Add a Helm Chart for Flow Aggregator

.github/workflows/upload_release_assets.yml

@@ -263,3 +263,12 @@ jobs:
         asset_path: ./assets/antrea-chart.tgz
         asset_name: antrea-chart.tgz
         asset_content_type: application/octet-stream
+    - name: Upload Flow Aggregator Helm chart archive
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ github.event.release.upload_url }}
+        asset_path: ./assets/flow-aggregator-chart.tgz
+        asset_name: flow-aggregator-chart.tgz
+        asset_content_type: application/octet-stream

.gitignore

@@ -12,6 +12,9 @@ bin
 # Emacs
 *~
 
+# Common backup files
+*.bak
+
 .idea/
 .vscode/
 vendor

build/charts/Makefile

@@ -8,3 +8,5 @@ helm-docs:
 	docker run --rm --volume "$(CURDIR):/helm-docs" --user=$(USERID):$(GRPID) jnorwood/helm-docs:v1.7.0
 	sed -i.bak "s/0.0.0/$(VERSION)/g" antrea/README.md # replace version placeholder
 	sed -i.bak "s/-dev-informational/--dev-informational/g" antrea/README.md # fix img.shields.io badge URLs
+	sed -i.bak "s/0.0.0/$(VERSION)/g" flow-aggregator/README.md # replace version placeholder
+	sed -i.bak "s/-dev-informational/--dev-informational/g" flow-aggregator/README.md # fix img.shields.io badge URLs

build/charts/flow-aggregator/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

build/charts/flow-aggregator/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: flow-aggregator
+type: application
+displayName: Antrea Flow Aggregator
+home: https://antrea.io/
+version: 0.0.0
+appVersion: 0.0.0
+kubeVersion: ">= 1.16.0-0"
+icon: https://raw.githubusercontent.com/antrea-io/antrea/main/docs/assets/logo/antrea_logo.svg
+description: Antrea Flow Aggregator
+keywords:
+  - Kubernetes
+  - CNCF
+  - Networking
+  - CNI
+  - Security
+  - Open vSwitch
+  - OVS
+  - Antrea
+  - Observability
+  - Flow Visibility
+  - Flow Aggregator
+sources:
+  - https://github.com/antrea-io/antrea

build/charts/flow-aggregator/README.md

@@ -0,0 +1,44 @@
+# flow-aggregator
+
+![Version: 1.7.0-dev](https://img.shields.io/badge/Version-1.7.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0-dev](https://img.shields.io/badge/AppVersion-1.7.0--dev-informational?style=flat-square)
+
+Antrea Flow Aggregator
+
+**Homepage:** <https://antrea.io/>
+
+## Source Code
+
+* <https://github.com/antrea-io/antrea>
+
+## Requirements
+
+Kubernetes: `>= 1.16.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| activeFlowRecordTimeout | string | `"60s"` | Provide the active flow record timeout as a duration string. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
+| aggregatorTransportProtocol | string | `"tls"` | Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp. |
+| apiServer.apiPort | int | `10348` | The port for the Flow Aggregator APIServer to serve on. |
+| apiServer.tlsCipherSuites | string | `""` | Comma-separated list of cipher suites that will be used by the Flow Aggregator APIservers. If empty, the default Go Cipher Suites will be used. |
+| apiServer.tlsMinVersion | string | `""` | TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. |
+| clickHouse.commitInterval | string | `"8s"` | CommitInterval is the periodical interval between batch commit of flow records to DB. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
+| clickHouse.compress | bool | `true` | Compress enables lz4 compression when committing flow records. |
+| clickHouse.connectionSecret | object | `{"password":"clickhouse_operator_password","username":"clickhouse_operator"}` | Credentials to connect to ClickHouse. They will be stored in a Secret. |
+| clickHouse.databaseURL | string | `"tcp://clickhouse-clickhouse.flow-visibility.svc:9000"` |  |
+| clickHouse.debug | bool | `false` | Debug enables debug logs from ClickHouse sql driver. |
+| clickHouse.enable | bool | `false` | Determine whether to enable exporting flow records to ClickHouse. |
+| flowAggregatorAddress | string | `"flow-aggregator.flow-aggregator.svc"` | Provide DNS name or IP address of flow aggregator for generating TLS certificate. It must match the flowCollectorAddr parameter in the antrea-agent config. |
+| flowCollector.address | string | `""` | Provide the flow collector address as string with format <IP>:<port>[:<proto>],  where proto is tcp or udp. If no L4 transport proto is given, we consider tcp as default. |
+| flowCollector.enable | bool | `false` | Determine whether to enable exporting flow records to external flow collector. |
+| flowCollector.observationDomainID | string | `""` | Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated from the persistent cluster UUID generated by Antrea. |
+| flowCollector.recordFormat | string | `"IPFIX"` | Provide format for records sent to the configured flow collector. Supported formats are IPFIX and JSON. |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"projects.registry.vmware.com/antrea/flow-aggregator","tag":"latest"}` | Container image used by Flow Aggregator. |
+| inactiveFlowRecordTimeout | string | `"90s"` | Provide the inactive flow record timeout as a duration string. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". |
+| logVerbosity | int | `0` |  |
+| recordContents.podLabels | bool | `false` | Determine whether source and destination Pod labels will be included in the flow records. |
+| testing.coverage | bool | `false` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.7.0](https://github.com/norwoodj/helm-docs/releases/v1.7.0)

build/yamls/flow-aggregator/base/conf/flow-aggregator.conf → build/charts/flow-aggregator/conf/flow-aggregator.conf

@@ -4,81 +4,85 @@
 # will be exported to the collector once the elapsed time since the last export
 # event in the flow aggregator is equal to the value of this timeout.
 # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-#activeFlowRecordTimeout: 60s
+activeFlowRecordTimeout: {{ .Values.activeFlowRecordTimeout }}
 
 # Provide the inactive flow record timeout as a duration string. This determines
 # how often the flow aggregator exports the inactive flow records to the flow
 # collector. A flow record is considered to be inactive if no matching record
 # has been received by the flow aggregator in the specified interval.
 # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-#inactiveFlowRecordTimeout: 90s
+inactiveFlowRecordTimeout: {{ .Values.inactiveFlowRecordTimeout }}
 
 # Provide the transport protocol for the flow aggregator collecting process, which is tls, tcp or udp.
-#aggregatorTransportProtocol: "tls"
+aggregatorTransportProtocol: {{ .Values.aggregatorTransportProtocol | quote }}
 
 # Provide DNS name or IP address of flow aggregator for generating TLS certificate. It must match
 # the flowCollectorAddr parameter in the antrea-agent config.
-#flowAggregatorAddress: "flow-aggregator.flow-aggregator.svc"
+flowAggregatorAddress: {{ .Values.flowAggregatorAddress | quote }}
 
 # recordContents enables configuring some fields in the flow records. Fields can
 # be excluded to reduce record size, but some features or external tooling may
 # depend on these fields.
 recordContents:
   # Determine whether source and destination Pod labels will be included in the flow records.
-  #podLabels: false
+  podLabels: {{ .Values.recordContents.podLabels }}
 
 # apiServer contains APIServer related configuration options.
 apiServer:
   # The port for the flow-aggregator APIServer to serve on.
-  #apiPort: 10348
+  apiPort: {{ .Values.apiServer.apiPort }}
 
   # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
   # https://golang.org/pkg/crypto/tls/#pkg-constants
   # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
   # prefer TLS1.3 Cipher Suites whenever possible.
-  #tlsCipherSuites:
+  tlsCipherSuites: {{ .Values.apiServer.tlsCipherSuites | quote }}
 
   # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
-  #tlsMinVersion:
+  tlsMinVersion: {{ .Values.apiServer.tlsMinVersion | quote }}
 
 # flowCollector contains external IPFIX or JSON collector related configuration options.
 flowCollector:
   # Enable is the switch to enable exporting flow records to external flow collector.
-  #enable: false
+  enable: {{ .Values.flowCollector.enable }}
 
   # Provide the flow collector address as string with format <IP>:<port>[:<proto>], where proto is tcp or udp.
   # If no L4 transport proto is given, we consider tcp as default.
-  #address: ""
+  address: {{ .Values.flowCollector.address | quote }}
 
   # Provide the 32-bit Observation Domain ID which will uniquely identify this instance of the flow
   # aggregator to an external flow collector. If omitted, an Observation Domain ID will be generated
   # from the persistent cluster UUID generated by Antrea. Failing that (e.g. because the cluster UUID
   # is not available), a value will be randomly generated, which may vary across restarts of the flow
   # aggregator.
+  {{- if .Values.flowCollector.observationDomainID }}
+  observationDomainID: {{ .Values.flowCollector.observationDomainID }}
+  {{- else }}
   #observationDomainID:
+  {{- end }}
 
   # Provide format for records sent to the configured flow collector.
   # Supported formats are IPFIX and JSON.
-  #recordFormat: "IPFIX"
+  recordFormat: {{ .Values.flowCollector.recordFormat | quote }}
 
 # clickHouse contains ClickHouse related configuration options.
 clickHouse:
   # Enable is the switch to enable exporting flow records to ClickHouse.
-  #enable: false
+  enable: {{ .Values.clickHouse.enable }}
 
   # Database is the name of database where Antrea "flows" table is created.
-  #database: "default"
+  database: "default"
 
   # DatabaseURL is the url to the database. TCP protocol is required.
-  #databaseURL: "tcp://clickhouse-clickhouse.flow-visibility.svc:9000"
+  databaseURL: {{ .Values.clickHouse.databaseURL | quote }}
 
   # Debug enables debug logs from ClickHouse sql driver.
-  #debug: false
+  debug: {{ .Values.clickHouse.debug }}
 
   # Compress enables lz4 compression when committing flow records.
-  #compress: true
+  compress: {{ .Values.clickHouse.compress }}
 
   # CommitInterval is the periodical interval between batch commit of flow records to DB.
   # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
   # The minimum interval is 1s based on ClickHouse documentation for best performance.
-  #commitInterval: "8s"
+  commitInterval: {{ .Values.clickHouse.commitInterval | quote }}

build/charts/flow-aggregator/templates/NOTES.txt

@@ -0,0 +1,5 @@
+The Antrea Flow Aggregator has been successfully installed
+
+You are using version {{ .Chart.Version }}
+
+For the Antrea documentation, please visit https://antrea.io

build/charts/flow-aggregator/templates/clusterrole.yaml

@@ -0,0 +1,38 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-aggregator-role
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["flow-aggregator-ca"]
+    verbs: ["get", "update"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "list", "watch"]
+  # This is the content of built-in role kube-system/extension-apiserver-authentication-reader.
+  # But it doesn't have list/watch permission before K8s v1.17.0 so the extension apiserver (antrea-agent) will
+  # have permission issue after bumping up apiserver library to a version that supports dynamic authentication.
+  # See https://github.com/kubernetes/kubernetes/pull/85375
+  # To support K8s clusters older than v1.17.0, we grant the required permissions directly instead of relying on
+  # the extension-apiserver-authentication role.
+  - apiGroups: [""]
+    resourceNames: ["extension-apiserver-authentication"]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["flow-aggregator-client-tls"]
+    verbs: ["get", "update"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+  - apiGroups: [ "" ]
+    resources: [ "configmaps" ]
+    resourceNames: [ "flow-aggregator-configmap" ]
+    verbs: [ "update" ]

build/charts/flow-aggregator/templates/clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-aggregator-cluster-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: flow-aggregator
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: flow-aggregator-role
+  apiGroup: rbac.authorization.k8s.io

build/charts/flow-aggregator/templates/configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: flow-aggregator-configmap
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: flow-aggregator
+data:
+{{ tpl (.Files.Glob "conf/*").AsConfig . | indent 2 | replace "  \n" "\n" }}

build/charts/flow-aggregator/templates/deployment.yaml

@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-aggregator
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: flow-aggregator
+  template:
+    metadata:
+      labels:
+        app: flow-aggregator
+    spec:
+      containers:
+      - name: flow-aggregator
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if .Values.testing.coverage }}
+        command: [ "/bin/sh" ]
+        args: [ "-c", "flow-aggregator-coverage -test.run=TestBincoverRunMain -test.coverprofile=flow-aggregator.cov.out -args-file=/flow-aggregator-arg-file; while true; do sleep 5 & wait $!; done" ]
+        {{- else }}
+        args:
+        - --config
+        - /etc/flow-aggregator/flow-aggregator.conf
+        - --logtostderr=false
+        - --log_dir=/var/log/antrea/flow-aggregator
+        - --alsologtostderr
+        - --log_file_max_size=100
+        - --log_file_max_num=4
+        {{- if .Values.logVerbosity }}
+        - "--v={{ .Values.logVerbosity }}"
+        {{- end }}
+        {{- end }}
+        env:
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: CH_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: clickhouse-secret
+                key: username
+          - name: CH_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: clickhouse-secret
+                key: password
+          - name: FA_CONFIG_MAP_NAME
+            value: flow-aggregator-configmap
+        ports:
+          - containerPort: 4739
+        volumeMounts:
+        - mountPath: /etc/flow-aggregator
+          name: flow-aggregator-config
+          readOnly: true
+        - mountPath: /var/log/antrea/flow-aggregator
+          name: host-var-log-antrea-flow-aggregator
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/arch: amd64
+      serviceAccountName: flow-aggregator
+      volumes:
+      - name: flow-aggregator-config
+        configMap:
+          name: flow-aggregator-configmap
+      - name: host-var-log-antrea-flow-aggregator
+        hostPath:
+          path: /var/log/antrea/flow-aggregator
+          type: DirectoryOrCreate

build/charts/flow-aggregator/templates/id-reader-clusterrole.yaml

@@ -0,0 +1,14 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    app: flow-aggregator
+  name: flow-aggregator-cluster-id-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: antrea-cluster-identity-reader
+subjects:
+  - kind: ServiceAccount
+    name: flow-aggregator
+    namespace: {{ .Release.Namespace }}