From 7eb93428d2d13acc14249875f47d2b8cd064c4b7 Mon Sep 17 00:00:00 2001
From: Yanjun Zhou
Date: Wed, 29 Jun 2022 18:06:12 -0700
Subject: [PATCH] Add Flow Aggregator Helm Chart
Signed-off-by: Yanjun Zhou
---
.github/workflows/upload_release_assets.yml | 9 +
.gitignore | 3 +
build/charts/Makefile | 2 +
build/charts/flow-aggregator/.helmignore | 23 ++
build/charts/flow-aggregator/Chart.yaml | 24 +++
build/charts/flow-aggregator/README.md | 44 ++++
.../conf/flow-aggregator.conf | 38 ++--
.../flow-aggregator/templates/NOTES.txt | 5 +
.../flow-aggregator/templates/_helpers.tpl | 0
.../templates/clusterrole.yaml | 38 ++++
.../templates/clusterrolebinding.yaml | 14 ++
.../flow-aggregator/templates/configmap.yaml | 9 +
.../flow-aggregator/templates/deployment.yaml | 78 +++++++
.../templates/id-reader-clusterrole.yaml | 14 ++
.../flow-aggregator/templates/role.yaml | 16 ++
.../templates/rolebinding.yaml | 15 ++
.../flow-aggregator/templates/secret.yaml | 11 +
.../flow-aggregator/templates/service.yaml | 19 ++
.../templates/serviceaccount.yaml | 7 +
build/charts/flow-aggregator/values.yaml | 65 ++++++
build/yamls/flow-aggregator.yml | 43 ++--
.../flow-aggregator/base/flow-aggregator.yml | 197 ------------------
.../flow-aggregator/base/kustomization.yml | 19 +-
.../yamls/flow-aggregator/base/namespace.yaml | 7 +
.../patches/coverage/startFlowAggCov.yml | 13 --
.../patches/dev/imagePullPolicy.yml | 11 -
.../patches/kustomization.configMap.tpl.yml | 5 -
.../patches/release/.gitignore | 1 -
docs/network-flow-visibility.md | 58 +++---
hack/.markdownlint-ignore | 1 +
hack/generate-helm-release.sh | 12 +-
hack/generate-manifest-flow-aggregator.sh | 128 ++++++------
hack/release/prepare-assets.sh | 2 +-
33 files changed, 552 insertions(+), 379 deletions(-)
create mode 100644 build/charts/flow-aggregator/.helmignore
create mode 100644 build/charts/flow-aggregator/Chart.yaml
create mode 100644 build/charts/flow-aggregator/README.md
rename build/{yamls/flow-aggregator/base => charts/flow-aggregator}/conf/flow-aggregator.conf (76%)
create mode 100644 build/charts/flow-aggregator/templates/NOTES.txt
create mode 100644 build/charts/flow-aggregator/templates/_helpers.tpl
create mode 100644 build/charts/flow-aggregator/templates/clusterrole.yaml
create mode 100644 build/charts/flow-aggregator/templates/clusterrolebinding.yaml
create mode 100644 build/charts/flow-aggregator/templates/configmap.yaml
create mode 100644 build/charts/flow-aggregator/templates/deployment.yaml
create mode 100644 build/charts/flow-aggregator/templates/id-reader-clusterrole.yaml
create mode 100644 build/charts/flow-aggregator/templates/role.yaml
create mode 100644 build/charts/flow-aggregator/templates/rolebinding.yaml
create mode 100644 build/charts/flow-aggregator/templates/secret.yaml
create mode 100644 build/charts/flow-aggregator/templates/service.yaml
create mode 100644 build/charts/flow-aggregator/templates/serviceaccount.yaml
create mode 100644 build/charts/flow-aggregator/values.yaml
delete mode 100644 build/yamls/flow-aggregator/base/flow-aggregator.yml
create mode 100644 build/yamls/flow-aggregator/base/namespace.yaml
delete mode 100644 build/yamls/flow-aggregator/patches/coverage/startFlowAggCov.yml
delete mode 100644 build/yamls/flow-aggregator/patches/dev/imagePullPolicy.yml
delete mode 100644 build/yamls/flow-aggregator/patches/kustomization.configMap.tpl.yml
delete mode 100644 build/yamls/flow-aggregator/patches/release/.gitignore
diff --git a/.github/workflows/upload_release_assets.yml b/.github/workflows/upload_release_assets.yml
index 42cb674baba..8ee5f1042d7 100644
--- a/.github/workflows/upload_release_assets.yml
+++ b/.github/workflows/upload_release_assets.yml
@@ -263,3 +263,12 @@ jobs: asset_path: ./assets/antrea-chart.tgz asset_name: antrea-chart.tgz asset_content_type: application/octet-stream + - name: Upload Flow Aggregator Helm chart archive + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ github.event.release.upload_url }} + asset_path: ./assets/flow-aggregator-chart.tgz + asset_name: flow-aggregator-chart.tgz + asset_content_type: application/octet-stream diff --git a/.gitignore b/.gitignore index bc8905b6585..8d667890c29 100644 --- a/.gitignore +++ b/.gitignore @@ -12,6 +12,9 @@ bin # Emacs *~ +# Common backup files +*.bak + .idea/ .vscode/ vendor diff --git a/build/charts/Makefile b/build/charts/Makefile index b19bcfb6561..809f2c416da 100644 --- a/build/charts/Makefile +++ b/build/charts/Makefile @@ -8,3 +8,5 @@ helm-docs: docker run --rm --volume "$(CURDIR):/helm-docs" --user=$(USERID):$(GRPID) jnorwood/helm-docs:v1.7.0 sed -i.bak "s/0.0.0/$(VERSION)/g" antrea/README.md # replace version placeholder sed -i.bak "s/-dev-informational/--dev-informational/g" antrea/README.md # fix img.shields.io badge URLs + sed -i.bak "s/0.0.0/$(VERSION)/g" flow-aggregator/README.md # replace version placeholder + sed -i.bak "s/-dev-informational/--dev-informational/g" flow-aggregator/README.md # fix img.shields.io badge URLs diff --git a/build/charts/flow-aggregator/.helmignore b/build/charts/flow-aggregator/.helmignore new file mode 100644 index 00000000000..0e8a0eb36f4 --- /dev/null +++ b/build/charts/flow-aggregator/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
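Review bot: The two new `sed -i.bak` lines in the helm-docs recipe (build/charts/Makefile hunk) leave `flow-aggregator/README.md.bak` behind in the tree, which is what the `*.bak` entry added to .gitignore in this same commit papers over, and they repeat the two antrea lines verbatim. Looping over the two charts, applying both substitutions in one sed invocation and removing the backup afterwards keeps the recipe from producing files that are not its target and makes a third chart a one-word change; `-i.bak` plus `$(RM)` stays portable across GNU and BSD sed. The `helm-docs:` rule header and the docker run line are above the hunk.
```make
helm-docs:
	# … unchanged: docker run jnorwood/helm-docs …
	for chart in antrea flow-aggregator; do \
	  sed -i.bak -e "s/0.0.0/$(VERSION)/g" -e "s/-dev-informational/--dev-informational/g" $$chart/README.md && \
	  $(RM) $$chart/README.md.bak; \
	done
```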
diff --git a/build/charts/flow-aggregator/Chart.yaml b/build/charts/flow-aggregator/Chart.yaml new file mode 100644 index 00000000000..df0f9f4d1b0 --- /dev/null +++ b/build/charts/flow-aggregator/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: flow-aggregator +type: application +displayName: Antrea Flow Aggregator +home: https://antrea.io/ +version: 0.0.0 +appVersion: 0.0.0 +kubeVersion: ">= 1.16.0-0" +icon: https://raw.githubusercontent.com/antrea-io/antrea/main/docs/assets/logo/antrea_logo.svg +description: Antrea Flow Aggregator +keywords: + - Kubernetes + - CNCF + - Networking + - CNI + - Security + - Open vSwitch + - OVS + - Antrea + - Observability + - Flow Visibility + - Flow Aggregator +sources: + - https://github.com/antrea-io/antrea diff --git a/build/charts/flow-aggregator/README.md b/build/charts/flow-aggregator/README.md new file mode 100644 index 00000000000..ede33ad963c --- /dev/null +++ b/build/charts/flow-aggregator/README.md 
@@ -0,0 +1,44 @@ +# flow-aggregator + +![Version: 1.7.0-dev](https://img.shields.io/badge/Version-1.7.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0-dev](https://img.shields.io/badge/AppVersion-1.7.0--dev-informational?style=flat-square) + +Antrea Flow Aggregator + +**Homepage:** + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.16.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| activeFlowRecordTimeout | string | `"60s"` | Provide the active flow record timeout as a duration string. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". | +| aggregatorTransportProtocol | string | `"tls"` | Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp. | +| apiServer.apiPort | int | `10348` | The port for the Flow Aggregator APIServer to serve on. | +| apiServer.tlsCipherSuites | string | `""` | Comma-separated list of cipher suites that will be used by the Flow Aggregator APIservers. If empty, the default Go Cipher Suites will be used. | +| apiServer.tlsMinVersion | string | `""` | TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. | +| clickHouse.commitInterval | string | `"8s"` | CommitInterval is the periodical interval between batch commit of flow records to DB. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". | +| clickHouse.compress | bool | `true` | Compress enables lz4 compression when committing flow records. | +| clickHouse.connectionSecret | object | `{"password":"clickhouse_operator_password","username":"clickhouse_operator"}` | Credentials to connect to ClickHouse. They will be stored in a Secret. | +| clickHouse.databaseURL | string | `"tcp://clickhouse-clickhouse.flow-visibility.svc:9000"` | | +| clickHouse.debug | bool | `false` | Debug enables debug logs from ClickHouse sql driver. 
| +| clickHouse.enable | bool | `false` | Determine whether to enable exporting flow records to ClickHouse. | +| flowAggregatorAddress | string | `"flow-aggregator.flow-aggregator.svc"` | Provide DNS name or IP address of flow aggregator for generating TLS certificate. It must match the flowCollectorAddr parameter in the antrea-agent config. | +| flowCollector.address | string | `""` | Provide the flow collector address as string with format :[:], where proto is tcp or udp. If no L4 transport proto is given, we consider tcp as default. | +| flowCollector.enable | bool | `false` | Determine whether to enable exporting flow records to external flow collector. | +| flowCollector.observationDomainID | string | `""` | Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated from the persistent cluster UUID generated by Antrea. | +| flowCollector.recordFormat | string | `"IPFIX"` | Provide format for records sent to the configured flow collector. Supported formats are IPFIX and JSON. | +| image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/flow-aggregator","tag":"latest"}` | Container image used by Flow Aggregator. | +| inactiveFlowRecordTimeout | string | `"90s"` | Provide the inactive flow record timeout as a duration string. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". | +| logVerbosity | int | `0` | | +| recordContents.podLabels | bool | `false` | Determine whether source and destination Pod labels will be included in the flow records. | +| testing.coverage | bool | `false` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0) 
diff --git a/build/yamls/flow-aggregator/base/conf/flow-aggregator.conf b/build/charts/flow-aggregator/conf/flow-aggregator.conf similarity index 76% rename from build/yamls/flow-aggregator/base/conf/flow-aggregator.conf rename to build/charts/flow-aggregator/conf/flow-aggregator.conf index bc90b1319bc..015ea9e2297 100644 --- a/build/yamls/flow-aggregator/base/conf/flow-aggregator.conf +++ b/build/charts/flow-aggregator/conf/flow-aggregator.conf 
@@ -4,81 +4,85 @@ # will be exported to the collector once the elapsed time since the last export # event in the flow aggregator is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". -#activeFlowRecordTimeout: 60s +activeFlowRecordTimeout: {{ .Values.activeFlowRecordTimeout }} # Provide the inactive flow record timeout as a duration string. This determines # how often the flow aggregator exports the inactive flow records to the flow # collector. A flow record is considered to be inactive if no matching record # has been received by the flow aggregator in the specified interval. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". -#inactiveFlowRecordTimeout: 90s +inactiveFlowRecordTimeout: {{ .Values.inactiveFlowRecordTimeout }} # Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp. -#aggregatorTransportProtocol: "tls" +aggregatorTransportProtocol: {{ .Values.aggregatorTransportProtocol | quote }} # Provide DNS name or IP address of flow aggregator for generating TLS certificate. It must match # the flowCollectorAddr parameter in the antrea-agent config. -#flowAggregatorAddress: "flow-aggregator.flow-aggregator.svc" +flowAggregatorAddress: {{ .Values.flowAggregatorAddress | quote }} # recordContents enables configuring some fields in the flow records. Fields can # be excluded to reduce record size, but some features or external tooling may # depend on these fields. recordContents: # Determine whether source and destination Pod labels will be included in the flow records. - #podLabels: false + podLabels: {{ .Values.recordContents.podLabels }} # apiServer contains APIServer related configuration options. apiServer: # The port for the flow-aggregator APIServer to serve on. - #apiPort: 10348 + apiPort: {{ .Values.apiServer.apiPort }} # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. 
# https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: {{ .Values.apiServer.tlsCipherSuites | quote }} # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: {{ .Values.apiServer.tlsMinVersion | quote }} # flowCollector contains external IPFIX or JSON collector related configuration options. flowCollector: # Enable is the switch to enable exporting flow records to external flow collector. - #enable: false + enable: {{ .Values.flowCollector.enable }} # Provide the flow collector address as string with format :[:], where proto is tcp or udp. # If no L4 transport proto is given, we consider tcp as default. - #address: "" + address: {{ .Values.flowCollector.address | quote }} # Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow # aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated # from the persistent cluster UUID generated by Antrea. Failing that (e.g. because the cluster UUID # is not available), a value will be randomly generated, which may vary across restarts of the flow # aggregator. + {{- if .Values.flowCollector.observationDomainID }} + observationDomainID: {{ .Values.flowCollector.observationDomainID }} + {{- else }} #observationDomainID: + {{- end }} # Provide format for records sent to the configured flow collector. # Supported formats are IPFIX and JSON. - #recordFormat: "IPFIX" + recordFormat: {{ .Values.flowCollector.recordFormat | quote }} # clickHouse contains ClickHouse related configuration options. clickHouse: # Enable is the switch to enable exporting flow records to ClickHouse. - #enable: false + enable: {{ .Values.clickHouse.enable }} # Database is the name of database where Antrea "flows" table is created. 
- #database: "default" + database: "default" # DatabaseURL is the url to the database. TCP protocol is required. - #databaseURL: "tcp://clickhouse-clickhouse.flow-visibility.svc:9000" + databaseURL: {{ .Values.clickHouse.databaseURL | quote }} # Debug enables debug logs from ClickHouse sql driver. - #debug: false + debug: {{ .Values.clickHouse.debug }} # Compress enables lz4 compression when committing flow records. - #compress: true + compress: {{ .Values.clickHouse.compress }} # CommitInterval is the periodical interval between batch commit of flow records to DB. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". # The minimum interval is 1s based on ClickHouse documentation for best performance. - #commitInterval: "8s" + commitInterval: {{ .Values.clickHouse.commitInterval | quote }} diff --git a/build/charts/flow-aggregator/templates/NOTES.txt b/build/charts/flow-aggregator/templates/NOTES.txt new file mode 100644 index 00000000000..eebd6873f7d --- /dev/null +++ b/build/charts/flow-aggregator/templates/NOTES.txt @@ -0,0 +1,5 @@ +The Antrea Flow Aggregator has been successfully installed + +You are using version {{ .Chart.Version }} + +For the Antrea documentation, please visit https://antrea.io diff --git a/build/charts/flow-aggregator/templates/_helpers.tpl b/build/charts/flow-aggregator/templates/_helpers.tpl new file mode 100644 index 00000000000..e69de29bb2d diff --git a/build/charts/flow-aggregator/templates/clusterrole.yaml b/build/charts/flow-aggregator/templates/clusterrole.yaml new file mode 100644 index 00000000000..200c9e232b0 --- /dev/null +++ b/build/charts/flow-aggregator/templates/clusterrole.yaml 
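Review bot: `database: "default"` is the one ClickHouse setting in this hunk that was un-commented without becoming a template value, while the neighbouring `databaseURL`, `debug`, `compress` and `commitInterval` all read from `.Values.clickHouse`, so a chart user cannot change the database name. Make it `database: {{ .Values.clickHouse.database | quote }}` and add `database: "default"` with a `# --` description under `clickHouse` in values.yaml. A smaller edge case: the `{{- if .Values.flowCollector.observationDomainID }}` guard also drops the key when the ID is set to 0, which is a valid 32-bit value; if 0 is meant to be accepted, testing the empty string instead, `{{- if ne (toString .Values.flowCollector.observationDomainID) "" }}`, preserves it.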
@@ -0,0 +1,38 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + app: flow-aggregator + name: flow-aggregator-role +rules: + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["flow-aggregator-ca"] + verbs: ["get", "update"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch"] + # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. + # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will + # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. + # See https://github.com/kubernetes/kubernetes/pull/85375 + # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on + # the extension-apiserver-authentication role. + - apiGroups: [""] + resourceNames: ["extension-apiserver-authentication"] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["flow-aggregator-client-tls"] + verbs: ["get", "update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] + - apiGroups: [ "" ] + resources: [ "configmaps" ] + resourceNames: [ "flow-aggregator-configmap" ] + verbs: [ "update" ] diff --git a/build/charts/flow-aggregator/templates/clusterrolebinding.yaml b/build/charts/flow-aggregator/templates/clusterrolebinding.yaml new file mode 100644 index 00000000000..caf9065de7c --- /dev/null +++ b/build/charts/flow-aggregator/templates/clusterrolebinding.yaml 
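Review bot: The third rule grants `create`, `get`, `list` and `watch` on every ConfigMap in the cluster and the seventh grants `create` on Secrets cluster-wide, both without resourceNames, while the rules around them are scoped to `flow-aggregator-ca`, `flow-aggregator-client-tls` and `flow-aggregator-configmap`. These rules are carried over from the deleted base manifest, so nothing regresses here, but the chart template is now where users read the permissions from and only the extension-apiserver-authentication block explains itself. A comment on each broad rule naming the objects it exists for would let a reviewer check it is the minimum: `create` cannot be narrowed by resourceNames, so that part is expected if the ca/tls objects are created at runtime, whereas the unscoped `list`/`watch` on configmaps is the grant that needs the explanation.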
@@ -0,0 +1,14 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + app: flow-aggregator + name: flow-aggregator-cluster-role-binding +subjects: + - kind: ServiceAccount + name: flow-aggregator + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: flow-aggregator-role + apiGroup: rbac.authorization.k8s.io diff --git a/build/charts/flow-aggregator/templates/configmap.yaml b/build/charts/flow-aggregator/templates/configmap.yaml new file mode 100644 index 00000000000..c85468edfc4 --- /dev/null +++ b/build/charts/flow-aggregator/templates/configmap.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: flow-aggregator-configmap + namespace: {{ .Release.Namespace }} + labels: + app: flow-aggregator +data: +{{ tpl (.Files.Glob "conf/*").AsConfig . | indent 2 | replace " \n" "\n" }} diff --git a/build/charts/flow-aggregator/templates/deployment.yaml b/build/charts/flow-aggregator/templates/deployment.yaml new file mode 100644 index 00000000000..59016ea849f --- /dev/null +++ b/build/charts/flow-aggregator/templates/deployment.yaml 
@@ -0,0 +1,78 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: flow-aggregator + name: flow-aggregator + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: flow-aggregator + template: + metadata: + labels: + app: flow-aggregator + spec: + containers: + - name: flow-aggregator + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.testing.coverage }} + command: [ "/bin/sh" ] + args: [ "-c", "flow-aggregator-coverage -test.run=TestBincoverRunMain -test.coverprofile=flow-aggregator.cov.out -args-file=/flow-aggregator-arg-file; while true; do sleep 5 & wait $!; done" ] + {{- else }} + args: + - --config + - /etc/flow-aggregator/flow-aggregator.conf + - --logtostderr=false + - --log_dir=/var/log/antrea/flow-aggregator + - --alsologtostderr + - --log_file_max_size=100 + - --log_file_max_num=4 + {{- if .Values.logVerbosity }} + - "--v={{ .Values.logVerbosity }}" + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CH_USERNAME + valueFrom: + secretKeyRef: + name: clickhouse-secret + key: username + - name: CH_PASSWORD + valueFrom: + secretKeyRef: + name: clickhouse-secret + key: password + - name: FA_CONFIG_MAP_NAME + value: flow-aggregator-configmap + ports: + - containerPort: 4739 + volumeMounts: + - mountPath: /etc/flow-aggregator + name: flow-aggregator-config + readOnly: true + - mountPath: /var/log/antrea/flow-aggregator + name: host-var-log-antrea-flow-aggregator + nodeSelector: + kubernetes.io/os: linux + kubernetes.io/arch: amd64 + serviceAccountName: flow-aggregator + volumes: + - name: flow-aggregator-config + configMap: + name: flow-aggregator-configmap + - name: host-var-log-antrea-flow-aggregator + hostPath: + path: /var/log/antrea/flow-aggregator + type: DirectoryOrCreate 
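Review bot: The container spec has no `securityContext` and no `resources`, and it writes logs to a `hostPath` volume created with `DirectoryOrCreate`, with nothing in values.yaml that lets a user tighten any of this. Exposing them as values, e.g. `resources: {{ toYaml .Values.resources | nindent 12 }}` with `resources: {}` as the default and a similar block for the container `securityContext`, would let the chart fit a hardened cluster without editing the template. Separately, the default `image.tag` is `latest` combined with `IfNotPresent`, so a node that already cached an older `latest` keeps running it after a chart upgrade; `{{ .Values.image.tag | default .Chart.AppVersion }}` would tie the default to the chart version, assuming `appVersion` is substituted at release time like `version` is.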
diff --git a/build/charts/flow-aggregator/templates/id-reader-clusterrole.yaml b/build/charts/flow-aggregator/templates/id-reader-clusterrole.yaml new file mode 100644 index 00000000000..da5d9b73650 --- /dev/null +++ b/build/charts/flow-aggregator/templates/id-reader-clusterrole.yaml @@ -0,0 +1,14 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + app: flow-aggregator + name: flow-aggregator-cluster-id-reader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: antrea-cluster-identity-reader +subjects: + - kind: ServiceAccount + name: flow-aggregator + namespace: {{ .Release.Namespace }} diff --git a/build/charts/flow-aggregator/templates/role.yaml b/build/charts/flow-aggregator/templates/role.yaml new file mode 100644 index 00000000000..8fcd26601ce --- /dev/null +++ b/build/charts/flow-aggregator/templates/role.yaml @@ -0,0 +1,16 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + app: flow-aggregator + name: flow-exporter-role + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["flow-aggregator-ca"] + verbs: ["get"] + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["flow-aggregator-client-tls"] + verbs: ["get"] diff --git a/build/charts/flow-aggregator/templates/rolebinding.yaml b/build/charts/flow-aggregator/templates/rolebinding.yaml new file mode 100644 index 00000000000..7e19235e9fd --- /dev/null +++ b/build/charts/flow-aggregator/templates/rolebinding.yaml @@ -0,0 +1,15 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + app: flow-aggregator + name: flow-exporter-role-binding + namespace: {{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: antrea-agent + namespace: kube-system +roleRef: + kind: Role + name: flow-exporter-role + apiGroup: rbac.authorization.k8s.io 
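Review bot: `id-reader-clusterrole.yaml` holds a ClusterRoleBinding (`flow-aggregator-cluster-id-reader`, bound to the pre-existing `antrea-cluster-identity-reader` ClusterRole), not a ClusterRole, so the file name says the opposite of its content; the sibling templates are named by kind (`clusterrolebinding.yaml`, `rolebinding.yaml`), so `id-reader-clusterrolebinding.yaml` would follow the convention. A header comment such as `# Binds to the antrea-cluster-identity-reader ClusterRole, which is expected to already exist (presumably installed with Antrea).` would also help, because a binding to a missing ClusterRole is accepted by the API server and only shows up later as an authorization failure.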
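Review bot: `rolebinding.yaml` hard-codes its subject as ServiceAccount `antrea-agent` in `kube-system`, while every other object in this chart derives its namespace from `.Release.Namespace`; if Antrea was installed into a different namespace the binding is created without error but grants nothing, and the agent's reads of `flow-aggregator-ca` and `flow-aggregator-client-tls` fail. A value such as `antreaNamespace: kube-system` in values.yaml with `namespace: {{ .Values.antreaNamespace }}` on the subject keeps the current default and makes the assumption visible; at minimum a comment stating that the namespace must match the Antrea installation belongs on that line.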
diff --git a/build/charts/flow-aggregator/templates/secret.yaml b/build/charts/flow-aggregator/templates/secret.yaml new file mode 100644 index 00000000000..cd5da4267fe --- /dev/null +++ b/build/charts/flow-aggregator/templates/secret.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: + app: flow-aggregator + name: clickhouse-secret + namespace: {{ .Release.Namespace }} +type: Opaque +stringData: + username: {{ .Values.clickHouse.connectionSecret.username }} + password: {{ .Values.clickHouse.connectionSecret.password }} diff --git a/build/charts/flow-aggregator/templates/service.yaml b/build/charts/flow-aggregator/templates/service.yaml new file mode 100644 index 00000000000..db302cf8162 --- /dev/null +++ b/build/charts/flow-aggregator/templates/service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: flow-aggregator + name: flow-aggregator + namespace: {{ .Release.Namespace }} +spec: + selector: + app: flow-aggregator + ports: + - name: ipfix-udp + port: 4739 + protocol: UDP + targetPort: 4739 + - name: ipfix-tcp + port: 4739 + protocol: TCP + targetPort: 4739 diff --git a/build/charts/flow-aggregator/templates/serviceaccount.yaml b/build/charts/flow-aggregator/templates/serviceaccount.yaml new file mode 100644 index 00000000000..8dca8c53d5b --- /dev/null +++ b/build/charts/flow-aggregator/templates/serviceaccount.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: flow-aggregator + name: flow-aggregator + namespace: {{ .Release.Namespace }} diff --git a/build/charts/flow-aggregator/values.yaml b/build/charts/flow-aggregator/values.yaml new file mode 100644 index 00000000000..92193004264 --- /dev/null +++ b/build/charts/flow-aggregator/values.yaml 
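Review bot: `secret.yaml` interpolates `.Values.clickHouse.connectionSecret.username` and `.password` into `stringData` without `| quote`, so a password that YAML parses as something other than a plain string (starting with `*`, `&` or `{`, containing `: `, or purely numeric) either breaks rendering or silently changes the stored value; `password: {{ .Values.clickHouse.connectionSecret.password | quote }}` (and the same for `username`) fixes that. The Secret is also rendered unconditionally, as are the `CH_USERNAME`/`CH_PASSWORD` `secretKeyRef` entries in deployment.yaml, so every install places the documented default credentials in the namespace even when `clickHouse.enable` is false. Wrapping the template in `{{- if .Values.clickHouse.enable }}` … `{{- end }}` and gating the two env entries the same way (they must be gated together, or the pod will fail on the missing Secret) keeps placeholder credentials out of installs that do not use ClickHouse.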
@@ -0,0 +1,65 @@ +# -- Container image used by Flow Aggregator. +image: + repository: "projects.registry.vmware.com/antrea/flow-aggregator" + pullPolicy: "IfNotPresent" + tag: "latest" +# -- Provide the active flow record timeout as a duration string. +# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". +activeFlowRecordTimeout: 60s +# -- Provide the inactive flow record timeout as a duration string. +# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". +inactiveFlowRecordTimeout: 90s +# -- Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp. +aggregatorTransportProtocol: "tls" +# -- Provide DNS name or IP address of flow aggregator for generating TLS certificate. It must match +# the flowCollectorAddr parameter in the antrea-agent config. +flowAggregatorAddress: "flow-aggregator.flow-aggregator.svc" +# recordContents enables configuring some fields in the flow records. +recordContents: + # -- Determine whether source and destination Pod labels will be included in the flow records. + podLabels: false +# apiServer contains APIServer related configuration options. +apiServer: + # -- The port for the Flow Aggregator APIServer to serve on. + apiPort: 10348 + # -- Comma-separated list of cipher suites that will be used by the Flow Aggregator + # APIservers. If empty, the default Go Cipher Suites will be used. + tlsCipherSuites: "" + # -- TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" +# flowCollector contains external IPFIX or JSON collector related configuration options. +flowCollector: + # -- Determine whether to enable exporting flow records to external flow collector. + enable: false + # -- Provide the flow collector address as string with format :[:], + # where proto is tcp or udp. If no L4 transport proto is given, we consider tcp as default. 
+ address: "" + # -- Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow + # aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated + # from the persistent cluster UUID generated by Antrea. + observationDomainID: "" + # -- Provide format for records sent to the configured flow collector. + # Supported formats are IPFIX and JSON. + recordFormat: "IPFIX" +# clickHouse contains ClickHouse related configuration options. +clickHouse: + # -- Determine whether to enable exporting flow records to ClickHouse. + enable: false + # DatabaseURL is the url to the database. TCP protocol is required. + databaseURL: "tcp://clickhouse-clickhouse.flow-visibility.svc:9000" + # -- Debug enables debug logs from ClickHouse sql driver. + debug: false + # -- Compress enables lz4 compression when committing flow records. + compress: true + # -- CommitInterval is the periodical interval between batch commit of flow records to DB. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + commitInterval: "8s" + # -- Credentials to connect to ClickHouse. They will be stored in a Secret. + connectionSecret: + username : "clickhouse_operator" + password: "clickhouse_operator_password" +testing: + ## -- Enable code coverage measurement (used when testing Flow Aggregator only). + coverage: false +## -- Log verbosity switch for Flow Aggregator. +logVerbosity: 0 diff --git a/build/yamls/flow-aggregator.yml b/build/yamls/flow-aggregator.yml index 56ecc83bdf8..81a6be051be 100644 --- a/build/yamls/flow-aggregator.yml +++ b/build/yamls/flow-aggregator.yml @@ -99,7 +99,7 @@ rules: - apiGroups: - "" resourceNames: - - flow-aggregator-configmap-7572tg842t + - flow-aggregator-configmap resources: - configmaps verbs: 
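Review bot: Three entries use comment markers helm-docs does not pick up, and the README generated in this same commit shows the result as empty Description cells for exactly `clickHouse.databaseURL`, `logVerbosity` and `testing.coverage`: the comment above `databaseURL` lacks the `--` marker, and the two `## --` comments use a double `#`. Changing them to `# -- DatabaseURL is the url to the database. TCP protocol is required.`, `# -- Enable code coverage measurement (used when testing Flow Aggregator only).` and `# -- Log verbosity switch for Flow Aggregator.` fills the table. `username : "clickhouse_operator"` also carries a space before the colon, harmless to YAML but inconsistent with every other key in the file. The placeholder credentials under `connectionSecret` are rendered straight into a Secret and into the published manifest; a comment stating that they must be overridden for any real deployment, or a `required` check in the template, would make that expectation visible to chart users.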
@@ -160,51 +160,51 @@ data: # will be exported to the collector once the elapsed time since the last export # event in the flow aggregator is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #activeFlowRecordTimeout: 60s + activeFlowRecordTimeout: 60s # Provide the inactive flow record timeout as a duration string. This determines # how often the flow aggregator exports the inactive flow records to the flow # collector. A flow record is considered to be inactive if no matching record # has been received by the flow aggregator in the specified interval. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #inactiveFlowRecordTimeout: 90s + inactiveFlowRecordTimeout: 90s # Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp. - #aggregatorTransportProtocol: "tls" + aggregatorTransportProtocol: "tls" # Provide DNS name or IP address of flow aggregator for generating TLS certificate. It must match # the flowCollectorAddr parameter in the antrea-agent config. - #flowAggregatorAddress: "flow-aggregator.flow-aggregator.svc" + flowAggregatorAddress: "flow-aggregator.flow-aggregator.svc" # recordContents enables configuring some fields in the flow records. Fields can # be excluded to reduce record size, but some features or external tooling may # depend on these fields. recordContents: # Determine whether source and destination Pod labels will be included in the flow records. - #podLabels: false + podLabels: false # apiServer contains APIServer related configuration options. apiServer: # The port for the flow-aggregator APIServer to serve on. - #apiPort: 10348 + apiPort: 10348 # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. 
- #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: + tlsMinVersion: "" # flowCollector contains external IPFIX or JSON collector related configuration options. flowCollector: # Enable is the switch to enable exporting flow records to external flow collector. - #enable: false + enable: false # Provide the flow collector address as string with format :[:], where proto is tcp or udp. # If no L4 transport proto is given, we consider tcp as default. - #address: "" + address: "" # Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow # aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated 
@@ -215,34 +215,34 @@ data: # Provide format for records sent to the configured flow collector. # Supported formats are IPFIX and JSON. - #recordFormat: "IPFIX" + recordFormat: "IPFIX" # clickHouse contains ClickHouse related configuration options. clickHouse: # Enable is the switch to enable exporting flow records to ClickHouse. - #enable: false + enable: false # Database is the name of database where Antrea "flows" table is created. - #database: "default" + database: "default" # DatabaseURL is the url to the database. TCP protocol is required. - #databaseURL: "tcp://clickhouse-clickhouse.flow-visibility.svc:9000" + databaseURL: "tcp://clickhouse-clickhouse.flow-visibility.svc:9000" # Debug enables debug logs from ClickHouse sql driver. - #debug: false + debug: false # Compress enables lz4 compression when committing flow records. - #compress: true + compress: true # CommitInterval is the periodical interval between batch commit of flow records to DB. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". # The minimum interval is 1s based on ClickHouse documentation for best performance. - #commitInterval: "8s" + commitInterval: "8s" kind: ConfigMap metadata: labels: app: flow-aggregator - name: flow-aggregator-configmap-7572tg842t + name: flow-aggregator-configmap namespace: flow-aggregator --- apiVersion: v1 @@ -303,7 +303,6 @@ spec: - --alsologtostderr - --log_file_max_size=100 - --log_file_max_num=4 - - --v=0 env: - name: POD_NAME valueFrom: @@ -324,7 +323,7 @@ spec: key: password name: clickhouse-secret - name: FA_CONFIG_MAP_NAME - value: flow-aggregator-configmap-7572tg842t + value: flow-aggregator-configmap image: projects.registry.vmware.com/antrea/flow-aggregator:latest imagePullPolicy: IfNotPresent name: flow-aggregator 
@@ -342,7 +341,7 @@ spec: serviceAccountName: flow-aggregator volumes: - configMap: - name: flow-aggregator-configmap-7572tg842t + name: flow-aggregator-configmap name: flow-aggregator-config - hostPath: path: /var/log/antrea/flow-aggregator diff --git a/build/yamls/flow-aggregator/base/flow-aggregator.yml b/build/yamls/flow-aggregator/base/flow-aggregator.yml deleted file mode 100644 index 533eb19eee1..00000000000 --- a/build/yamls/flow-aggregator/base/flow-aggregator.yml +++ /dev/null 
@@ -1,197 +0,0 @@ -# Create a namespace for Flow Aggregator service -apiVersion: v1 -kind: Namespace -metadata: - name: flow-aggregator ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: flow-aggregator - namespace: flow-aggregator ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: flow-aggregator-role -rules: - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["flow-aggregator-ca"] - verbs: ["get", "update"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch"] - # This is the content of built-in role kube-system/extension-apiserver-authentication-reader. - # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will - # have permission issue after bumping up apiserver library to a version that supports dynamic authentication. - # See https://github.com/kubernetes/kubernetes/pull/85375 - # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on - # the extension-apiserver-authentication role. 
- - apiGroups: [""] - resourceNames: ["extension-apiserver-authentication"] - resources: ["configmaps"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - resourceNames: ["flow-aggregator-client-tls"] - verbs: ["get", "update"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] - - apiGroups: [ "" ] - resources: [ "configmaps" ] - resourceNames: [ "flow-aggregator-configmap" ] - verbs: [ "update" ] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: flow-aggregator-cluster-role-binding -subjects: - - kind: ServiceAccount - name: flow-aggregator - namespace: flow-aggregator -roleRef: - kind: ClusterRole - name: flow-aggregator-role - apiGroup: rbac.authorization.k8s.io ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: flow-exporter-role - namespace: flow-aggregator -rules: - - apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["flow-aggregator-ca"] - verbs: ["get"] - - apiGroups: [""] - resources: ["secrets"] - resourceNames: ["flow-aggregator-client-tls"] - verbs: ["get"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: flow-exporter-role-binding - namespace: flow-aggregator -subjects: -- kind: ServiceAccount - name: antrea-agent - namespace: kube-system -roleRef: - kind: Role - name: flow-exporter-role - apiGroup: rbac.authorization.k8s.io ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: flow-aggregator-cluster-id-reader -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: antrea-cluster-identity-reader -subjects: - - kind: ServiceAccount - name: flow-aggregator - namespace: flow-aggregator ---- -apiVersion: v1 -kind: Service -metadata: - name: flow-aggregator - namespace: flow-aggregator -spec: - selector: - app: flow-aggregator - ports: - - name: ipfix-udp - port: 4739 - protocol: UDP - targetPort: 4739 - - name: ipfix-tcp - port: 4739 - 
protocol: TCP - targetPort: 4739 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: flow-aggregator - namespace: flow-aggregator -spec: - replicas: 1 - selector: - matchLabels: - app: flow-aggregator - template: - spec: - containers: - - args: - - --config - - /etc/flow-aggregator/flow-aggregator.conf - - --logtostderr=false - - --log_dir=/var/log/antrea/flow-aggregator - - --alsologtostderr - - --log_file_max_size=100 - - --log_file_max_num=4 - - --v=0 - name: flow-aggregator - image: flow-aggregator - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CH_USERNAME - valueFrom: - secretKeyRef: - name: clickhouse-secret - key: username - - name: CH_PASSWORD - valueFrom: - secretKeyRef: - name: clickhouse-secret - key: password - - name: FA_CONFIG_MAP_NAME - value: "$(FA_CONFIG_MAP_NAME)" - ports: - - containerPort: 4739 - volumeMounts: - - mountPath: /etc/flow-aggregator - name: flow-aggregator-config - readOnly: true - - mountPath: /var/log/antrea/flow-aggregator - name: host-var-log-antrea-flow-aggregator - nodeSelector: - kubernetes.io/os: linux - kubernetes.io/arch: amd64 - serviceAccountName: flow-aggregator - volumes: - - name: flow-aggregator-config - configMap: - name: flow-aggregator-configmap - - name: host-var-log-antrea-flow-aggregator - hostPath: - path: /var/log/antrea/flow-aggregator - type: DirectoryOrCreate ---- -apiVersion: v1 -kind: Secret -metadata: - name: clickhouse-secret - namespace: flow-aggregator -type: Opaque -stringData: - username: clickhouse_operator - password: clickhouse_operator_password diff --git a/build/yamls/flow-aggregator/base/kustomization.yml b/build/yamls/flow-aggregator/base/kustomization.yml index 961a8fdca4b..1c57ef51aaa 100644 --- a/build/yamls/flow-aggregator/base/kustomization.yml +++ b/build/yamls/flow-aggregator/base/kustomization.yml 
@@ -1,17 +1,6 @@
-resources:
-- flow-aggregator.yml
-configMapGenerator:
-- files:
- - conf/flow-aggregator.conf
- name: flow-aggregator-configmap
-commonLabels:
- app: flow-aggregator
-namespace: flow-aggregator
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-vars:
- - name: FA_CONFIG_MAP_NAME
- objref:
- kind: ConfigMap
- name: flow-aggregator-configmap
- apiVersion: v1
+namespace: flow-aggregator
+resources:
+- namespace.yaml
+- manifest.yaml
diff --git a/build/yamls/flow-aggregator/base/namespace.yaml b/build/yamls/flow-aggregator/base/namespace.yaml
new file mode 100644
index 00000000000..8ff402404cf
--- /dev/null
+++ b/build/yamls/flow-aggregator/base/namespace.yaml
@@ -0,0 +1,7 @@
+# Create a Namespace for Flow Aggregator Service
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app: flow-aggregator
+ name: flow-aggregator
diff --git a/build/yamls/flow-aggregator/patches/coverage/startFlowAggCov.yml b/build/yamls/flow-aggregator/patches/coverage/startFlowAggCov.yml
deleted file mode 100644
index b8bdf750a0f..00000000000
--- a/build/yamls/flow-aggregator/patches/coverage/startFlowAggCov.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: flow-aggregator
- namespace: flow-aggregator
-spec:
- template:
- spec:
- containers:
- - name: flow-aggregator
- image: antrea/flow-aggregator-coverage:latest
- command: [ "/bin/sh" ]
- args: [ "-c", "flow-aggregator-coverage -test.run=TestBincoverRunMain -test.coverprofile=flow-aggregator.cov.out -args-file=/flow-aggregator-arg-file; while true; do sleep 5 & wait $!; done" ]
diff --git a/build/yamls/flow-aggregator/patches/dev/imagePullPolicy.yml b/build/yamls/flow-aggregator/patches/dev/imagePullPolicy.yml
deleted file mode 100644
index 93e5291622a..00000000000
--- a/build/yamls/flow-aggregator/patches/dev/imagePullPolicy.yml
+++ /dev/null
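Review bot: The new base lists `manifest.yaml` as a resource, but that file is not part of the commit; it is only written by hack/generate-manifest-flow-aggregator.sh as an intermediate and deleted again afterwards, so a plain `kustomize build build/yamls/flow-aggregator/base` now fails with a missing-resource error and nothing in the file explains why. A one-line comment above the entry would save the next person the detour: `# manifest.yaml is rendered from build/charts/flow-aggregator by hack/generate-manifest-flow-aggregator.sh and is not checked in`. Since the intermediate lands inside a tracked directory, it should also be listed in .gitignore; the diffstat shows a .gitignore change, but I could not confirm from this chunk that it covers this path.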
@@ -1,11 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: flow-aggregator - namespace: flow-aggregator -spec: - template: - spec: - containers: - - name: flow-aggregator - imagePullPolicy: IfNotPresent diff --git a/build/yamls/flow-aggregator/patches/kustomization.configMap.tpl.yml b/build/yamls/flow-aggregator/patches/kustomization.configMap.tpl.yml deleted file mode 100644 index 18972aa97c3..00000000000 --- a/build/yamls/flow-aggregator/patches/kustomization.configMap.tpl.yml +++ /dev/null @@ -1,5 +0,0 @@ -configMapGenerator: -- name: flow-aggregator-configmap - behavior: merge - files: - - diff --git a/build/yamls/flow-aggregator/patches/release/.gitignore b/build/yamls/flow-aggregator/patches/release/.gitignore deleted file mode 100644 index fdffa2a0fd7..00000000000 --- a/build/yamls/flow-aggregator/patches/release/.gitignore +++ /dev/null @@ -1 +0,0 @@ -# placeholder diff --git a/docs/network-flow-visibility.md b/docs/network-flow-visibility.md index 366624cb9d6..f88cadb1a54 100644 --- a/docs/network-flow-visibility.md +++ b/docs/network-flow-visibility.md 
@@ -292,84 +292,84 @@ flow-aggregator.conf: | # will be exported to the collector once the elapsed time since the last export # event in the flow aggregator is equal to the value of this timeout. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #activeFlowRecordTimeout: 60s + activeFlowRecordTimeout: 60s # Provide the inactive flow record timeout as a duration string. This determines # how often the flow aggregator exports the inactive flow records to the flow # collector. A flow record is considered to be inactive if no matching record # has been received by the flow aggregator in the specified interval. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - #inactiveFlowRecordTimeout: 90s - + inactiveFlowRecordTimeout: 90s + # Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp. - #aggregatorTransportProtocol: "tls" - + aggregatorTransportProtocol: "tls" + # Provide DNS name or IP address of flow aggregator for generating TLS certificate. It must match # the flowCollectorAddr parameter in the antrea-agent config. - #flowAggregatorAddress: "flow-aggregator.flow-aggregator.svc" + flowAggregatorAddress: "flow-aggregator.flow-aggregator.svc" # recordContents enables configuring some fields in the flow records. Fields can # be excluded to reduce record size, but some features or external tooling may # depend on these fields. recordContents: # Determine whether source and destination Pod labels will be included in the flow records. - #podLabels: false + podLabels: false # apiServer contains APIServer related configuration options. apiServer: # The port for the flow-aggregator APIServer to serve on. - #apiPort: 10348 + apiPort: 10348 # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. # https://golang.org/pkg/crypto/tls/#pkg-constants # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always # prefer TLS1.3 Cipher Suites whenever possible. - #tlsCipherSuites: + tlsCipherSuites: "" # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - #tlsMinVersion: - + tlsMinVersion: "" + # flowCollector contains external IPFIX or JSON collector related configuration options. flowCollector: # Enable is the switch to enable exporting flow records to external flow collector. - #enable: false - + enable: false + # Provide the flow collector address as string with format :[:], where proto is tcp or udp. # If no L4 transport proto is given, we consider tcp as default. - address: "192.168.86.86:4739:tcp" - + address: "" + # Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow # aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated # from the persistent cluster UUID generated by Antrea. Failing that (e.g. because the cluster UUID # is not available), a value will be randomly generated, which may vary across restarts of the flow # aggregator. #observationDomainID: - + # Provide format for records sent to the configured flow collector. # Supported formats are IPFIX and JSON. - #recordFormat: "IPFIX" - + recordFormat: "IPFIX" + # clickHouse contains ClickHouse related configuration options. clickHouse: # Enable is the switch to enable exporting flow records to ClickHouse. - #enable: false - + enable: false + # Database is the name of database where Antrea "flows" table is created. - #database: "default" - + database: "default" + # DatabaseURL is the url to the database. TCP protocol is required. - #databaseURL: "tcp://clickhouse-clickhouse.flow-visibility.svc:9000" - + databaseURL: "tcp://clickhouse-clickhouse.flow-visibility.svc:9000" + # Debug enables debug logs from ClickHouse sql driver. - #debug: false - + debug: false + # Compress enables lz4 compression when committing flow records. 
- #compress: true - + compress: true + # CommitInterval is the periodical interval between batch commit of flow records to DB. # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". # The minimum interval is 1s based on ClickHouse documentation for best performance. - #commitInterval: "8s" + commitInterval: "8s" ``` Please note that the default values for `activeFlowRecordTimeout`, diff --git a/hack/.markdownlint-ignore b/hack/.markdownlint-ignore index 724578f287c..8c7c146da4f 100644 --- a/hack/.markdownlint-ignore +++ b/hack/.markdownlint-ignore @@ -4,3 +4,4 @@ hack/netpol CODE_OF_CONDUCT.md # auto-generated file build/charts/antrea/README.md +build/charts/flow-aggregator/README.md diff --git a/hack/generate-helm-release.sh b/hack/generate-helm-release.sh index e3187cbf18e..9eae0780080 100755 --- a/hack/generate-helm-release.sh +++ b/hack/generate-helm-release.sh @@ -20,10 +20,10 @@ function echoerr { >&2 echo "$@" } -_usage="Usage: $0 [--mode (dev|release)] --out -Package the Antrea chart into a chart archive. +_usage="Usage: $0 [--mode (dev|release)] --out +Package the Antrea chart and the Flow Aggregator chart into chart archives. Environment variable VERSION must be set. - --out Output path for chart archive + --out Output directory for chart archives --help, -h Print this message and exit You can set the HELM environment variable to the path of the helm binary you want us to @@ -90,4 +90,8 @@ fi ANTREA_CHART="$THIS_DIR/../build/charts/antrea" $HELM package --app-version $VERSION --version $VERSION $ANTREA_CHART -mv "antrea-$VERSION.tgz" $OUT +mv "antrea-$VERSION.tgz" "$OUT/antrea-chart.tgz" + +FLOW_AGGREGATOR_CHART="$THIS_DIR/../build/charts/flow-aggregator" +$HELM package --app-version $VERSION --version $VERSION $FLOW_AGGREGATOR_CHART +mv "flow-aggregator-$VERSION.tgz" "$OUT/flow-aggregator-chart.tgz" diff --git a/hack/generate-manifest-flow-aggregator.sh b/hack/generate-manifest-flow-aggregator.sh index 637e6f444c3..3a1ccd4258b 100755 
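Review bot: `--out` changed meaning from an output file path to an output directory, but the new lines never check that `$OUT` is a directory; a caller still passing the old `.../antrea-chart.tgz` form gets a confusing `mv` failure only after both charts have been packaged, and if a regular file of that name exists it is silently overwritten. A guard where the option is parsed (outside this hunk), e.g. `[ -d "$OUT" ] || { echoerr "--out must be an existing directory"; exit 1; }`, makes the contract explicit. The two `$HELM package ... $ANTREA_CHART` / `$FLOW_AGGREGATOR_CHART` calls pass the chart path unquoted even though it is derived from `THIS_DIR`; `"$FLOW_AGGREGATOR_CHART"` is safer. As these archives are release assets, a follow-up worth considering is emitting checksums or a provenance file (`helm package --sign`) so consumers can verify what they install; the commit does not claim to do that, so this is a suggestion rather than a defect.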
--- a/hack/generate-manifest-flow-aggregator.sh +++ b/hack/generate-manifest-flow-aggregator.sh @@ -20,13 +20,12 @@ function echoerr { >&2 echo "$@" } -_usage="Usage: $0 [--mode (dev|release)] [-fc|--flow-collector ] [-ch|--clickhouse] [--keep] [--help|-h] -Generate a YAML manifest for the Flow Aggregator, using Kustomize, and print it to stdout. +_usage="Usage: $0 [--mode (dev|release)] [-fc|--flow-collector ] [-ch|--clickhouse] [--verbose-log] [--help|-h] +Generate a YAML manifest for the Flow Aggregator, using Helm and Kustomize, and print it to stdout. --mode (dev|release) Choose the configuration variant that you need (default is 'dev'). --flow-collector, -fc Specify the flowCollector address. It should be given in format IP:port:proto. Example: 192.168.1.100:4739:udp. --clickhouse, -ch Enable exporting flow records to default ClickHouse service address. - --keep Debug flag which will preserve the generated kustomization.yml. --coverage Generate a manifest which supports measuring code coverage of the Flow Aggregator binaries. --verbose-log Generate a manifest with increased log-level (level 4) for the Flow Aggregator. This option will work only with 'dev' mode. 
@@ -34,10 +33,14 @@ Generate a YAML manifest for the Flow Aggregator, using Kustomize, and print it In 'release' mode, environment variables IMG_NAME and IMG_TAG must be set. -This tool uses kustomize (https://github.com/kubernetes-sigs/kustomize) to generate manifests for -running Antrea on Windows Nodes. You can set the KUSTOMIZE environment variable to the path of the -kustomize binary you want us to use. Otherwise we will look for kustomize in your PATH and your -GOPATH. If we cannot find kustomize there, we will try to install it." +In 'dev' mode, environment variable IMG_NAME can be set to use a custom image. + +This tool uses Helm 3 (https://helm.sh/) and Kustomize (https://github.com/kubernetes-sigs/kustomize) +to generate the manifest for Flow Aggregator. You can set the HELM and KUSTOMIZE environment +variable to the paths of the helm and kustomize binaries you want us to use. Otherwise we +will download the appropriate version of the helm and kustomize binary and use it (this is +the recommended approach since different versions of helm and kustomize may create different +output YAMLs)." function print_usage { echoerr "$_usage" @@ -48,7 +51,6 @@ function print_help { } MODE="dev" -KEEP=false FLOW_COLLECTOR="" CLICKHOUSE=false COVERAGE=false @@ -71,10 +73,6 @@ case $key in CLICKHOUSE=true shift ;; - --keep) - KEEP=true - shift - ;; --coverage) COVERAGE=true shift 
@@ -112,14 +110,29 @@ if [ "$MODE" == "release" ] && [ -z "$IMG_TAG" ]; then
 exit 1
 fi
-if [ "$MODE" == "release" ] && $VERBOSE_LOG; then
+if [ "$MODE" != "dev" ] && $VERBOSE_LOG; then
 echoerr "--verbose-log works only with 'dev' mode"
 print_help
 exit 1
 fi
+if $COVERAGE && $VERBOSE_LOG; then
+ echoerr "--coverage has enabled verbose log"
+ VERBOSE_LOG=false
+fi
+
 THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+source $THIS_DIR/verify-helm.sh
+
+if [ -z "$HELM" ]; then
+ HELM="$(verify_helm)"
+elif ! $HELM version > /dev/null 2>&1; then
+ echoerr "$HELM does not appear to be a valid helm binary"
+ print_help
+ exit 1
+fi
+
 source $THIS_DIR/verify-kustomize.sh
 if [ -z "$KUSTOMIZE" ]; then
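Review bot: The new `HELM="$(verify_helm)"` branch means this generator will download a helm binary whenever `HELM` is unset, and the usage text in the previous hunk says as much; verify-helm.sh is not in this diff, so I cannot tell whether it pins an exact version and compares a digest of the download, and if it does not, the release manifest depends on whatever the download endpoint serves that day, which is a supply-chain gap for a script used by release tooling. Please confirm it pins and verifies (ideally the same way verify-kustomize.sh does, if that one already does). Separately, `source $THIS_DIR/verify-helm.sh` and `$HELM version` are unquoted right after `THIS_DIR` was carefully quoted on the line above; `source "$THIS_DIR/verify-helm.sh"` and `"$HELM" version` keep a path with spaces from splitting. The message `--coverage has enabled verbose log` reads like an error; if coverage builds presumably log verbosely on their own, `--coverage already implies verbose logging; ignoring --verbose-log` says what is actually happening.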
@@ -130,76 +143,63 @@ elif ! $KUSTOMIZE version > /dev/null 2>&1; then exit 1 fi -KUSTOMIZATION_DIR=$THIS_DIR/../build/yamls/flow-aggregator - -TMP_DIR=$(mktemp -d $KUSTOMIZATION_DIR/overlays.XXXXXXXX) +HELM_VALUES=() -pushd $TMP_DIR > /dev/null - -BASE=../../base - -# do all ConfigMap edits -mkdir configMap && cd configMap -# user is not expected to make changes directly to flow-aggregator.conf, -# but instead to the generated YAML manifest, so our regexs need not be too robust. -cp $KUSTOMIZATION_DIR/base/conf/flow-aggregator.conf flow-aggregator.conf if [[ $FLOW_COLLECTOR != "" ]]; then - perl -i -p0e 's/ # Enable is the switch to enable exporting flow records to external flow collector.\n #enable: false/ # Enable is the switch to enable exporting flow records to external flow collector.\n enable: true/' flow-aggregator.conf - sed -i.bak -E "s/^[[:space:]]*#[[:space:]]*address[[:space:]]*:[[:space:]]\"\"+[[:space:]]*$/ address: \"$FLOW_COLLECTOR\"/" flow-aggregator.conf + HELM_VALUES+=("flowCollector.enable=true,flowCollector.address=$FLOW_COLLECTOR") fi if $CLICKHOUSE; then - perl -i -p0e 's/ # Enable is the switch to enable exporting flow records to ClickHouse.\n #enable: false/ # Enable is the switch to enable exporting flow records to ClickHouse.\n enable: true/' flow-aggregator.conf + HELM_VALUES+=("clickhouse.enable=true") fi -# unfortunately 'kustomize edit add configmap' does not support specifying 'merge' as the behavior, -# which is why we use a template kustomization file. -sed -e "s//flow-aggregator.conf/" ../../patches/kustomization.configMap.tpl.yml > kustomization.yml -$KUSTOMIZE edit add base $BASE -BASE=../configMap -cd .. - if $COVERAGE; then - mkdir coverage && cd coverage - cp $KUSTOMIZATION_DIR/patches/coverage/*.yml . - touch kustomization.yml - $KUSTOMIZE edit add base $BASE - # this runs flow-aggregator via the instrumented binary. - $KUSTOMIZE edit add patch --path startFlowAggCov.yml - BASE=../coverage - cd .. 
-fi - -mkdir $MODE && cd $MODE -touch kustomization.yml -$KUSTOMIZE edit add base $BASE -# ../../patches/$MODE may be empty so we use find and not simply cp -find ../../patches/$MODE -name \*.yml -exec cp {} . \; + HELM_VALUES+=("testing.coverage=true") +fi if [ "$MODE" == "dev" ]; then - if $COVERAGE; then - $KUSTOMIZE edit set image flow-aggregator=antrea/flow-aggregator-coverage:latest + if [[ -z "$IMG_NAME" ]]; then + if $COVERAGE; then + HELM_VALUES+=("image.repository=antrea/flow-aggregator-coverage") + fi else - $KUSTOMIZE edit set image flow-aggregator=projects.registry.vmware.com/antrea/flow-aggregator:latest + HELM_VALUES+=("image.repository=$IMG_NAME") fi - $KUSTOMIZE edit add patch --path imagePullPolicy.yml - if $VERBOSE_LOG; then - $KUSTOMIZE edit add patch --path flowAggregatorVerboseLog.yml + HELM_VALUES+=("logVerbosity=4") fi fi if [ "$MODE" == "release" ]; then - $KUSTOMIZE edit set image flow-aggregator=$IMG_NAME:$IMG_TAG + HELM_VALUES+=("image.repository=$IMG_NAME,image.tag=$IMG_TAG") fi -$KUSTOMIZE build +delim="" +HELM_VALUES_OPTION="" +for v in "${HELM_VALUES[@]}"; do + HELM_VALUES_OPTION="$HELM_VALUES_OPTION$delim$v" + delim="," +done +if [ "$HELM_VALUES_OPTION" != "" ]; then + HELM_VALUES_OPTION="--set $HELM_VALUES_OPTION" +fi -popd > /dev/null +ANTREA_CHART=$THIS_DIR/../build/charts/flow-aggregator +KUSTOMIZATION_DIR=$THIS_DIR/../build/yamls/flow-aggregator +# intermediate manifest +MANIFEST=$KUSTOMIZATION_DIR/base/manifest.yaml +# Suppress potential Helm warnings about invalid permissions for Kubeconfig file +# by throwing away related warnings. +$HELM template \ + --namespace flow-aggregator \ + $HELM_VALUES_OPTION \ + "$ANTREA_CHART"\ + 2> >(grep -v 'This is insecure' >&2)\ + > $MANIFEST + +# Add flow-aggregator Namespace resource with Kustomize +cd $KUSTOMIZATION_DIR/base +$KUSTOMIZE build -if $KEEP; then - echoerr "Kustomization file is at $TMP_DIR/$MODE/kustomization.yml" -else - rm -rf $TMP_DIR -fi +rm -rf $MANIFEST 
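Review bot: The intermediate manifest is written to a fixed path inside the tracked `build/yamls/flow-aggregator/base` directory and is only removed by the trailing `rm -rf $MANIFEST`, so if `helm template` or `kustomize build` fails, or two invocations run at the same time (as CI jobs can), a partial or stale `manifest.yaml` is left behind and silently consumed by the next `kustomize build`; the exit status of `helm template` is also never checked before Kustomize runs, unless the script prologue, which is outside this hunk, sets `set -e`. Registering the cleanup in an EXIT trap and aborting on a helm failure closes both holes, as sketched below. The `grep -v 'This is insecure'` filter is narrow enough for Helm's kubeconfig-permission warning, but it is a plain string match, so any future helm warning containing those words would disappear too; a comment naming the exact warning it targets keeps that visible. Minor: the variable named `ANTREA_CHART` here points at the flow-aggregator chart; `FLOW_AGGREGATOR_CHART`, as generate-helm-release.sh already calls it, avoids the misread.
```shell
FLOW_AGGREGATOR_CHART=$THIS_DIR/../build/charts/flow-aggregator
KUSTOMIZATION_DIR=$THIS_DIR/../build/yamls/flow-aggregator
# Intermediate manifest consumed by base/kustomization.yml; removed on every exit path,
# including failures, so a stale copy can never be picked up by a later run.
MANIFEST=$KUSTOMIZATION_DIR/base/manifest.yaml
trap 'rm -f "$MANIFEST"' EXIT
# Drop only Helm's kubeconfig file-permission warning (the line containing "This is insecure");
# 'helm template' does not need cluster access, so the warning is noise here.
if ! $HELM template \
    --namespace flow-aggregator \
    $HELM_VALUES_OPTION \
    "$FLOW_AGGREGATOR_CHART" \
    2> >(grep -v 'This is insecure' >&2) \
    > "$MANIFEST"; then
    echoerr "helm template failed; no manifest generated"
    exit 1
fi
# … unchanged: cd into the Kustomize base and run kustomize build …
```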
diff --git a/hack/release/prepare-assets.sh b/hack/release/prepare-assets.sh index 91480e4facb..c18c1710b3b 100755 --- a/hack/release/prepare-assets.sh +++ b/hack/release/prepare-assets.sh @@ -95,6 +95,6 @@ cd - # Package the Antrea chart # We need to strip the leading "v" from the version string to ensure that we use # a valid SemVer 2 version. -VERSION=${VERSION:1} ./hack/generate-helm-release.sh --out "$OUTPUT_DIR/antrea-chart.tgz" +VERSION=${VERSION:1} ./hack/generate-helm-release.sh --out "$OUTPUT_DIR" ls "$OUTPUT_DIR" | cat