Evolve AntreaProxy with framework and feature updates

This commit brings AntreaProxy:

- Add `serviceProxyHealthy` field to Service health check response in AntreaProxy.
- Add healthz server serving on port 10352 to AntreaProxy, which is a replacement
  of kube-proxy health server serving on 10256.
- Add support of feature gate PreferSameTrafficDistribution in AntreaProxy. Refer
  to this https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/3015-prefer-same-node.
- Remove Endpoints API support in AntreaProxy.
- Align the code `third_party/proxy` with K8s 1.33.1.

Signed-off-by: Hongliang Liu <[email protected]>

Author: hongliangl

build/charts/Makefile

@@ -6,7 +6,10 @@ VERSION := $(shell head -n 1 ../../VERSION | cut -c 2-)
 .PHONY: helm-docs
 helm-docs:
 	docker run --rm --volume "$(CURDIR):/helm-docs" --user=$(USERID):$(GRPID) jnorwood/helm-docs:v1.14.2
-	sed -i.bak "s/0\.0\.0/$(VERSION)/g" antrea/README.md # replace version placeholder
+	sed -i.bak "s/0.0.0.0:10352/placeholder/g" antrea/README.md # avoid "0.0.0" is replaced by $VERSION
+	sed -i.bak "s/0.0.0/$(VERSION)/g" antrea/README.md # replace version placeholder
+	sed -i.bak "s/placeholder/0.0.0.0:10352/g" antrea/README.md
 	sed -i.bak "s/-dev-informational/--dev-informational/g" antrea/README.md # fix img.shields.io badge URLs
-	sed -i.bak "s/0\.0\.0/$(VERSION)/g" flow-aggregator/README.md # replace version placeholder
-	sed -i.bak "s/-dev-informational/--dev-informational/g" flow-aggregator/README.md # fix img.shields.io badge URLs
+	sed -i.bak "s/0.0.0/$(VERSION)/g" flow-aggregator/README.md # replace version placeholder
+	sed -i.bak "s/0.0.0/$(VERSION)/g" antrea-windows/README.md # replace version placeholder
+	sed -i.bak "s/-dev-informational/--dev-informational/g" flow-aggregator/README.md # fix img.shields.io badge URLs

build/charts/antrea-windows/README.md

@@ -1,6 +1,6 @@
 # antrea-windows
 
-![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 2.5.0-dev](https://img.shields.io/badge/Version-2.5.0-dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 Kubernetes networking based on Open vSwitch for Windows Nodes
 

build/charts/antrea/README.md

@@ -61,6 +61,7 @@ Kubernetes: `>= 1.19.0-0`
 | antreaProxy.nodePortAddresses | list | `[]` | String array of values which specifies the host IPv4/IPv6 addresses for NodePort. By default, all host addresses are used. |
 | antreaProxy.proxyAll | bool | `false` | Proxy all Service traffic, for all Service types, regardless of where it comes from. |
 | antreaProxy.proxyLoadBalancerIPs | bool | `true` | When set to false, AntreaProxy no longer load-balances traffic destined to the External IPs of LoadBalancer Services. |
+| antreaProxy.serviceHealthCheckServerBindAddress | string | `""` | The value of the IP address and the port that the AntreaProxy health server binds to. If it is not specified, it will be automatically set to "0.0.0.0:10352" for IPv4-only clusters, or "[::]:10352" for IPv6-only and dual-stack clusters. Note that "[::]:10352" may act as either IPv6-only or dual-stack depending on the system setting of IPV6_V6ONLY (sysctl: net.ipv6.bindv6only). |
 | antreaProxy.serviceProxyName | string | `""` | The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set, then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set, then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label, but ignore Services with the label no matter what is the value. |
 | antreaProxy.skipServices | list | `[]` | List of Services which should be ignored by AntreaProxy. |
 | auditLogging.compress | bool | `true` | Compress enables gzip compression on rotated files. |

build/charts/antrea/conf/antrea-agent.conf

@@ -6,6 +6,10 @@ featureGates:
 # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AllBeta" "default" false) }}
 
+# Enable PreferSameTrafficDistribution in AntreaProxy, allowing usage of the values PreferSameZone and PreferSameNode in
+# the Service trafficDistribution field.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "PreferSameTrafficDistribution" "default" false) }}
+
 # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
 # be enabled, otherwise this flag will not take effect.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "CleanupStaleUDPSvcConntrack" "default" true) }}
@@ -425,6 +429,12 @@ antreaProxy:
   # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
   # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
   disableServiceHealthCheckServer: {{ .disableServiceHealthCheckServer }}
+  # The value of the IP address and the port that the AntreaProxy health server binds to. If it is not specified,
+  # it will be automatically set to "0.0.0.0:10352" for IPv4-only clusters, or "[::]10352" for IPv6-only and dual-stack
+  # clusters. Note that "[::]10352" may act as either IPv6-only or dual-stack depending on the system setting of
+  # IPV6_V6ONLY (sysctl: net.ipv6.bindv6only).
+  serviceHealthCheckServerBindAddress: {{ .serviceHealthCheckServerBindAddress | quote }}
+
 {{- end }}
 
 # IPsec tunnel related configurations.

build/charts/antrea/values.yaml

@@ -165,6 +165,11 @@ antreaProxy:
   # and Antrea proxy, with both trying to bind to the same addresses, when proxyAll
   # is enabled while kube-proxy has not been removed.
   disableServiceHealthCheckServer: false
+  # -- The value of the IP address and the port that the AntreaProxy health server binds to. If it is not specified,
+  # it will be automatically set to "0.0.0.0:10352" for IPv4-only clusters, or "[::]:10352" for IPv6-only and dual-stack
+  # clusters. Note that "[::]:10352" may act as either IPv6-only or dual-stack depending on the system setting of
+  # IPV6_V6ONLY (sysctl: net.ipv6.bindv6only).
+  serviceHealthCheckServerBindAddress: ""
 
 nodeIPAM:
   # -- Enable Node IPAM in Antrea

build/charts/flow-aggregator/README.md

@@ -77,7 +77,7 @@ Kubernetes: `>= 1.19.0-0`
 | s3Uploader.bucketPrefix | string | `""` | BucketPrefix is the prefix ("folder") under which flow records will be uploaded. |
 | s3Uploader.compress | bool | `true` | Compress enables gzip compression when uploading files to S3. |
 | s3Uploader.enable | bool | `false` | Determine whether to enable exporting flow records to AWS S3. |
-| s3Uploader.maxRecordsPerFile | int | `1000000` | MaxRecordsPerFile is the maximum number of records per file uploaded. It is not recommended to change this value. |
+| s3Uploader.maxRecordsPerFile | int | `12.5.0-dev0` | MaxRecordsPerFile is the maximum number of records per file uploaded. It is not recommended to change this value. |
 | s3Uploader.recordFormat | string | `"CSV"` | RecordFormat defines the format of the flow records uploaded to S3. Only "CSV" is supported at the moment. |
 | s3Uploader.region | string | `"us-west-2"` | Region is used as a "hint" to get the region in which the provided bucket is located. An error will occur if the bucket does not exist in the AWS partition the region hint belongs to. |
 | s3Uploader.uploadInterval | string | `"60s"` | UploadInterval is the duration between each file upload to S3. |

build/yamls/antrea-aks.yml

@@ -4139,6 +4139,10 @@ data:
     # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta.
     #  AllBeta: false
 
+    # Enable PreferSameTrafficDistribution in AntreaProxy, allowing usage of the values PreferSameZone and PreferSameNode in
+    # the Service trafficDistribution field.
+    #  PreferSameTrafficDistribution: false
+
     # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
     # be enabled, otherwise this flag will not take effect.
     #  CleanupStaleUDPSvcConntrack: true
@@ -4524,6 +4528,11 @@ data:
       # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
       # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
       disableServiceHealthCheckServer: false
+      # The value of the IP address and the port that the AntreaProxy health server binds to. If it is not specified,
+      # it will be automatically set to "0.0.0.0:10352" for IPv4-only clusters, or "[::]10352" for IPv6-only and dual-stack
+      # clusters. Note that "[::]10352" may act as either IPv6-only or dual-stack depending on the system setting of
+      # IPV6_V6ONLY (sysctl: net.ipv6.bindv6only).
+      serviceHealthCheckServerBindAddress: ""
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -5623,7 +5632,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 57f02660c27175cf8cec0d665db7e91883d3d241ade3ed77d710ee98f5e3fe40
+        checksum/config: 94b6588150d359aaea00c29a571d77cdc57e99dcaf1da34ddb0e6f21b866bf2f
       labels:
         app: antrea
         component: antrea-agent
@@ -5871,7 +5880,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 57f02660c27175cf8cec0d665db7e91883d3d241ade3ed77d710ee98f5e3fe40
+        checksum/config: 94b6588150d359aaea00c29a571d77cdc57e99dcaf1da34ddb0e6f21b866bf2f
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -4135,6 +4135,10 @@ data:
     # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta.
     #  AllBeta: false
 
+    # Enable PreferSameTrafficDistribution in AntreaProxy, allowing usage of the values PreferSameZone and PreferSameNode in
+    # the Service trafficDistribution field.
+    #  PreferSameTrafficDistribution: false
+
     # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
     # be enabled, otherwise this flag will not take effect.
     #  CleanupStaleUDPSvcConntrack: true
@@ -4520,6 +4524,11 @@ data:
       # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
       # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
       disableServiceHealthCheckServer: false
+      # The value of the IP address and the port that the AntreaProxy health server binds to. If it is not specified,
+      # it will be automatically set to "0.0.0.0:10352" for IPv4-only clusters, or "[::]10352" for IPv6-only and dual-stack
+      # clusters. Note that "[::]10352" may act as either IPv6-only or dual-stack depending on the system setting of
+      # IPV6_V6ONLY (sysctl: net.ipv6.bindv6only).
+      serviceHealthCheckServerBindAddress: ""
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -5619,7 +5628,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 57f02660c27175cf8cec0d665db7e91883d3d241ade3ed77d710ee98f5e3fe40
+        checksum/config: 94b6588150d359aaea00c29a571d77cdc57e99dcaf1da34ddb0e6f21b866bf2f
       labels:
         app: antrea
         component: antrea-agent
@@ -5868,7 +5877,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 57f02660c27175cf8cec0d665db7e91883d3d241ade3ed77d710ee98f5e3fe40
+        checksum/config: 94b6588150d359aaea00c29a571d77cdc57e99dcaf1da34ddb0e6f21b866bf2f
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -4135,6 +4135,10 @@ data:
     # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta.
     #  AllBeta: false
 
+    # Enable PreferSameTrafficDistribution in AntreaProxy, allowing usage of the values PreferSameZone and PreferSameNode in
+    # the Service trafficDistribution field.
+    #  PreferSameTrafficDistribution: false
+
     # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
     # be enabled, otherwise this flag will not take effect.
     #  CleanupStaleUDPSvcConntrack: true
@@ -4520,6 +4524,11 @@ data:
       # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
       # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
       disableServiceHealthCheckServer: false
+      # The value of the IP address and the port that the AntreaProxy health server binds to. If it is not specified,
+      # it will be automatically set to "0.0.0.0:10352" for IPv4-only clusters, or "[::]10352" for IPv6-only and dual-stack
+      # clusters. Note that "[::]10352" may act as either IPv6-only or dual-stack depending on the system setting of
+      # IPV6_V6ONLY (sysctl: net.ipv6.bindv6only).
+      serviceHealthCheckServerBindAddress: ""
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -5610,7 +5619,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: da05c6a135078734144b39bec8201adac80e58264879d2787f22c4c850d0400a
+        checksum/config: 98a70175f53cf47222530a3e5a9173fe143c9ec95daadd20cd1ba1a4239c6e47
       labels:
         app: antrea
         component: antrea-agent
@@ -5856,7 +5865,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: da05c6a135078734144b39bec8201adac80e58264879d2787f22c4c850d0400a
+        checksum/config: 98a70175f53cf47222530a3e5a9173fe143c9ec95daadd20cd1ba1a4239c6e47
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -4148,6 +4148,10 @@ data:
     # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta.
     #  AllBeta: false
 
+    # Enable PreferSameTrafficDistribution in AntreaProxy, allowing usage of the values PreferSameZone and PreferSameNode in
+    # the Service trafficDistribution field.
+    #  PreferSameTrafficDistribution: false
+
     # Enable support for cleaning up stale UDP Service conntrack connections in AntreaProxy. This requires AntreaProxy to
     # be enabled, otherwise this flag will not take effect.
     #  CleanupStaleUDPSvcConntrack: true
@@ -4533,6 +4537,11 @@ data:
       # enabled. This avoids race conditions between kube-proxy and Antrea proxy, with both trying to
       # bind to the same addresses, when proxyAll is enabled while kube-proxy has not been removed.
       disableServiceHealthCheckServer: false
+      # The value of the IP address and the port that the AntreaProxy health server binds to. If it is not specified,
+      # it will be automatically set to "0.0.0.0:10352" for IPv4-only clusters, or "[::]10352" for IPv6-only and dual-stack
+      # clusters. Note that "[::]10352" may act as either IPv6-only or dual-stack depending on the system setting of
+      # IPV6_V6ONLY (sysctl: net.ipv6.bindv6only).
+      serviceHealthCheckServerBindAddress: ""
 
     # IPsec tunnel related configurations.
     ipsec:
@@ -5623,7 +5632,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: a7959b53cad321c489dc702dfd46ca38cc648c22c35224cded1d3f5791d12313
+        checksum/config: 24994b82cfcb5a9cbf05108b5bb2d4376891d6b1c3b823ec1639604ad5982711
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -5915,7 +5924,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: a7959b53cad321c489dc702dfd46ca38cc648c22c35224cded1d3f5791d12313
+        checksum/config: 24994b82cfcb5a9cbf05108b5bb2d4376891d6b1c3b823ec1639604ad5982711
       labels:
         app: antrea
         component: antrea-controller