[#7231] Add support for multi flow exporter targets via CRDs.

This change uses the `FlowExporterDestination` CRD to determine which
Flow Aggregator to send flows to. The logic for polling inside the
ConntrackConnectionStore is pulled out and the connections are forwarded
to the different "destinations". The destinations if using gRPC or TLS
with IPFIX will no longer translate the <namespace>/<service>:<port> into
the dns address. It is the responsibility of whoever creates the resource
to properly set the server name. For the static destination it will be
populated automatically.

Additionally, a static destination will be created based on the Antrea
Agent ConfigMap. The `flowExporter.enable` key in the Antrea Agent config
is used to turn on/off the static destination. From the config, only the
`pollInterval` and `staleConnectionTimeout` are shared between all the
destinations.

Signed-off-by: Andrew Su <[email protected]>

Author: andrew-su

build/charts/antrea/README.md

@@ -99,7 +99,7 @@ Kubernetes: `>= 1.23.0-0`
 | enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. |
 | featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. |
 | flowExporter.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. |
-| flowExporter.enable | bool | `false` | Enable the flow exporter feature. |
+| flowExporter.enable | bool | `false` | Enable the static flow exporter. |
 | flowExporter.flowCollectorAddr | string | `"flow-aggregator/flow-aggregator:14739:grpc"` | IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>]. If the collector is running in-cluster as a Service, set <HOST> to <Service namespace>/<Service name>. |
 | flowExporter.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. |
 | flowExporter.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. |

build/charts/antrea/conf/antrea-agent.conf

@@ -254,10 +254,10 @@ enablePrometheusMetrics: {{ .Values.agent.enablePrometheusMetrics }}
 
 flowExporter:
   {{- with .Values.flowExporter }}
-  # Enable FlowExporter, a feature used to export polled conntrack connections as
-  # IPFIX flow records from each agent to a configured collector. To enable this
-  # feature, you need to set "enable" to true, and ensure that the FlowExporter
-  # feature gate is also enabled.
+  # Enable a flow exporter destination with the configuration specified here.
+  # This can be disabled which means only `FlowExporterDestination` resources
+  # will be considered for exporting. The FlowExporter feature flag determines
+  # whether FlowExporter is enabled.
   enable: {{ .enable }}
   # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
   # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If

build/charts/antrea/values.yaml

@@ -422,7 +422,7 @@ controller:
         memory: "100Mi"
 
 flowExporter:
-  # -- Enable the flow exporter feature.
+  # -- Enable the static flow exporter.
   enable: false
   # -- IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
   # If the collector is running in-cluster as a Service, set <HOST> to

build/yamls/antrea-aks.yml

@@ -4455,10 +4455,10 @@ data:
     enablePrometheusMetrics: true
 
     flowExporter:
-      # Enable FlowExporter, a feature used to export polled conntrack connections as
-      # IPFIX flow records from each agent to a configured collector. To enable this
-      # feature, you need to set "enable" to true, and ensure that the FlowExporter
-      # feature gate is also enabled.
+      # Enable a flow exporter destination with the configuration specified here.
+      # This can be disabled which means only `FlowExporterDestination` resources
+      # will be considered for exporting. The FlowExporter feature flag determines
+      # whether FlowExporter is enabled.
       enable: false
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
@@ -5725,7 +5725,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 19cea71ebb0d852621308d71c5ee31a965d1fd7c0bc6a4c04bd09aa7ac2c1687
+        checksum/config: eed9d539ae0688b75c0c1c470ba33ef49ada415c7c6736d2bbf791100694b2f6
       labels:
         app: antrea
         component: antrea-agent
@@ -5973,7 +5973,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 19cea71ebb0d852621308d71c5ee31a965d1fd7c0bc6a4c04bd09aa7ac2c1687
+        checksum/config: eed9d539ae0688b75c0c1c470ba33ef49ada415c7c6736d2bbf791100694b2f6
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -4451,10 +4451,10 @@ data:
     enablePrometheusMetrics: true
 
     flowExporter:
-      # Enable FlowExporter, a feature used to export polled conntrack connections as
-      # IPFIX flow records from each agent to a configured collector. To enable this
-      # feature, you need to set "enable" to true, and ensure that the FlowExporter
-      # feature gate is also enabled.
+      # Enable a flow exporter destination with the configuration specified here.
+      # This can be disabled which means only `FlowExporterDestination` resources
+      # will be considered for exporting. The FlowExporter feature flag determines
+      # whether FlowExporter is enabled.
       enable: false
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
@@ -5721,7 +5721,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 19cea71ebb0d852621308d71c5ee31a965d1fd7c0bc6a4c04bd09aa7ac2c1687
+        checksum/config: eed9d539ae0688b75c0c1c470ba33ef49ada415c7c6736d2bbf791100694b2f6
       labels:
         app: antrea
         component: antrea-agent
@@ -5970,7 +5970,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 19cea71ebb0d852621308d71c5ee31a965d1fd7c0bc6a4c04bd09aa7ac2c1687
+        checksum/config: eed9d539ae0688b75c0c1c470ba33ef49ada415c7c6736d2bbf791100694b2f6
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -4451,10 +4451,10 @@ data:
     enablePrometheusMetrics: true
 
     flowExporter:
-      # Enable FlowExporter, a feature used to export polled conntrack connections as
-      # IPFIX flow records from each agent to a configured collector. To enable this
-      # feature, you need to set "enable" to true, and ensure that the FlowExporter
-      # feature gate is also enabled.
+      # Enable a flow exporter destination with the configuration specified here.
+      # This can be disabled which means only `FlowExporterDestination` resources
+      # will be considered for exporting. The FlowExporter feature flag determines
+      # whether FlowExporter is enabled.
       enable: false
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
@@ -5712,7 +5712,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 850a3f0b6a90ccc8380a7c5681a989b0d0204183d289c8d75fd76eab8cd1161a
+        checksum/config: 71cd66c19196855acf9ced6ce83d6ddf99250fa270d934364cfd3772ecfc7fb4
       labels:
         app: antrea
         component: antrea-agent
@@ -5958,7 +5958,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 850a3f0b6a90ccc8380a7c5681a989b0d0204183d289c8d75fd76eab8cd1161a
+        checksum/config: 71cd66c19196855acf9ced6ce83d6ddf99250fa270d934364cfd3772ecfc7fb4
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -4464,10 +4464,10 @@ data:
     enablePrometheusMetrics: true
 
     flowExporter:
-      # Enable FlowExporter, a feature used to export polled conntrack connections as
-      # IPFIX flow records from each agent to a configured collector. To enable this
-      # feature, you need to set "enable" to true, and ensure that the FlowExporter
-      # feature gate is also enabled.
+      # Enable a flow exporter destination with the configuration specified here.
+      # This can be disabled which means only `FlowExporterDestination` resources
+      # will be considered for exporting. The FlowExporter feature flag determines
+      # whether FlowExporter is enabled.
       enable: false
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
@@ -5725,7 +5725,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: bd3bfe0a3cf17f563005ab065f7a981e07285271165795d9f1ab81bb9c0dc1e3
+        checksum/config: 1c72cbaf56a90e604a9cd0f4e2f3a60056bf33266d5743f028b92a3f3d6cfb06
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -6017,7 +6017,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: bd3bfe0a3cf17f563005ab065f7a981e07285271165795d9f1ab81bb9c0dc1e3
+        checksum/config: 1c72cbaf56a90e604a9cd0f4e2f3a60056bf33266d5743f028b92a3f3d6cfb06
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -4451,10 +4451,10 @@ data:
     enablePrometheusMetrics: true
 
     flowExporter:
-      # Enable FlowExporter, a feature used to export polled conntrack connections as
-      # IPFIX flow records from each agent to a configured collector. To enable this
-      # feature, you need to set "enable" to true, and ensure that the FlowExporter
-      # feature gate is also enabled.
+      # Enable a flow exporter destination with the configuration specified here.
+      # This can be disabled which means only `FlowExporterDestination` resources
+      # will be considered for exporting. The FlowExporter feature flag determines
+      # whether FlowExporter is enabled.
       enable: false
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
@@ -5712,7 +5712,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: ce43af869242f2d5f0787dd0b9643a42f005e0426c4bfd7e3f38abda8b7718bc
+        checksum/config: 3dc3c5d6a6f96bb9c892fe7ee131eccf08bf4bcd5a785a80c1277aa661890492
       labels:
         app: antrea
         component: antrea-agent
@@ -5958,7 +5958,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: ce43af869242f2d5f0787dd0b9643a42f005e0426c4bfd7e3f38abda8b7718bc
+        checksum/config: 3dc3c5d6a6f96bb9c892fe7ee131eccf08bf4bcd5a785a80c1277aa661890492
       labels:
         app: antrea
         component: antrea-controller

ci/kind/test-e2e-kind.sh

@@ -64,6 +64,18 @@ FLOWAGGREGATOR_YML_CMD="$THIS_DIR/../../hack/generate-manifest-flow-aggregator.s
 FLOW_VISIBILITY_HELM_VALUES="$THIS_DIR/values-flow-exporter.yml"
 CH_OPERATOR_YML="$THIS_DIR/../../build/yamls/clickhouse-operator-install-bundle.yml"
 FLOW_VISIBILITY_CHART="$THIS_DIR/../../test/e2e/charts/flow-visibility"
+KUSTOMIZATION_DIR="$THIS_DIR/../../test/e2e/kustomize"
+
+if [ -z "$KUSTOMIZE" ]; then
+    KUSTOMIZE=$(
+      source $THIS_DIR/../../hack/verify-kustomize.sh
+      verify_kustomize
+    )
+elif ! $KUSTOMIZE version > /dev/null 2>&1; then
+    echoerr "$KUSTOMIZE does not appear to be a valid kustomize binary"
+    print_help
+    exit 1
+fi
 
 function quit {
   result=$?
@@ -419,23 +431,30 @@ function run_test {
 
   if $flow_visibility; then
       timeout="45m"
-      flow_visibility_args="-run=TestFlowAggregator --flow-visibility"
+      flow_visibility_args="-run=^(TestFlowExporter|TestFlowAggregator) --flow-visibility"
       # This is needed so that the FlowAggregator is already configured to mount the Secrets
       # necessary for (m)TLS testing. The Secret names must match the ones expected by the e2e tests.
-      flow_visibility_manifest_args="--extra-helm-values flowCollector.tls.clientSecretName=ipfix-client-cert,flowCollector.tls.caSecretName=ipfix-server-ca"
+      coverage_flag=""
       if $coverage; then
-          $FLOWAGGREGATOR_YML_CMD --coverage $flow_visibility_manifest_args | docker exec -i kind-control-plane dd of=/root/flow-aggregator-coverage.yml
-      else
-          $FLOWAGGREGATOR_YML_CMD $flow_visibility_manifest_args | docker exec -i kind-control-plane dd of=/root/flow-aggregator.yml
+        coverage_flag="--coverage"
       fi
+      flow_visibility_manifest_default_args=("--extra-helm-values" "flowCollector.tls.clientSecretName=ipfix-client-cert,flowCollector.tls.caSecretName=ipfix-server-ca")
+      $FLOWAGGREGATOR_YML_CMD "${flow_visibility_manifest_default_args[@]}" ${coverage_flag} | docker exec -i kind-control-plane dd of=/root/flow-aggregator.yml
+      $FLOWAGGREGATOR_YML_CMD --extra-helm-values "aggregatorTransportProtocol=tcp" ${coverage_flag} > "$KUSTOMIZATION_DIR"/multi-flow-aggregator/base/manifest.yaml
+      $KUSTOMIZE build "$KUSTOMIZATION_DIR"/multi-flow-aggregator/overlays/flow-aggregator-1 | docker exec -i kind-control-plane dd of=/root/flow-aggregator-1.yml
+      $KUSTOMIZE build "$KUSTOMIZATION_DIR"/multi-flow-aggregator/overlays/flow-aggregator-2 | docker exec -i kind-control-plane dd of=/root/flow-aggregator-2.yml
+      rm "$KUSTOMIZATION_DIR"/multi-flow-aggregator/base/manifest.yaml
+
       $HELM template "$FLOW_VISIBILITY_CHART"  | docker exec -i kind-control-plane dd of=/root/flow-visibility.yml
       $HELM template "$FLOW_VISIBILITY_CHART" --set "secureConnection.enable=true" | docker exec -i kind-control-plane dd of=/root/flow-visibility-tls.yml
 
-      curl -o $CH_OPERATOR_YML https://raw.githubusercontent.com/Altinity/clickhouse-operator/release-0.21.0/deploy/operator/clickhouse-operator-install-bundle.yaml
-      sed -i -e "s|\"image\": \"clickhouse/clickhouse-server:22.3\"|\"image\": \"antrea/clickhouse-server:23.4\"|g" $CH_OPERATOR_YML
-      sed -i -e "s|image: altinity/clickhouse-operator:0.21.0|image: antrea/clickhouse-operator:0.21.0|g" $CH_OPERATOR_YML
-      sed -i -e "s|image: altinity/metrics-exporter:0.21.0|image: antrea/metrics-exporter:0.21.0|g" $CH_OPERATOR_YML
-      cat $CH_OPERATOR_YML | docker exec -i kind-control-plane dd of=/root/clickhouse-operator-install-bundle.yml
+      curl -o "$CH_OPERATOR_YML" https://raw.githubusercontent.com/Altinity/clickhouse-operator/release-0.21.0/deploy/operator/clickhouse-operator-install-bundle.yaml
+      sed -i -e "s|\"image\": \"clickhouse/clickhouse-server:22.3\"|\"image\": \"antrea/clickhouse-server:23.4\"|g" "$CH_OPERATOR_YML"
+      sed -i -e "s|image: altinity/clickhouse-operator:0.21.0|image: antrea/clickhouse-operator:0.21.0|g" "$CH_OPERATOR_YML"
+      sed -i -e "s|image: altinity/metrics-exporter:0.21.0|image: antrea/metrics-exporter:0.21.0|g" "$CH_OPERATOR_YML"
+      cat "$CH_OPERATOR_YML" | docker exec -i kind-control-plane dd of=/root/clickhouse-operator-install-bundle.yml
+
+      printf '%s' "$flow_visibility_protocol" | docker exec -i kind-control-plane dd of=/root/test-flow-visibility-protocol.txt
   fi
 
   if [[ "$kube_proxy_mode" == "none" ]]; then

cmd/antrea-agent/agent.go

@@ -132,6 +132,7 @@ func run(o *Options) error {
 	endpointSliceInformer := informerFactory.Discovery().V1().EndpointSlices()
 	namespaceInformer := informerFactory.Core().V1().Namespaces()
 	nodeLatencyMonitorInformer := crdInformerFactory.Crd().V1alpha1().NodeLatencyMonitors()
+	flowExporterDestinationInformer := crdInformerFactory.Crd().V1alpha1().FlowExporterDestinations()
 
 	// Create Antrea Clientset for the given config.
 	antreaClientProvider, err := client.NewAntreaClientProvider(o.config.AntreaClientConnection, k8sClient)
@@ -160,7 +161,7 @@ func run(o *Options) error {
 	enableMulticlusterGW := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableGateway
 	_, multiclusterEncryptionMode := config.GetTrafficEncryptionModeFromStr(o.config.Multicluster.TrafficEncryptionMode)
 	enableMulticlusterNP := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableStretchedNetworkPolicy
-	enableFlowExporter := features.DefaultFeatureGate.Enabled(features.FlowExporter) && o.config.FlowExporter.Enable
+	enableFlowExporter := features.DefaultFeatureGate.Enabled(features.FlowExporter)
 	var nodeIPTracker *nodeip.Tracker
 	if o.nodeType == config.K8sNode {
 		nodeIPTracker = nodeip.NewTracker(nodeInformer)
@@ -714,37 +715,39 @@ func run(o *Options) error {
 	if enableFlowExporter {
 		podStore = objectstore.NewPodStore(localPodInformer.Get())
 		flowExporterOptions := &flowexporteroptions.FlowExporterOptions{
-			FlowCollectorAddr:      o.flowCollectorAddr,
-			FlowCollectorProto:     o.flowCollectorProto,
-			ActiveFlowTimeout:      o.activeFlowTimeout,
-			IdleFlowTimeout:        o.idleFlowTimeout,
-			StaleConnectionTimeout: o.staleConnectionTimeout,
-			PollInterval:           o.pollInterval,
-			ConnectUplinkToBridge:  connectUplinkToBridge,
-			ProtocolFilter:         o.config.FlowExporter.ProtocolFilter,
+			EnableStaticDestination: o.config.FlowExporter.Enable,
+			FlowCollectorAddr:       o.flowCollectorAddr,
+			FlowCollectorProto:      o.flowCollectorProto,
+			ActiveFlowTimeout:       o.activeFlowTimeout,
+			IdleFlowTimeout:         o.idleFlowTimeout,
+			StaleConnectionTimeout:  o.staleConnectionTimeout,
+			PollInterval:            o.pollInterval,
+			ConnectUplinkToBridge:   connectUplinkToBridge,
+			ProtocolFilter:          o.config.FlowExporter.ProtocolFilter,
 		}
 		flowExporter, err = flowexporter.NewFlowExporter(
-			podStore,
-			proxyQuerier,
 			k8sClient,
+			flowExporterDestinationInformer,
+			nodeConfig,
 			nodeRouteController,
+			podStore,
+			proxyQuerier,
+			egressController,
+			networkPolicyController,
+			podNetworkWait,
 			networkConfig.TrafficEncapMode,
-			nodeConfig,
 			v4Enabled,
 			v6Enabled,
 			serviceCIDRNet,
 			serviceCIDRNetv6,
 			ovsDatapathType,
 			o.enableAntreaProxy,
-			networkPolicyController,
 			flowExporterOptions,
-			egressController,
-			podNetworkWait,
 		)
 		if err != nil {
 			return fmt.Errorf("error when creating IPFIX flow exporter: %v", err)
 		}
-		networkPolicyController.SetDenyConnStore(flowExporter.GetDenyConnStore())
+		networkPolicyController.SetPublisher(flowExporter.GetDenyConnPublisher())
 	}
 
 	log.StartLogFileNumberMonitor(stopCh)