Evolve AntreaProxy with framework and feature updates

This commit brings AntreaProxy:

- Add `serviceProxyHealthy` field to Service health check response in AntreaProxy.
- Add healthz server serving on port 10256 to AntreaProxy, which is a replacement
  of kube-proxy health server serving on 10256.
- Add support of feature gate PreferSameTrafficDistribution in AntreaProxy. Refer
  to this https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/3015-prefer-same-node.
- Remove Endpoints API support in AntreaProxy.
- Align the code `third_party/proxy` with K8s 1.33.1.

Signed-off-by: Hongliang Liu <[email protected]>

Author: hongliangl

build/charts/antrea/README.md

@@ -61,6 +61,7 @@ Kubernetes: `>= 1.23.0-0`
 | antreaProxy.nodePortAddresses | list | `[]` | String array of values which specifies the host IPv4/IPv6 addresses for NodePort. By default, all host addresses are used. |
 | antreaProxy.proxyAll | bool | `false` | Proxy all Service traffic, for all Service types, regardless of where it comes from. |
 | antreaProxy.proxyLoadBalancerIPs | bool | `true` | When set to false, AntreaProxy no longer load-balances traffic destined to the External IPs of LoadBalancer Services. |
+| antreaProxy.serviceHealthCheckServerBindAddress | string | `""` | The value of the IP address and the port on which AntreaProxy health server listens when proxyAll is enabled. This server is functionally equivalent to the one of kube-proxy. If it is not specified, it will be automatically set to "0.0.0.0:10256". |
 | antreaProxy.serviceProxyName | string | `""` | The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set, then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set, then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label, but ignore Services with the label no matter what is the value. |
 | antreaProxy.skipServices | list | `[]` | List of Services which should be ignored by AntreaProxy. |
 | auditLogging.compress | bool | `true` | Compress enables gzip compression on rotated files. |

build/charts/antrea/conf/antrea-agent.conf

@@ -6,6 +6,10 @@ featureGates:
 # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AllBeta" "default" false) }}
 
+# Enable PreferSameTrafficDistribution in AntreaProxy, allowing usage of the values PreferSameZone and PreferSameNode in
+# the Service trafficDistribution field.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "PreferSameTrafficDistribution" "default" false) }}
+
 # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
 # be enabled, otherwise this flag will not take effect.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "CleanupStaleUDPSvcConntrack" "default" true) }}
@@ -427,6 +431,11 @@ antreaProxy:
   # enabled. This avoids race conditions between kube-proxy and Antrea Proxy, with both trying to
   # bind to the same address, when proxyAll is enabled while kube-proxy has not been removed.
   disableServiceHealthCheckServer: {{ .disableServiceHealthCheckServer }}
+  # The value of the IP address and the port on which AntreaProxy health server listens when proxyAll is enabled. This
+  # server is functionally equivalent to the one of kube-proxy. If it is not specified, it will be automatically set
+  # to "0.0.0.0:10256".
+  serviceHealthCheckServerBindAddress: {{ .serviceHealthCheckServerBindAddress | quote }}
+
 {{- end }}
 
 # IPsec tunnel related configurations.

build/charts/antrea/values.yaml

@@ -165,6 +165,10 @@ antreaProxy:
   # and Antrea Proxy, with both trying to bind to the same address, when proxyAll
   # is enabled while kube-proxy has not been removed.
   disableServiceHealthCheckServer: false
+  # -- The value of the IP address and the port on which AntreaProxy health server listens when proxyAll is enabled. This
+  # server is functionally equivalent to the one of kube-proxy. If it is not specified, it will be automatically set
+  # to "0.0.0.0:10256".
+  serviceHealthCheckServerBindAddress: ""
 
 nodeIPAM:
   # -- Enable Node IPAM in Antrea

cmd/antrea-agent/agent.go

@@ -454,11 +454,6 @@ func run(o *Options) error {
 	var proxyServer *proxy.ProxyServer
 	if o.enableAntreaProxy {
 		proxyServer, err = proxy.NewProxyServer(nodeConfig.Name,
-			k8sClient,
-			serviceInformer,
-			endpointsInformer,
-			endpointSliceInformer,
-			nodeInformer,
 			ofClient,
 			routeClient,
 			nodeIPTracker,
@@ -474,6 +469,7 @@ func run(o *Options) error {
 		if err != nil {
 			return fmt.Errorf("error when creating proxyServer: %v", err)
 		}
+		proxyServer.Initialize(ctx, serviceInformer, endpointSliceInformer, nodeInformer)
 	}
 
 	// We pick a time interval for rule deletion in the async rule cache (part of the

cmd/antrea-agent/options.go

@@ -260,6 +260,19 @@ func (o *Options) validateAntreaProxyConfig(encapMode config.TrafficEncapModeTyp
 				return fmt.Errorf("invalid NodePort IP address `%s`: %w", nodePortAddress, err)
 			}
 		}
+
+		if addr := o.config.AntreaProxy.ServiceHealthCheckServerBindAddress; addr != "" {
+			hostStr, portStr, err := net.SplitHostPort(addr)
+			if err != nil {
+				return fmt.Errorf("invalid health server bind address %q: %v", addr, err)
+			}
+			if net.ParseIP(hostStr) == nil {
+				return fmt.Errorf("invalid IP address in health server bind address: %q", hostStr)
+			}
+			if err := validation.ValidatePortString(portStr); err != nil {
+				return fmt.Errorf("invalid port in health server bind address: %q: %v", portStr, err)
+			}
+		}
 	}
 
 	ok, defaultLoadBalancerMode := config.GetLoadBalancerModeFromStr(o.config.AntreaProxy.DefaultLoadBalancerMode)

cmd/antrea-agent/options_test.go

@@ -136,6 +136,28 @@ func TestOptionsValidateAntreaProxyConfig(t *testing.T) {
 			},
 			expectedErr: "LoadBalancerMode drs is unknown",
 		},
+		{
+			name:             "invalid IP in ServiceHealthCheckServerBindAddress",
+			trafficEncapMode: config.TrafficEncapModeEncap,
+			antreaProxyConfig: agentconfig.AntreaProxyConfig{
+				Enable:                              ptr.To(true),
+				DefaultLoadBalancerMode:             config.LoadBalancerModeNAT.String(),
+				ProxyAll:                            true,
+				ServiceHealthCheckServerBindAddress: "1.1.1.1.1:10256",
+			},
+			expectedErr: "invalid IP address in health server bind address: \"1.1.1.1.1\"",
+		},
+		{
+			name:             "invalid port in ServiceHealthCheckServerBindAddress",
+			trafficEncapMode: config.TrafficEncapModeEncap,
+			antreaProxyConfig: agentconfig.AntreaProxyConfig{
+				Enable:                              ptr.To(true),
+				DefaultLoadBalancerMode:             config.LoadBalancerModeNAT.String(),
+				ProxyAll:                            true,
+				ServiceHealthCheckServerBindAddress: "1.1.1.1:102561",
+			},
+			expectedErr: "invalid port in health server bind address: \"102561\": port 102561 is out of range, valid range is 1-65535",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {