L7 Visibility support in Antrea

Signed-off-by: Tushar Tathgur <tathgurt@tathgurtFLVDL.vmware.com>

build/charts/antrea/conf/antrea-agent.conf

@@ -73,6 +73,9 @@ featureGates:
 # into account application context.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "L7NetworkPolicy" "default" false) }}
 
+# Enable L7Visibility on Pods and Namespace.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "L7Visibility" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -173,7 +173,6 @@ rules:
     resources:
       - externalippools
       - ippools
-      - trafficcontrols
     verbs:
       - get
       - watch
@@ -219,3 +218,15 @@ rules:
     - get
     - list
     - watch
+  - apiGroups:
+      - crd.antrea.io
+    resources:
+      - trafficcontrols
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - patch
+      - create
+      - delete

build/charts/antrea/values.yaml

@@ -300,7 +300,7 @@ controller:
 
 flowExporter:
   # -- Enable the flow exporter feature.
-  enable: false
+  enable: true
   # -- IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
   # If the collector is running in-cluster as a Service, set <HOST> to
   # <Service namespace>/<Service name>.

build/charts/flow-aggregator/values.yaml

@@ -44,7 +44,7 @@ flowCollector:
 # clickHouse contains ClickHouse related configuration options.
 clickHouse:
   # -- Determine whether to enable exporting flow records to ClickHouse.
-  enable: false
+  enable: true
   # -- DatabaseURL is the url to the database. TCP protocol is required.
   databaseURL: "tcp://clickhouse-clickhouse.flow-visibility.svc:9000"
   # -- Debug enables debug logs from ClickHouse sql driver.

build/yamls/antrea-aks.yml

@@ -3165,7 +3165,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -4371,7 +4371,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65
+        checksum/config: 0d24b57f9f10487ac37067c795ca8149ea5e775935494afd77f0321b17f0ee3e
       labels:
         app: antrea
         component: antrea-agent
@@ -4612,7 +4612,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65
+        checksum/config: 0d24b57f9f10487ac37067c795ca8149ea5e775935494afd77f0321b17f0ee3e
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -3165,7 +3165,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -4371,7 +4371,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65
+        checksum/config: 0d24b57f9f10487ac37067c795ca8149ea5e775935494afd77f0321b17f0ee3e
       labels:
         app: antrea
         component: antrea-agent
@@ -4613,7 +4613,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: abf7cb1c21b730664510e8a762d967df5c620467f12bf3e0bae41df73489de65
+        checksum/config: 0d24b57f9f10487ac37067c795ca8149ea5e775935494afd77f0321b17f0ee3e
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -3165,7 +3165,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -4371,7 +4371,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e119a0592b2cef130a915258e9f23a8e4ed0aa28685841dc6f0d4b72a6983beb
+        checksum/config: 41a1c1ed5706524ad0bb2655ebf792087177625e303281e3658246a701eca329
       labels:
         app: antrea
         component: antrea-agent
@@ -4610,7 +4610,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: e119a0592b2cef130a915258e9f23a8e4ed0aa28685841dc6f0d4b72a6983beb
+        checksum/config: 41a1c1ed5706524ad0bb2655ebf792087177625e303281e3658246a701eca329
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -3178,7 +3178,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -4384,7 +4384,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 373bbb8d6a42a8f3e546ea446fd078c04e947093e68e0c1c973f4c696bf8d607
+        checksum/config: eb5f06767bd483472a70515a7055416d9904e0c08c4fa8563b5955937008750e
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -4669,7 +4669,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 373bbb8d6a42a8f3e546ea446fd078c04e947093e68e0c1c973f4c696bf8d607
+        checksum/config: eb5f06767bd483472a70515a7055416d9904e0c08c4fa8563b5955937008750e
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -3165,7 +3165,7 @@ data:
       # IPFIX flow records from each agent to a configured collector. To enable this
       # feature, you need to set "enable" to true, and ensure that the FlowExporter
       # feature gate is also enabled.
-      enable: false
+      enable: true
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
       # using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
@@ -4371,7 +4371,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7e1d1a60a99fdbe25ff10b92e85ff234a5769c02bd9ae0ead56a3fe0a8ad118d
+        checksum/config: 4b484dbf100647570cc3ab0bacb16d2207918c8258d58d24f172efe14b62512f
       labels:
         app: antrea
         component: antrea-agent
@@ -4610,7 +4610,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 7e1d1a60a99fdbe25ff10b92e85ff234a5769c02bd9ae0ead56a3fe0a8ad118d
+        checksum/config: 4b484dbf100647570cc3ab0bacb16d2207918c8258d58d24f172efe14b62512f
       labels:
         app: antrea
         component: antrea-controller

build/yamls/flow-aggregator.yml

@@ -219,7 +219,7 @@ data:
     # clickHouse contains ClickHouse related configuration options.
     clickHouse:
       # Enable is the switch to enable exporting flow records to ClickHouse.
-      enable: false
+      enable: true
 
       # Database is the name of database where Antrea "flows" table is created.
       database: "default"

cmd/antrea-agent/agent.go

@@ -39,6 +39,7 @@ import (
 	"antrea.io/antrea/pkg/agent/controller/egress"
 	"antrea.io/antrea/pkg/agent/controller/ipseccertificate"
 	"antrea.io/antrea/pkg/agent/controller/networkpolicy"
+	"antrea.io/antrea/pkg/agent/controller/networkpolicy/l7engine"
 	"antrea.io/antrea/pkg/agent/controller/noderoute"
 	"antrea.io/antrea/pkg/agent/controller/serviceexternalip"
 	"antrea.io/antrea/pkg/agent/controller/traceflow"
@@ -691,6 +692,7 @@ func run(o *Options) error {
 
 	if features.DefaultFeatureGate.Enabled(features.TrafficControl) {
 		tcController := trafficcontrol.NewTrafficControlController(ofClient,
+			crdClient,
 			ifaceStore,
 			ovsBridgeClient,
 			ovsCtlClient,
@@ -699,6 +701,9 @@ func run(o *Options) error {
 			namespaceInformer,
 			podUpdateChannel)
 		go tcController.Run(stopCh)
+		if features.DefaultFeatureGate.Enabled(features.L7Visibility) {
+			go l7engine.Run(tcController)
+		}
 	}
 
 	//  Start the localPodInformer

go.mod

@@ -207,3 +207,5 @@ require (
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
+
+replace github.com/vmware/go-ipfix v0.6.1 => github.com/tushartathgur/go-ipfix v0.0.0-20230714214305-c3c7a13353f8

go.sum

@@ -1047,6 +1047,8 @@ github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhV
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 h1:uruHq4dN7GR16kFc5fp3d1RIYzJW5onx8Ybykw2YQFA=
+github.com/tushartathgur/go-ipfix v0.0.0-20230714214305-c3c7a13353f8 h1:5f0hm5NzcSY4tKiKInkCGLnps+DDWEVK5qV9wYnE9/g=
+github.com/tushartathgur/go-ipfix v0.0.0-20230714214305-c3c7a13353f8/go.mod h1:dGCppoeqknr9o3yz9BD74mP/FPHgefb6v34xdUKxDPI=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
@@ -1064,8 +1066,6 @@ github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f h1:p4VB7kIXpOQvVn1ZaTIVp+3vuYAXFe3OJEvjbUYJLaA=
 github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-github.com/vmware/go-ipfix v0.6.1 h1:6Gh4kuUkPwetEJ6dWxlz029qwgFBXtcYYVWuiqy0Zgo=
-github.com/vmware/go-ipfix v0.6.1/go.mod h1:dGCppoeqknr9o3yz9BD74mP/FPHgefb6v34xdUKxDPI=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=