antrea-config-fgt5gkhtf5 name: antrea-config - hostPath: path: /etc/cni/net.d diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index 09f35c889b4..42ae217f161 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml @@ -3849,8 +3849,8 @@ data: # Enable traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true - # Enable NodePortLocal feature to make the pods reachable externally through NodePort - # NodePortLocal: false + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy 
@@ -3982,10 +3982,16 @@ data: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned - # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), - # and all Node traffic directed to that port will be forwarded to the Pod. - #nplPortRange: 61000-62000 + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + # enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + # portRange: 61000-62000 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. @@ -4140,7 +4146,7 @@ metadata: annotations: {} labels: app: antrea - name: antrea-config-7chtf92g54 + name: antrea-config-7499thbtth namespace: kube-system --- apiVersion: v1 @@ -4220,7 +4226,7 @@ spec: fieldRef: fieldPath: spec.serviceAccountName - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-7chtf92g54 + value: antrea-config-7499thbtth image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest imagePullPolicy: IfNotPresent livenessProbe: 
@@ -4271,7 +4277,7 @@ spec: key: node-role.kubernetes.io/master volumes: - configMap: - name: antrea-config-7chtf92g54 + name: antrea-config-7499thbtth name: antrea-config - name: antrea-controller-tls secret: @@ -4587,7 +4593,7 @@ spec: operator: Exists volumes: - configMap: - name: antrea-config-7chtf92g54 + name: antrea-config-7499thbtth name: antrea-config - hostPath: path: /etc/cni/net.d diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index edfe85c5a51..3e04e055981 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml @@ -3849,8 +3849,8 @@ data: # Enable traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true - # Enable NodePortLocal feature to make the pods reachable externally through NodePort - # NodePortLocal: false + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy 
@@ -3982,10 +3982,16 @@ data: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned - # whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), - # and all Node traffic directed to that port will be forwarded to the Pod. - #nplPortRange: 61000-62000 + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + # enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + # portRange: 61000-62000 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. @@ -4140,7 +4146,7 @@ metadata: annotations: {} labels: app: antrea - name: antrea-config-5985d9c7h2 + name: antrea-config-7ddkdg8fcf namespace: kube-system --- apiVersion: v1 @@ -4211,7 +4217,7 @@ spec: fieldRef: fieldPath: spec.serviceAccountName - name: ANTREA_CONFIG_MAP_NAME - value: antrea-config-5985d9c7h2 + value: antrea-config-7ddkdg8fcf image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest imagePullPolicy: IfNotPresent livenessProbe: 
@@ -4262,7 +4268,7 @@ spec: key: node-role.kubernetes.io/master volumes: - configMap: - name: antrea-config-5985d9c7h2 + name: antrea-config-7ddkdg8fcf name: antrea-config - name: antrea-controller-tls secret: @@ -4543,7 +4549,7 @@ spec: operator: Exists volumes: - configMap: - name: antrea-config-5985d9c7h2 + name: antrea-config-7ddkdg8fcf name: antrea-config - hostPath: path: /etc/cni/net.d diff --git a/build/yamls/base/conf/antrea-agent.conf b/build/yamls/base/conf/antrea-agent.conf index 692bdaca632..6b5bbc0d267 100644 --- a/build/yamls/base/conf/antrea-agent.conf +++ b/build/yamls/base/conf/antrea-agent.conf @@ -13,8 +13,8 @@ featureGates: # Enable traceflow which provides packet tracing feature to diagnose network issue. # Traceflow: true -# Enable NodePortLocal feature to make the pods reachable externally through NodePort -# NodePortLocal: false +# Enable NodePortLocal feature to make the Pods reachable externally through NodePort +# NodePortLocal: true # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy 
@@ -146,10 +146,16 @@ egress: # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". #idleFlowExportTimeout: "15s" -# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned -# whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports), -# and all Node traffic directed to that port will be forwarded to the Pod. -#nplPortRange: 61000-62000 +nodePortLocal: +# Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To +# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature +# gate is also enabled (which is the default). +# enable: false +# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port +# from that range will be assigned whenever a Pod's container defines a specific port to be exposed +# (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic +# directed to that port will be forwarded to the Pod. +# portRange: 61000-62000 # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. diff --git a/cmd/antrea-agent/agent.go b/cmd/antrea-agent/agent.go index ed9389faf12..0d0a73a39d6 100644 --- a/cmd/antrea-agent/agent.go +++ b/cmd/antrea-agent/agent.go 
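Review bot: The new `portRange` comment says what the range is used for but not what it must stay clear of, even though every port in it becomes a host-wide forward into a Pod on that Node. The default `61000-62000` sits just above the Linux ephemeral range (`net.ipv4.ip_local_port_range`, typically 32768-60999), presumably by design, and a range that overlaps the Node's ephemeral ports or the cluster's Service NodePort range would let NPL forwards compete with other listeners on the Node; nothing in the agent validates that. I would add after the existing range comment: `# The range must not overlap the Node's ephemeral port range (net.ipv4.ip_local_port_range) or the` / `# cluster's Service NodePort range, since traffic to these Node ports is forwarded into Pods.` The same lines belong in the generated manifests and in the godoc of NodePortLocalConfig.PortRange.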
@@ -122,7 +122,7 @@ func run(o *Options) error {
 _, encapMode := config.GetTrafficEncapModeFromStr(o.config.TrafficEncapMode)
 _, encryptionMode := config.GetTrafficEncryptionModeFromStr(o.config.TrafficEncryptionMode)
 if o.config.EnableIPSecTunnel {
- klog.Warning("enableIPSecTunnel is deprecated, use trafficEncryptionMode instead.")
+ klog.InfoS("enableIPSecTunnel is deprecated, use trafficEncryptionMode instead.")
 encryptionMode = config.TrafficEncryptionModeIPSec
 }
 networkConfig := &config.NetworkConfig{
@@ -347,11 +347,12 @@ func run(o *Options) error {
 }
 
 // Start the NPL agent.
- if features.DefaultFeatureGate.Enabled(features.NodePortLocal) {
+ if features.DefaultFeatureGate.Enabled(features.NodePortLocal) && o.config.NodePortLocal.Enable {
 nplController, err := npl.InitializeNPLAgent(
 k8sClient,
 informerFactory,
- o.config.NPLPortRange,
+ o.nplStartPort,
+ o.nplEndPort,
 nodeConfig.Name)
 if err != nil {
 return fmt.Errorf("failed to start NPL agent: %v", err)
diff --git a/cmd/antrea-agent/config.go b/cmd/antrea-agent/config.go
index f11637d3504..5f3c5c0ac5a 100644
--- a/cmd/antrea-agent/config.go
+++ b/cmd/antrea-agent/config.go
@@ -100,7 +100,7 @@ type AgentConfig struct {
 // variable: ANTREA_IPSEC_PSK.
 // - wireguard: Enable WireGuard for tunnel traffic encryption.
 TrafficEncryptionMode string `yaml:"trafficEncryptionMode,omitempty"`
- // WireGuerd related configurations.
+ // WireGuard related configurations.
 WireGuard WireGuardConfig `yaml:"wireGuard"`
 // APIPort is the port for the antrea-agent APIServer to serve on.
 // Defaults to 10350.
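Review bot: Setting `nodePortLocal.enable` to false skips `InitializeNPLAgent` entirely, so nothing on this path removes host DNAT rules or Pod annotations left behind by a previous agent run that had NPL enabled; if that cleanup lives in the controller's start-up sync (not visible in this hunk), an operator who disables the feature and restarts the agent keeps stale, still-reachable port forwards on the Node. A cleanup call in an `else` branch would close that, or at minimum the branch should say what it leaves behind: `klog.InfoS("NodePortLocal is disabled in the agent configuration; existing NPL rules, if any, are not removed")`, which also mirrors the gate-disabled log that options.go emits for the opposite case. The deprecation message in the first hunk dropped from Warning to InfoS, which is the usual klog structured-logging migration but does lower the severity of a deprecation operators should act on. `run` starts and ends outside these hunks.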
@@ -144,10 +144,10 @@ type AgentConfig struct {
 // Defaults to "15s". Valid time units are "ns", "us" (or "µs"), "ms", "s",
 // "m", "h".
 IdleFlowExportTimeout string `yaml:"idleFlowExportTimeout,omitempty"`
- // Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
- // whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
- // and all Node traffic directed to that port will be forwarded to the Pod.
+ // Deprecated. Use the NodePortLocal config options instead.
 NPLPortRange string `yaml:"nplPortRange,omitempty"`
+ // NodePortLocal (NPL) configuration options.
+ NodePortLocal NodePortLocalConfig `yaml:"nodePortLocal,omitempty"`
 // Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
 // Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
 KubeAPIServerOverride string `yaml:"kubeAPIServerOverride,omitempty"`
@@ -199,6 +199,19 @@ type WireGuardConfig struct {
 Port int `yaml:"port,omitempty"`
 }
 
+type NodePortLocalConfig struct {
+ // Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the
+ // host. To enable this feature, you need to set "enable" to true, and ensure that the
+ // NodePortLocal feature gate is also enabled (which is the default).
+ Enable bool `yaml:"enable,omitempty"`
+ // Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled,
+ // a port from that range will be assigned whenever a Pod's container defines a specific
+ // port to be exposed (each container can define a list of ports as
+ // pod.spec.containers[].ports), and all Node traffic directed to that port will be
+ // forwarded to the Pod.
+ PortRange string `yaml:"portRange,omitempty"`
+}
+
 type EgressConfig struct {
 ExceptCIDRs []string `yaml:"exceptCIDRs,omitempty"`
 }
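Review bot: The replacement comment on `NPLPortRange` reads `// Deprecated. Use the NodePortLocal config options instead.`, which Go tooling (staticcheck, gopls, godoc) does not recognise; the convention is `// Deprecated: use nodePortLocal.portRange instead.` on its own line, and it then surfaces wherever the field is still referenced. The `Enable` godoc also says the feature gate is enabled by default without saying since when, so once the gate is removed the comment will silently go stale; `// NodePortLocal feature gate is also enabled (the default since v1.4).` pins it. `AgentConfig` starts and ends outside the hunk.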
diff --git a/cmd/antrea-agent/options.go b/cmd/antrea-agent/options.go
index 0c4469e79f2..3699efbdd46 100644
--- a/cmd/antrea-agent/options.go
+++ b/cmd/antrea-agent/options.go
@@ -65,6 +65,8 @@ type Options struct {
 idleFlowTimeout time.Duration
 // Stale connection timeout to delete connections if they are not exported.
 staleConnectionTimeout time.Duration
+ nplStartPort int
+ nplEndPort int
 }
 
 func newOptions() *Options {
@@ -164,6 +166,16 @@ func (o *Options) validate(args []string) error {
 }
 }
 }
+ if features.DefaultFeatureGate.Enabled(features.NodePortLocal) {
+ startPort, endPort, err := parsePortRange(o.config.NodePortLocal.PortRange)
+ if err != nil {
+ return fmt.Errorf("NodePortLocal portRange is not valid: %v", err)
+ }
+ o.nplStartPort = startPort
+ o.nplEndPort = endPort
+ } else if o.config.NodePortLocal.Enable {
+ klog.InfoS("The nodePortLocal.enable config option is set to true, but it will be ignored because the NodePortLocal feature gate is disabled")
+ }
 return nil
 }
 
@@ -233,8 +245,13 @@ func (o *Options) setDefaults() {
 }
 
 if features.DefaultFeatureGate.Enabled(features.NodePortLocal) {
- if o.config.NPLPortRange == "" {
- o.config.NPLPortRange = defaultNPLPortRange
+ switch {
+ case o.config.NodePortLocal.PortRange != "":
+ case o.config.NPLPortRange != "":
+ klog.InfoS("The nplPortRange option is deprecated, please use nodePortLocal.portRange instead")
+ o.config.NodePortLocal.PortRange = o.config.NPLPortRange
+ default:
+ o.config.NodePortLocal.PortRange = defaultNPLPortRange
 }
 }
 }
diff --git a/cmd/antrea-agent/util.go b/cmd/antrea-agent/util.go
index e10c2ab8036..cb26dfc963e 100644
--- a/cmd/antrea-agent/util.go
+++ b/cmd/antrea-agent/util.go
@@ -15,7 +15,10 @@ package main
 
 import (
+ "fmt"
 "net"
+ "strconv"
+ "strings"
 
 "antrea.io/antrea/pkg/agent/util"
 )
 
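Review bot: In `setDefaults`, the first `case o.config.NodePortLocal.PortRange != "":` is deliberately empty, so a ConfigMap that carries both the deprecated `nplPortRange` and the new `nodePortLocal.portRange` has the old value ignored without any log line, which is the one situation a migrating operator would want flagged. I would put under that case `if o.config.NPLPortRange != "" {` / `klog.InfoS("Both nplPortRange and nodePortLocal.portRange are set; the deprecated nplPortRange is ignored")` / `}`. Separately, `validate` parses the range whenever the gate is on, regardless of `nodePortLocal.enable`; failing fast on a typo is fine, but with the gate now default-true a malformed `nplPortRange` inherited from an old ConfigMap will abort agent start-up for a feature the cluster is not using, so if that is not intended the parse should also be gated on `o.config.NodePortLocal.Enable`. `validate` and `setDefaults` both start outside their hunks.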
@@ -53,3 +56,25 @@ func getAvailableNodePortAddresses(nodePortAddressesFromConfig []string, exclude return nodePortAddressesIPv4, nodePortAddressesIPv6, nil } + +// parsePortRange parses a port range ("-") and checks that it is valid. +func parsePortRange(portRangeStr string) (start, end int, err error) { + portsRange := strings.Split(portRangeStr, "-") + if len(portsRange) != 2 { + return 0, 0, fmt.Errorf("wrong port range format: %s", portRangeStr) + } + + if start, err = strconv.Atoi(portsRange[0]); err != nil { + return 0, 0, err + } + + if end, err = strconv.Atoi(portsRange[1]); err != nil { + return 0, 0, err + } + + if end <= start { + return 0, 0, fmt.Errorf("start port must be smaller than end port: %s", portRangeStr) + } + + return start, end, nil +} diff --git a/docs/feature-gates.md b/docs/feature-gates.md index 3950caf10ed..f7333b7918d 100644 --- a/docs/feature-gates.md +++ b/docs/feature-gates.md @@ -41,7 +41,7 @@ example, to enable `AntreaProxy` on Linux, edit the Agent configuration in the | `Traceflow` | Agent + Controller | `true` | Beta | v0.8 | v0.11 | N/A | Yes | | | `FlowExporter` | Agent | `false` | Alpha | v0.9 | N/A | N/A | Yes | | | `NetworkPolicyStats` | Agent + Controller | `true` | Beta | v0.10 | v1.2 | N/A | No | | -| `NodePortLocal` | Agent | `false` | Alpha | v0.13 | N/A | N/A | Yes | Important user-facing change in v1.2.0 | +| `NodePortLocal` | Agent | `true` | Beta | v0.13 | v1.4 | N/A | Yes | Important user-facing change in v1.2.0 | | `Egress` | Agent + Controller | `false` | Alpha | v1.0 | N/A | N/A | Yes | | | `NodeIPAM` | Controller | `false` | Alpha | v1.4 | N/A | N/A | Yes | | diff --git a/docs/node-port-local.md b/docs/node-port-local.md index 619e4d5c506..352aa6c5b7d 100644 --- a/docs/node-port-local.md +++ b/docs/node-port-local.md 
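Review bot: `parsePortRange` checks order but not bounds, so `0-70000` or `+1-65536` pass validation and reach `portcache.NewPortTable` with values that are not valid TCP/UDP ports; whether that constructor rejects them is not visible here, and these are the ports the agent installs host DNAT rules for. I would add after the `end <= start` check: `if start < 1 || end > 65535 {` / `return 0, 0, fmt.Errorf("port range %s must be within 1-65535", portRangeStr)` / `}`. The diffstat shows no `cmd/antrea-agent/util_test.go`, so the parser moved out of `pkg/agent/nodeportlocal/util` without bringing any unit test with it; a table test covering the malformed, reversed and out-of-range cases would be cheap. Note that `strconv.Atoi` also accepts a leading `+`, which the documented format does not suggest; `strconv.ParseUint(s, 10, 16)` would reject both the sign and values above 65535 in one step.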
@@ -6,6 +6,7 @@ - [What is NodePortLocal?](#what-is-nodeportlocal) - [Prerequisites](#prerequisites) - [Usage](#usage) + - [Usage pre Antrea v1.4](#usage-pre-antrea-v14) - [Usage pre Antrea v1.2](#usage-pre-antrea-v12) - [Limitations](#limitations) 
@@ -23,23 +24,42 @@ directly to backend Pods. ## Prerequisites -NodePortLocal was introduced in v0.13 as an alpha feature. As with other alpha -features, a feature gate, `NodePortLocal`, must be enabled on the antrea-agent -for the feature to work. +NodePortLocal was introduced in v0.13 as an alpha feature, and was graduated to +beta in v1.4, at which time it was enabled by default. Prior to v1.4, a feature +gate, `NodePortLocal`, must be enabled on the antrea-agent for the feature to +work. ## Usage -In addition to enabling the NodePortLocal feature gate, the value of -`nplPortRange` can be set in the Antrea Agent configuration through the -ConfigMap. Ports from a Node will be allocated from the range of ports specified -in `nplPortRange`. If the value of `nplPortRange` is not specified, the range -`61000-62000` will be used by default. +In addition to enabling the NodePortLocal feature gate (if needed), you need to +ensure that the `nodePortLocal.enable` flag is set to true in the Antrea Agent +configuration. The `nodePortLocal.portRange` parameter can also be set to change +the range from which Node ports will be allocated. Otherwise, the default range +of `61000-62000` will be used by default. When using the NodePortLocal feature, +your `antrea-agent` ConfigMap should look like this: + +```yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: antrea-config-dcfb6k2hkm + namespace: kube-system +data: + antrea-agent.conf: | + featureGates: + # True by default starting with Antrea v1.4 + # NodePortLocal: true + nodePortLocal: + enable: true + # Uncomment if you need to change the port range. + # portRange: 61000-62000 +``` Pods can be selected for `NodePortLocal` by tagging a Service with annotation: `nodeportlocal.antrea.io/enabled: "true"`. Consequently, `NodePortLocal` is enabled for all the Pods which are selected by the Service through a selector, and the ports of these Pods will be reachable through Node ports allocated from -the `nplPortRange`. 
The selected Pods will be annotated with the details about +the port range. The selected Pods will be annotated with the details about allocated Node port(s) for the Pod. For example, given the following Service and Deployment definitions: @@ -99,6 +119,13 @@ metadata: This annotation indicates that port 8080 of the Pod can be reached through port 61002 of the Node with IP Address 10.10.10.10. +### Usage pre Antrea v1.4 + +Prior to the Antrea v1.4 minor release, the `nodePortLocal` option group in the +Antrea Agent configuration did not exist. To enable the NodePortLocal feature, +one simply needed to enable the feature gate, and the port range could be +configured using the (now deprecated) `nplPortRange` parameter. + ### Usage pre Antrea v1.2 Prior to the Antrea v1.2 minor release, the NodePortLocal feature suffered from @@ -141,4 +168,4 @@ mapped. ## Limitations This feature is currently only supported for Nodes running Linux with IPv4 -addresses. Only TCP Service ports are supported. +addresses. Only TCP & UDP Service ports are supported (not SCTP). diff --git a/pkg/agent/nodeportlocal/npl_agent_init.go b/pkg/agent/nodeportlocal/npl_agent_init.go index e471243aec2..fc2c424bd5b 100644 --- a/pkg/agent/nodeportlocal/npl_agent_init.go +++ b/pkg/agent/nodeportlocal/npl_agent_init.go @@ -23,7 +23,6 @@ import ( nplk8s "antrea.io/antrea/pkg/agent/nodeportlocal/k8s" "antrea.io/antrea/pkg/agent/nodeportlocal/portcache" - "antrea.io/antrea/pkg/agent/nodeportlocal/util" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/fields" 
@@ -40,12 +39,14 @@ const resyncPeriod = 0 * time.Minute // InitializeNPLAgent initializes the NodePortLocal agent. // It sets up event handlers to handle Pod add, update and delete events. // When a Pod gets created, a free Node port is obtained from the port table cache and a DNAT rule is added to NAT traffic to the Pod's ip:port. -func InitializeNPLAgent(kubeClient clientset.Interface, informerFactory informers.SharedInformerFactory, portRange, nodeName string) (*nplk8s.NPLController, error) { - start, end, err := util.ParsePortsRange(portRange) - if err != nil { - return nil, fmt.Errorf("error while fetching port range: %v", err) - } - portTable, err := portcache.NewPortTable(start, end) +func InitializeNPLAgent( + kubeClient clientset.Interface, + informerFactory informers.SharedInformerFactory, + startPort int, + endPort int, + nodeName string, +) (*nplk8s.NPLController, error) { + portTable, err := portcache.NewPortTable(startPort, endPort) if err != nil { return nil, fmt.Errorf("error when initializing NodePortLocal port table: %v", err) } diff --git a/pkg/agent/nodeportlocal/npl_agent_init_windows.go b/pkg/agent/nodeportlocal/npl_agent_init_windows.go index b7c18ccde7e..7746822d893 100644 --- a/pkg/agent/nodeportlocal/npl_agent_init_windows.go +++ b/pkg/agent/nodeportlocal/npl_agent_init_windows.go @@ -26,7 +26,13 @@ import ( // InitializeNPLAgent starts NodePortLocal (NPL) agent. // Currently NPL is disabled for windows. -func InitializeNPLAgent(kubeClient clientset.Interface, informerFactory informers.SharedInformerFactory, portRange, nodeName string) (*windowsCtrl, error) { +func InitializeNPLAgent( + kubeClient clientset.Interface, + informerFactory informers.SharedInformerFactory, + startPort int, + endPort int, + nodeName string, +) (*windowsCtrl, error) { return nil, errors.New("Windows Platform not supported for NPL") } 
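Review bot: The doc comment above `InitializeNPLAgent` was not updated for the new `startPort`/`endPort` parameters, and the range validation that `util.ParsePortsRange` used to perform here is gone, so the function now relies entirely on the caller (and on `portcache.NewPortTable`, whose checks are not visible in this diff) to reject an inverted or out-of-range pair. Suggest recording that contract in the comment, e.g. `// startPort and endPort delimit the Node port range to allocate from; the caller must have already validated them (startPort < endPort).` If `NewPortTable` does not itself reject `endPort <= startPort`, a one-line guard returning an error here would preserve the previous behavior. The rest of the function body continues past the hunk.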
diff --git a/pkg/agent/nodeportlocal/util/parse_port.go b/pkg/agent/nodeportlocal/util/parse_port.go index 5dd967e43d0..f917666043e 100644 --- a/pkg/agent/nodeportlocal/util/parse_port.go +++ b/pkg/agent/nodeportlocal/util/parse_port.go @@ -24,28 +24,6 @@ const ( delim = ":" ) -// ParsePortsRange parses port range and checks if valid. -func ParsePortsRange(portRangeConfig string) (start, end int, err error) { - portsRange := strings.Split(portRangeConfig, "-") - if len(portsRange) != 2 { - return 0, 0, fmt.Errorf("wrong port range format: %s", portRangeConfig) - } - - if start, err = strconv.Atoi(portsRange[0]); err != nil { - return 0, 0, err - } - - if end, err = strconv.Atoi(portsRange[1]); err != nil { - return 0, 0, err - } - - if end <= start { - return 0, 0, fmt.Errorf("invalid port range: %s", portRangeConfig) - } - - return start, end, nil -} - // BuildPortProto creates a single string using port and protocol separated by a delimiter. func BuildPortProto(port, protocol string) string { return fmt.Sprint(port) + delim + strings.ToLower(protocol) diff --git a/pkg/apiserver/handlers/featuregates/handler_test.go b/pkg/apiserver/handlers/featuregates/handler_test.go index d9eca8a3686..0256e099ef7 100644 --- a/pkg/apiserver/handlers/featuregates/handler_test.go +++ b/pkg/apiserver/handlers/featuregates/handler_test.go @@ -52,7 +52,7 @@ func Test_getGatesResponse(t *testing.T) { {Component: "agent", Name: "Traceflow", Status: "Enabled", Version: "BETA"}, {Component: "agent", Name: "FlowExporter", Status: "Disabled", Version: "ALPHA"}, {Component: "agent", Name: "NetworkPolicyStats", Status: "Enabled", Version: "BETA"}, - {Component: "agent", Name: "NodePortLocal", Status: "Disabled", Version: "ALPHA"}, + {Component: "agent", Name: "NodePortLocal", Status: "Enabled", Version: "BETA"}, }, }, } 
@@ -145,7 +145,7 @@ func TestHandleFunc(t *testing.T) { {Component: "agent", Name: "Traceflow", Status: "Enabled", Version: "BETA"}, {Component: "agent", Name: "FlowExporter", Status: "Disabled", Version: "ALPHA"}, {Component: "agent", Name: "NetworkPolicyStats", Status: "Enabled", Version: "BETA"}, - {Component: "agent", Name: "NodePortLocal", Status: "Disabled", Version: "ALPHA"}, + {Component: "agent", Name: "NodePortLocal", Status: "Enabled", Version: "BETA"}, }, }, } diff --git a/pkg/features/antrea_features.go b/pkg/features/antrea_features.go index 4ed927db192..6dfa5734d45 100644 --- a/pkg/features/antrea_features.go +++ b/pkg/features/antrea_features.go @@ -61,6 +61,7 @@ const ( NetworkPolicyStats featuregate.Feature = "NetworkPolicyStats" // alpha: v0.13 + // beta: v1.4 // Expose Pod ports through NodePort NodePortLocal featuregate.Feature = "NodePortLocal" @@ -92,7 +93,7 @@ var ( Traceflow: {Default: true, PreRelease: featuregate.Beta}, FlowExporter: {Default: false, PreRelease: featuregate.Alpha}, NetworkPolicyStats: {Default: true, PreRelease: featuregate.Beta}, - NodePortLocal: {Default: false, PreRelease: featuregate.Alpha}, + NodePortLocal: {Default: true, PreRelease: featuregate.Beta}, NodeIPAM: {Default: false, PreRelease: featuregate.Alpha}, } diff --git a/test/e2e/egress_test.go b/test/e2e/egress_test.go index a5e6d84d0fd..9816420c992 100644 --- a/test/e2e/egress_test.go +++ b/test/e2e/egress_test.go @@ -52,10 +52,10 @@ func TestEgress(t *testing.T) { skipIfEncapModeIsNot(t, data, config.TrafficEncapModeEncap) cc := []configChange{ - {"Egress", "true", true}, + &configChangeFeatureGate{"Egress", true}, } ac := []configChange{ - {"Egress", "true", true}, + &configChangeFeatureGate{"Egress", true}, } if err := data.mutateAntreaConfigMap(cc, ac, true, true); err != nil { diff --git a/test/e2e/framework.go b/test/e2e/framework.go index c297a5e7325..f38707a8ca9 100644 --- a/test/e2e/framework.go +++ b/test/e2e/framework.go 
@@ -188,10 +188,40 @@ type TestData struct { logsDirForTestCase string } -type configChange struct { - field string - value string - isFeatureGate bool +type configChange interface { + ApplyChange(content string) string +} + +type configChangeParam struct { + field string + value string +} + +func (cg *configChangeParam) ApplyChange(content string) string { + r := regexp.MustCompile(fmt.Sprintf(`(?m)#?.*%s:.*$`, cg.field)) + return r.ReplaceAllString(content, fmt.Sprintf("%s: %s", cg.field, cg.value)) +} + +type configChangeFeatureGate struct { + name string + enabled bool +} + +func (cg *configChangeFeatureGate) ApplyChange(content string) string { + r := regexp.MustCompile(fmt.Sprintf(`(?m)#? %s:.*$`, cg.name)) + value := "false" + if cg.enabled { + value = "true" + } + return r.ReplaceAllString(content, fmt.Sprintf(" %s: %s", cg.name, value)) +} + +type configChangeRaw struct { + fn func(content string) string +} + +func (cg *configChangeRaw) ApplyChange(content string) string { + return cg.fn(content) } var testData *TestData 
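Review bot: Both `ApplyChange` implementations interpolate the field name straight into the pattern with `fmt.Sprintf`, so a name containing regex metacharacters would be misinterpreted, and `configChangeParam`'s `#?.*%s:.*$` also matches any line whose key merely ends in the field name and then replaces the whole line, indentation included, which only works for top-level keys. Use `regexp.QuoteMeta(cg.field)` / `regexp.QuoteMeta(cg.name)` in the two `MustCompile` calls and consider anchoring the key, e.g. `(?m)^\s*#?\s*%s:.*$`. Because `ApplyChange` returns only the new content, a pattern that matches nothing is indistinguishable from a successful edit; returning a `bool` (or match count) alongside the content would let `mutateAntreaConfigMap` fail loudly instead of silently skipping the update and restart.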
@@ -656,13 +686,13 @@ func (data *TestData) deployAntrea(option deployAntreaOptions) error { func (data *TestData) deployAntreaFlowExporter(ipfixCollector string) error { // Enable flow exporter feature and add related config params to antrea agent configmap. ac := []configChange{ - {"FlowExporter", "true", true}, - {"flowPollInterval", "\"1s\"", false}, - {"activeFlowExportTimeout", fmt.Sprintf("\"%v\"", exporterActiveFlowExportTimeout), false}, - {"idleFlowExportTimeout", fmt.Sprintf("\"%v\"", exporterIdleFlowExportTimeout), false}, + &configChangeFeatureGate{"FlowExporter", true}, + &configChangeParam{"flowPollInterval", "\"1s\""}, + &configChangeParam{"activeFlowExportTimeout", fmt.Sprintf("\"%v\"", exporterActiveFlowExportTimeout)}, + &configChangeParam{"idleFlowExportTimeout", fmt.Sprintf("\"%v\"", exporterIdleFlowExportTimeout)}, } if ipfixCollector != "" { - ac = append(ac, configChange{"flowCollectorAddr", fmt.Sprintf("\"%s\"", ipfixCollector), false}) + ac = append(ac, &configChangeParam{"flowCollectorAddr", fmt.Sprintf("\"%s\"", ipfixCollector)}) } return data.mutateAntreaConfigMap(nil, ac, false, true) } @@ -1817,6 +1847,10 @@ func (data *TestData) GetGatewayInterfaceName(antreaNamespace string) (string, e return antreaDefaultGW, nil } +// mutateAntreaConfigMap will perform the specified updates on the antrea-agent config and the +// antrea-controller config by updating the antrea-config ConfigMap. It will then restart Agents and +// Controller if needed. Note that if the specified updates do not result in any actual change to +// the ConfigMap, this function is a complete no-op. func (data *TestData) mutateAntreaConfigMap(controllerChanges []configChange, agentChanges []configChange, restartController, restartAgent bool) error { configMap, err := data.GetAntreaConfigMap(antreaNamespace) if err != nil { 
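Review bot: The new doc comment on `mutateAntreaConfigMap` promises a no-op when "the specified updates do not result in any actual change", but with the regex-based `configChange` implementations that also covers the failure case where a field or gate name matches nothing in the current config: the ConfigMap is left untouched, no restart happens, and the caller gets `nil`, so a test would then run against the old configuration without any indication. Worth spelling out so callers double-check their field names, e.g. add `// Note that a change whose field does not appear in the current config matches nothing and is therefore treated as "no change", not as an error.` The function body continues below the hunk.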
@@ -1824,27 +1858,35 @@ func (data *TestData) mutateAntreaConfigMap(controllerChanges []configChange, ag } controllerConf := configMap.Data["antrea-controller.conf"] - for _, c := range controllerChanges { - controllerConf = replaceFieldValue(controllerConf, c) + for _, cg := range controllerChanges { + controllerConf = cg.ApplyChange(controllerConf) } + controllerConfChanged := controllerConf != configMap.Data["antrea-controller.conf"] configMap.Data["antrea-controller.conf"] = controllerConf + agentConf := configMap.Data["antrea-agent.conf"] - for _, c := range agentChanges { - agentConf = replaceFieldValue(agentConf, c) + for _, cg := range agentChanges { + agentConf = cg.ApplyChange(agentConf) } + agentConfChanged := agentConf != configMap.Data["antrea-agent.conf"] configMap.Data["antrea-agent.conf"] = agentConf + if !agentConfChanged && !controllerConfChanged { + // no config was changed, no need to call Update or restart anything + return nil + } + if _, err := data.clientset.CoreV1().ConfigMaps(antreaNamespace).Update(context.TODO(), configMap, metav1.UpdateOptions{}); err != nil { return fmt.Errorf("failed to update ConfigMap %s: %v", configMap.Name, err) } - if restartAgent { + if restartAgent && agentConfChanged { err = data.restartAntreaAgentPods(defaultTimeout) if err != nil { return fmt.Errorf("error when restarting antrea-agent Pod: %v", err) } } // controller should be restarted after agents in case of dataplane disruption caused by agent restart on Kind cluster. - if restartController { + if restartController && controllerConfChanged { _, err = data.restartAntreaControllerPod(defaultTimeout) if err != nil { return fmt.Errorf("error when restarting antrea-controller Pod: %v", err) 
@@ -1853,18 +1895,6 @@ func (data *TestData) mutateAntreaConfigMap(controllerChanges []configChange, ag return nil } -func replaceFieldValue(content string, c configChange) string { - var res string - if c.isFeatureGate { - r := regexp.MustCompile(fmt.Sprintf(`(?m)#? %s:.*$`, c.field)) - res = r.ReplaceAllString(content, fmt.Sprintf(" %s: %s", c.field, c.value)) - } else { - r := regexp.MustCompile(fmt.Sprintf(`(?m)#?.*%s:.*$`, c.field)) - res = r.ReplaceAllString(content, fmt.Sprintf("%s: %s", c.field, c.value)) - } - return res -} - // gracefulExitAntreaController copies the Antrea controller binary coverage data file out before terminating the Pod func (data *TestData) gracefulExitAntreaController(covDir string) error { antreaController, err := data.getAntreaController() diff --git a/test/e2e/framework_test.go b/test/e2e/framework_test.go index d265cc20ff4..93328682562 100644 --- a/test/e2e/framework_test.go +++ b/test/e2e/framework_test.go 
@@ -15,29 +15,54 @@ package e2e import ( + "strings" "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "gopkg.in/yaml.v2" ) -func TestReplaceFieldValue(t *testing.T) { +func TestConfigChange(t *testing.T) { content := ` +featureGates: # featureGateField0: #field0: # field1: abc +field2: + nestedField: 7 ` - cs := []configChange{ - {"featureGateField0", "123", true}, - {"field0", "456", false}, - {"field1", "789", false}, + + changeField2 := func(content string) string { + var cfg interface{} + require.NoError(t, yaml.Unmarshal([]byte(content), &cfg)) + newField := map[string]interface{}{ + "nestedField": 8, + "nestedField2": true, + } + cfg.(map[interface{}]interface{})["field2"] = newField + b, err := yaml.Marshal(&cfg) + require.NoError(t, err) + return string(b) + } + + cgs := []configChange{ + &configChangeFeatureGate{"featureGateField0", true}, + &configChangeParam{"field0", "456"}, + &configChangeParam{"field1", "789"}, + &configChangeRaw{changeField2}, } expected := ` - featureGateField0: 123 +featureGates: + featureGateField0: true field0: 456 field1: 789 +field2: + nestedField: 8 + nestedField2: true ` - for _, c := range cs { - content = replaceFieldValue(content, c) + for _, cg := range cgs { + content = cg.ApplyChange(content) } - assert.Equal(t, expected, content) + assert.Equal(t, strings.TrimSpace(expected), strings.TrimSpace(content)) } diff --git a/test/e2e/nodeportlocal_test.go b/test/e2e/nodeportlocal_test.go index c6b9f155b62..423116935bc 100644 --- a/test/e2e/nodeportlocal_test.go +++ b/test/e2e/nodeportlocal_test.go @@ -26,12 +26,14 @@ import ( "time" "github.com/stretchr/testify/require" + "gopkg.in/yaml.v2" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" "antrea.io/antrea/pkg/agent/nodeportlocal/k8s" npltesting "antrea.io/antrea/pkg/agent/nodeportlocal/testing" + "antrea.io/antrea/pkg/features" ) const ( 
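Review bot: `TestConfigChange` only passes because `configChangeRaw` is applied last: `changeField2` round-trips the whole document through `yaml.Unmarshal` into an `interface{}` and back through `yaml.Marshal`, which drops every comment line, so had it run first the `# featureGateField0:`, `#field0:` and `# field1:` template lines would already be gone and the three regex-based changes would have matched nothing (the `expected` string indeed contains no comments). That ordering constraint is worth a comment on `cgs`, e.g. `// configChangeRaw must come last: the yaml round-trip strips the commented-out template lines the regex-based changes rely on`, and a second case that applies the raw change first would pin down whether that behavior is intended.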
@@ -53,6 +55,37 @@ func newExpectedNPLAnnotations(nplStartPort, nplEndPort int) *npltesting.Expecte return npltesting.NewExpectedNPLAnnotations(nil, nplStartPort, nplEndPort) } +func skipIfNodePortLocalDisabled(tb testing.TB) { + skipIfFeatureDisabled(tb, features.NodePortLocal, true, false) +} + +func configureNPLForAgent(t *testing.T, data *TestData, startPort, endPort int) { + configureNPL := func(content string) string { + var cfg interface{} + if err := yaml.Unmarshal([]byte(content), &cfg); err != nil { + t.Fatalf("Failed to unmarshal Agent config: %v", err) + } + nplConfig := map[string]interface{}{ + "enable": true, + "portRange": fmt.Sprintf("%d-%d", startPort, endPort), + } + cfg.(map[interface{}]interface{})["nodePortLocal"] = nplConfig + b, err := yaml.Marshal(&cfg) + if err != nil { + t.Fatalf("Failed to marshal Agent config: %v", err) + } + return string(b) + } + + ac := []configChange{ + &configChangeRaw{configureNPL}, + } + + if err := data.mutateAntreaConfigMap(nil, ac, false, true); err != nil { + t.Fatalf("Failed to update NodePortLocal port range: %v", err) + } +} + // TestNodePortLocal is the top-level test which contains all subtests for // NodePortLocal related test cases so they can share setup, teardown. func TestNodePortLocal(t *testing.T) { @@ -64,6 +97,8 @@ func TestNodePortLocal(t *testing.T) { t.Fatalf("Error when setting up test: %v", err) } defer teardownTest(t, data) + skipIfNodePortLocalDisabled(t) + configureNPLForAgent(t, data, defaultStartPort, defaultEndPort) t.Run("testNPLAddPod", func(t *testing.T) { testNPLAddPod(t, data) }) t.Run("testNPLMultiplePodsAgentRestart", func(t *testing.T) { testNPLMultiplePodsAgentRestart(t, data) }) t.Run("testNPLChangePortRangeAgentRestart", func(t *testing.T) { testNPLChangePortRangeAgentRestart(t, data) }) 
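Review bot: `configureNPL` in `configureNPLForAgent` rewrites the entire agent config via `yaml.Unmarshal` into an `interface{}` and `yaml.Marshal` back, which discards every comment line (and, for map input, emits keys in sorted order); in particular the commented-out `# <Gate>: <bool>` lines under `featureGates:` that `configChangeFeatureGate` depends on are gone after the first call, so if the cluster is reused, any later regex-based feature-gate change would match nothing and, with the new no-op behavior of `mutateAntreaConfigMap`, be silently dropped. It also guarantees the content differs from the stored config on every call, so the agents are restarted even when the requested range is unchanged. A narrower edit that replaces only the `nodePortLocal:` block would keep the template intact; at minimum a comment on `configureNPL` should record that it strips all comments from the agent config. The assertion `cfg.(map[interface{}]interface{})` panics rather than reaching `t.Fatalf` when the document is empty. Separately, `skipIfNodePortLocalDisabled(t)` takes only the `testing.TB`, so it could be called before `setupTest` in `TestNodePortLocal` and a skipped run would not pay for setup and teardown.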
@@ -219,27 +254,7 @@ func checkTrafficForNPL(data *TestData, r *require.Assertions, nplAnnotations [] } } -func enableNPLInConfigmap(t *testing.T, data *TestData) { - ac := []configChange{ - {"NodePortLocal", "true", true}, - {"nplPortRange", fmt.Sprintf("%d-%d", defaultStartPort, defaultEndPort), false}, - } - if err := data.mutateAntreaConfigMap(nil, ac, false, true); err != nil { - t.Fatalf("Failed to enable NodePortLocal feature: %v", err) - } -} - -func updateNPLPortRangeInConfigmap(t *testing.T, data *TestData, newStartPort, newEndPort int) { - ac := []configChange{ - {"nplPortRange", fmt.Sprintf("%d-%d", newStartPort, newEndPort), false}, - } - if err := data.mutateAntreaConfigMap(nil, ac, false, true); err != nil { - t.Fatalf("Failed to update NodePortLocal port range: %v", err) - } -} - func testNPLAddPod(t *testing.T, data *TestData) { - enableNPLInConfigmap(t, data) t.Run("NPLTestMultiplePods", NPLTestMultiplePods) t.Run("NPLTestPodAddMultiPort", NPLTestPodAddMultiPort) t.Run("NPLTestPodAddMultiProtocol", NPLTestPodAddMultiProtocol) @@ -456,7 +471,6 @@ func NPLTestLocalAccess(t *testing.T) { // - Restart Antrea Agent Pod. // - Verify Pod Annotation, iptables rules and traffic to test Pod. func testNPLMultiplePodsAgentRestart(t *testing.T, data *TestData) { - enableNPLInConfigmap(t, data) r := require.New(t) annotation := make(map[string]string) @@ -521,7 +535,6 @@ func testNPLMultiplePodsAgentRestart(t *testing.T, data *TestData) { // - Restart Antrea Agent Pods. // - Verify that updated port range is being used for NPL. func testNPLChangePortRangeAgentRestart(t *testing.T, data *TestData) { - enableNPLInConfigmap(t, data) r := require.New(t) annotation := make(map[string]string) 
@@ -562,7 +575,7 @@ func testNPLChangePortRangeAgentRestart(t *testing.T, data *TestData) { } } - updateNPLPortRangeInConfigmap(t, data, updatedStartPort, updatedEndPort) + configureNPLForAgent(t, data, updatedStartPort, updatedEndPort) antreaPod, err := data.getAntreaPodOnNode(node) r.NoError(err, "Error when getting Antrea Agent Pod on Node '%s'", node) diff --git a/test/e2e/security_test.go b/test/e2e/security_test.go index 2c9ce8b2df8..aaaa50e5d50 100644 --- a/test/e2e/security_test.go +++ b/test/e2e/security_test.go @@ -64,7 +64,7 @@ func testUserProvidedCert(t *testing.T, data *TestData) { // Re-configure antrea-controller to use user-provided cert. // Note antrea-controller must be restarted to take effect. cc := []configChange{ - {"selfSignedCert", "false", false}, + &configChangeParam{"selfSignedCert", "false"}, } if err := data.mutateAntreaConfigMap(cc, nil, false, false); err != nil { t.Fatalf("Failed to update ConfigMap: %v", err) diff --git a/test/e2e/tls_test.go b/test/e2e/tls_test.go index 625bff710ed..fd7b313b1a6 100644 --- a/test/e2e/tls_test.go +++ b/test/e2e/tls_test.go @@ -85,12 +85,12 @@ func (data *TestData) configureTLS(t *testing.T, cipherSuites []uint16, tlsMinVe } cc := []configChange{ - {"tlsCipherSuites", cipherSuitesStr, false}, - {"tlsMinVersion", tlsMinVersion, false}, + &configChangeParam{"tlsCipherSuites", cipherSuitesStr}, + &configChangeParam{"tlsMinVersion", tlsMinVersion}, } ac := []configChange{ - {"tlsCipherSuites", cipherSuitesStr, false}, - {"tlsMinVersion", tlsMinVersion, false}, + &configChangeParam{"tlsCipherSuites", cipherSuitesStr}, + &configChangeParam{"tlsMinVersion", tlsMinVersion}, } if err := data.mutateAntreaConfigMap(cc, ac, true, true); err != nil { t.Fatalf("Failed to configure Cipher Suites and TLSMinVersion: %v", err) diff --git a/test/e2e/wireguard_test.go b/test/e2e/wireguard_test.go index 9a403ce09fd..55bf2150954 100644 --- a/test/e2e/wireguard_test.go +++ b/test/e2e/wireguard_test.go 
@@ -51,14 +51,14 @@ func TestWireGuard(t *testing.T) { if !providerIsKind { ac := []configChange{ - {"trafficEncryptionMode", "wireguard", false}, + &configChangeParam{"trafficEncryptionMode", "wireguard"}, } if err := data.mutateAntreaConfigMap(nil, ac, false, true); err != nil { t.Fatalf("Failed to enable WireGuard tunnel: %v", err) } defer func() { ac = []configChange{ - {"trafficEncryptionMode", "none", false}, + &configChangeParam{"trafficEncryptionMode", "none"}, } if err := data.mutateAntreaConfigMap(nil, ac, false, true); err != nil { t.Fatalf("Failed to disable WireGuard tunnel: %v", err)