/test-e2e
/test-e2e
/test-windows-e2e
/test-windows-e2e
/test-windows-e2e
Fixes antrea-io#6648 Signed-off-by: Harsh Gupta <notsoharsh13@gmail.com>
Signed-off-by: KMAnju-2021 <km074btcse18@igdtuw.ac.in>
…rea-io#7196) Fixes antrea-io#7135 Signed-off-by: Deepanshu Bisht <deepanshudb1@gmail.com>
…ntrea-io#7202) The root cause of the flaky failure is that one case is designed with multiple local members of a stale Multicast group. According to the latest implementation, the mcast_controller will send IGMP leave event standing for all the local members one by one. And there exist two separate goroutines, eventHandler and worker. The worker may take different actions with the OpenFlow group according to the cached GroupMemberStatus in the runtime, e.g., 1. if there exist other local members (the event handler does not remove other stale local members) then the worker will re-install the OpenFlow group to update the local members, 2. if all local members are removed from the cache, the worker will un-install the OpenFlow group. Finally the OpenFlow group is removed. To remove the flaky cases, this change uses "MaxTimes" to mock the call with ofClient.InstallMulticastGroup on such Multicast groups. Signed-off-by: Wenying Dong <wenying.dong@broadcom.com>
…ntrea-io#7203) This reverts commit e41b66d. Signed-off-by: KMAnju-2021 <km074btcse18@igdtuw.ac.in>
* RuleBuilder encapsulates all inputs to `AddIngress` and `AddEgress`
* Callers to AddIngress and AddEgress can now create a builder with
  a subset of inputs instead of passing in a bunch of nils/empty
  strings
* Removes AddIngressForSrcPort
* RuleBuilder interface has GetIngress/Egress so that the building of
  the Rules can be done outside of AddIngress/Egress
* Adding Egress no longer requires creating a temporary spec builder,
  calling Ingress then modifying it to be an Egress rule
* Instead, the transform of a rule from Ingress to Egress can happen
  in a smaller, simple toEgress method
* Adds BaseRuleBuilder for properties common to both ANP and CNP
* Adds ANP/CNPRuleBuilders whose GetIngress/Egress implementations can
  handle the unique CNP vs ANP needs
Signed-off-by: Peter Tran <peter-pt.tran@broadcom.com>
) SecondaryNetwork allows multicast traffic to be transmitted over a separate network. While OVS bridges natively support multicast, multicast snooping is disabled by default. This causes multicast traffic to be flooded to all ports, which is inefficient in large environments. This patch introduces a configuration parameter, enableMulticastSnooping, that enables multicast snooping on the bridge associated with a SecondaryNetwork. With snooping enabled, the bridge learns multicast group memberships and forwards multicast traffic only to ports with interested receivers. Signed-off-by: Quan Tian <quan.tian@broadcom.com>
Fixes antrea-io#6570 We decouple ICMP probe sending from latency reporting in the NodeLatencyMonitor to get more meaningful timestamps in the latency reports. We also enforce a minimum time interval between two consecutive reports. Signed-off-by: Harsh Gupta <notsoharsh13@gmail.com>
Bumps [github.com/osrg/gobgp/v3](https://github.com/osrg/gobgp) from 3.36.0 to 3.37.0. - [Release notes](https://github.com/osrg/gobgp/releases) - [Changelog](https://github.com/osrg/gobgp/blob/master/.goreleaser.yml) - [Commits](osrg/gobgp@v3.36.0...v3.37.0) --- updated-dependencies: - dependency-name: github.com/osrg/gobgp/v3 dependency-version: 3.37.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…7207) Bumps the trivy-actions group with 1 update: [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action). Updates `aquasecurity/trivy-action` from 0.30.0 to 0.31.0 - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@0.30.0...0.31.0) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 0.31.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: trivy-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Improve logging in NodePortLocal controller * Use structured logging consistently in handleAddUpdatePod. * Increase verbosity level of "IP address not set for Pod" log. * Add new logs when a rule is added / deleted. While the iptables-based implementation of NPL will also log a message, it doesn't include the Pod name, which makes troubleshooting issues harder. Signed-off-by: Antonin Bas <antonin.bas@broadcom.com> * Address review comments Signed-off-by: Antonin Bas <antonin.bas@broadcom.com> --------- Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
…o#7197) * Add custom clusterID to flowaggregator config * When it is set, it is added to the flow record in lieu of the generated clusterUUID Fixes antrea-io#7131 Signed-off-by: Peter Tran <peter-pt.tran@broadcom.com>
* adds `protocolFilter` config under `FlowExporter` * when specified, only flows with the specified protocols are exported * when unsupported protocols specified, a warning is logged * by default, everything continues to be exported as before Fixes antrea-io#7117 Signed-off-by: Andrew Su <andrew.su@broadcom.com> Signed-off-by: Peter Tran <peter-pt.tran@broadcom.com>
The following agent functions require netns of a container network interface: * Create or update a Pod secondary interface. * Delete a Pod secondary interface and clean up its state. * Restore the original name of a SR-IOV VF interface after it is removed from the container netns. If the container netns info is not persisted, these functions may break after agent restarts. This commit stores netns in the interface store, and writes it to an OVS port external ID with a Pod's primary or a secondary VLAN interface and restores it into the interface store after agent restarts. Signed-off-by: Jianjun Shen <shenj@vmware.com>
If configureContainerLinkVeth fails, either while disabling TX checksum offloading or configuring IPAM, the veth interfaces are left behind in a broken state. Subsequent retries by the controller will fail to create the veth again because they already exist. This patch performs proper cleanup, allowing retries to succeed. Signed-off-by: Quan Tian <quan.tian@broadcom.com>
…#7208) When switching to a buffered exporter in antrea-io#6998, the exporter code was "optimized" a bit too aggressively, and we ended up in a situation where data records with a template ID of 0 could be exported. The template ID should be set explicitly for all IPFIX records to account for the following: 1) the template ID may not always match between the FlowExporter (Agent) and the FlowAggregator, even though it is the case today. 2) when there is version skew between the FlowExporter and the FlowAggregator, and IEs are either added or removed, the FA preprocessor resets the template ID of data records to 0 to avoid confusion (mutated data record no longer matches original template ID), which means that the correct template ID must be set at export time. Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
Signed-off-by: Aryan Bakliwal <aryanbakliwal12345@gmail.com>
Bumps [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) from 5 to 6. - [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases) - [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md) - [Commits](stefanzweifel/git-auto-commit-action@v5...v6) --- updated-dependencies: - dependency-name: stefanzweifel/git-auto-commit-action dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Lan Luo <lan.luo@broadcom.com>
In the container network namespace, it should be the container interface name, instead of the host interface name. Signed-off-by: Quan Tian <quan.tian@broadcom.com>
The current implementation excludes the entire Service CIDR from Egress SNAT, not just the Services specified in `antreaProxy.skipServices`. Relevant code path: - https://github.com/antrea-io/antrea/blob/23b12810fe9b3bd3a910755ea6fbc09a2e71a970/pkg/agent/openflow/pipeline.go#L2183 - https://github.com/antrea-io/antrea/blob/23b12810fe9b3bd3a910755ea6fbc09a2e71a970/pkg/agent/openflow/client.go#L1047 - https://github.com/antrea-io/antrea/blob/23b12810fe9b3bd3a910755ea6fbc09a2e71a970/pkg/agent/controller/egress/egress_controller.go#L388 Signed-off-by: Hongliang Liu <hongliang.liu@broadcom.com>
Bumps the golang-org-x group with 6 updates: | Package | From | To | | --- | --- | --- | | [golang.org/x/crypto](https://github.com/golang/crypto) | `0.38.0` | `0.39.0` | | [golang.org/x/mod](https://github.com/golang/mod) | `0.24.0` | `0.25.0` | | [golang.org/x/net](https://github.com/golang/net) | `0.40.0` | `0.41.0` | | [golang.org/x/sync](https://github.com/golang/sync) | `0.14.0` | `0.15.0` | | [golang.org/x/time](https://github.com/golang/time) | `0.11.0` | `0.12.0` | | [golang.org/x/tools](https://github.com/golang/tools) | `0.33.0` | `0.34.0` | Updates `golang.org/x/crypto` from 0.38.0 to 0.39.0 - [Commits](golang/crypto@v0.38.0...v0.39.0) Updates `golang.org/x/mod` from 0.24.0 to 0.25.0 - [Commits](golang/mod@v0.24.0...v0.25.0) Updates `golang.org/x/net` from 0.40.0 to 0.41.0 - [Commits](golang/net@v0.40.0...v0.41.0) Updates `golang.org/x/sync` from 0.14.0 to 0.15.0 - [Commits](golang/sync@v0.14.0...v0.15.0) Updates `golang.org/x/time` from 0.11.0 to 0.12.0 - [Commits](golang/time@v0.11.0...v0.12.0) Updates `golang.org/x/tools` from 0.33.0 to 0.34.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.33.0...v0.34.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.39.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org-x - dependency-name: golang.org/x/mod dependency-version: 0.25.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org-x - dependency-name: golang.org/x/net dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org-x - dependency-name: golang.org/x/sync dependency-version: 0.15.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org-x - dependency-name: golang.org/x/time dependency-version: 0.12.0 dependency-type: direct:production 
update-type: version-update:semver-minor dependency-group: golang-org-x - dependency-name: golang.org/x/tools dependency-version: 0.34.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-org-x ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/ti-mo/conntrack](https://github.com/ti-mo/conntrack) from 0.5.1 to 0.5.2. - [Release notes](https://github.com/ti-mo/conntrack/releases) - [Commits](ti-mo/conntrack@v0.5.1...v0.5.2) --- updated-dependencies: - dependency-name: github.com/ti-mo/conntrack dependency-version: 0.5.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…or (antrea-io#7212) We add mTLS support to secure communications between the FlowAggregator and an external IPFIX collector. A new `flowCollector.tls` section is added to the FlowAggregator configuration. In particular, users can provide the name of a Secret (in the same Namespace as the FlowAggregator) containing the CA certificate used to authenticate the destination collector, as well as the name of a Secret (again, in the same Namespace as the FlowAggregator) containing the TLS certificate / key used to authenticate to the destination collector. The go-ipfix library is updated to v0.15.0. The new version adds support for some new TLS configuration parameters, and adds mTLS support to the reference ipfix-collector (used for e2e testing of the FlowAggregator). Fixes antrea-io#7081 Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
Signed-off-by: Lan Luo <lan.luo@broadcom.com>
Signed-off-by: github-actions <github-actions@github.com> Co-authored-by: github-actions <github-actions@github.com>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Lan Luo <lan.luo@broadcom.com> Co-authored-by: Lan Luo <lan.luo@broadcom.com>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ntrea-io#7611) In hybrid traffic mode, when a connection’s destination IP belongs to the Egress Node (not the Node IPs or Egress IPs), the Node should apply the Egress policy-routing rules so that reply packets re-enter the OVS pipeline. However, the current implementation does not apply policy routing for such locally destined flows, causing the Egress Node to bypass the OVS path and fail to handle the connection correctly. This patch ensures that reply packets for connections targeting the Egress Node are processed through the expected policy-routing path and forwarded to OVS in hybrid mode. Signed-off-by: Hongliang Liu <hongliang.liu@broadcom.com>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…rea-io#7623) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…to true (antrea-io#7620) Like feature gate EndpointSlice, TopologyAwareHints and ServiceTrafficDistribution are enabled in AntreaProxy by default now, and the corresponding feature gates are not consumed by AntreaProxy anymore. As a result, lock them to true. Signed-off-by: Hongliang Liu <hongliang.liu@broadcom.com>
….9.0 [security] (antrea-io#7622) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Skipping unit tests for all features explicitly listed as unsupported on Windows (e.g., NodeLatencyMonitor, Egress). This change was initiated following the observation of flaky failures in monitor tool Windows unit tests. Disabling all related tests improves CI stability and releases resources. Signed-off-by: Shuyang Xin <shuyang.xin@broadcom.com>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* adds code coverage in networkpolicy package for networkPolicyController's getAffectedNamespacesForAppliedto Signed-off-by: Peter Tran <peter-pt.tran@broadcom.com>
The L7FlowExporter was officially deprecated in Antrea v2.5, and we are removing it in Antrea v2.6. The feature implementation is fully removed and the documentation is updated accordingly. Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
We deprecate the App field in the Flow Protobuf used to export records from the Agent to the Flow Aggregator. We stop exporting App data in the Agent (Flow Exporter), and we stop consuming App data in the Flow Aggregator. In the Flow Aggregator, the various exporters no longer export the corresponding fields. The IPFIX exporter no longer includes the corresponding Information Elements. The ClickHouse client no longer sets the corresponding fields in insert statements. The S3 uploader no longer includes the corresponding fields in CSV records. Note that Theia was never updated to support L7 fields (appProtocolName and httpVals). Other potential consumers of the S3 uploader may need to be updated after this change (not backward-compatible), which we think is acceptable. Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
…trea-io#7559) This addresses an issue where having multiple replicas of flow-aggregator will cause them to clobber each other's certificates. We now only try to create it if it is invalid (does not exist/expired). The root CA certificate and key are shared amongst all instances. Each replica is responsible for generating its own server certificates. Client certs and the CA ConfigMap will be created/updated if they are invalid or are incompatible with the CA certificate. e2e tests will use multiple replicas when testing the flow-aggregator in Proxy mode. Fixes antrea-io#7540
…ntrea-io#7631) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…7636) This patch fixes that ProxyServer can be nil if AntreaProxy is not enabled, causing antrea-agent to crash due to a nil pointer. Signed-off-by: Hongliang Liu <hongliang.liu@broadcom.com>
Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
The test was failing when WireGuard encryption is enabled because it expects gateway routes for encap mode, but WireGuard doesn't require gateway routes since it handles routing through its own interface. This commit adds encryption mode detection to the test framework and updates the test to expect 0 gateway routes when WireGuard is enabled with encap mode. Signed-off-by: xliuxu <xu.liu@broadcom.com>
…io#7653) Signed-off-by: Hongliang Liu <hongliang.liu@broadcom.com>
…7652) No space left issue on /tmp was observed when running Multi-cluster e2e: `mkdir /tmp/go-build2473123557/b1104/: no space left on device` Fix it by mounting cache instead of writing files to /tmp Signed-off-by: Lan Luo <lan.luo@broadcom.com>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Lan Luo <lan.luo@broadcom.com>
…rea-io#7651) Introduce a new antrea-sysctl-init command to run as an init container before Antrea components start. The command creates a dedicated sysctl.d configuration file containing Antrea-specific sysctl settings required by features that rely on policy routing (e.g. Egress). The sysctl configuration applies only to the interfaces managed by Antrea. A relatively high filename prefix is used so that the Antrea-specific sysctl configuration is applied after most default distribution- or administrator-provided sysctl configuration files, while still allowing explicit higher-priority overrides when desired. This logic is intentionally implemented as an init container rather than as part of antrea-agent, to avoid modifying node-wide sysctl state during normal agent operation. Signed-off-by: Hongliang Liu <hongliang.liu@broadcom.com>
Signed-off-by: Shuyang Xin <shuyang.xin@broadcom.com>
No description provided.