[#7231] Add support for multi flow exporter targets via CRDs.

build/charts/antrea/README.md

@@ -99,7 +99,7 @@ Kubernetes: `>= 1.23.0-0`
 | enableBridgingMode | bool | `false` | Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected to the OVS bridge. |
 | featureGates | object | `{}` | To explicitly enable or disable a FeatureGate and bypass the Antrea defaults, add an entry to the dictionary with the FeatureGate's name as the key and a boolean as the value. |
 | flowExporter.activeFlowExportTimeout | string | `"5s"` | timeout after which a flow record is sent to the collector for active flows. |
-| flowExporter.enable | bool | `false` | Enable the flow exporter feature. |
+| flowExporter.enable | bool | `false` | Enable the static flow exporter. |
 | flowExporter.flowCollectorAddr | string | `"flow-aggregator/flow-aggregator:14739:grpc"` | IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>]. If the collector is running in-cluster as a Service, set <HOST> to <Service namespace>/<Service name>. |
 | flowExporter.flowPollInterval | string | `"5s"` | Determines how often the flow exporter polls for new connections. |
 | flowExporter.idleFlowExportTimeout | string | `"15s"` | timeout after which a flow record is sent to the collector for idle flows. |

build/charts/antrea/conf/antrea-agent.conf

@@ -254,10 +254,10 @@ enablePrometheusMetrics: {{ .Values.agent.enablePrometheusMetrics }}
 
 flowExporter:
   {{- with .Values.flowExporter }}
-  # Enable FlowExporter, a feature used to export polled conntrack connections as
-  # IPFIX flow records from each agent to a configured collector. To enable this
-  # feature, you need to set "enable" to true, and ensure that the FlowExporter
-  # feature gate is also enabled.
+  # Enable a flow exporter destination with the configuration specified here.
+  # This can be disabled which means only `FlowExporterDestination` resources
+  # will be considered for exporting. The FlowExporter FeatureGate determines
+  # whether FlowExporter is enabled.
   enable: {{ .enable }}
   # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
   # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If

build/charts/antrea/values.yaml

@@ -422,7 +422,7 @@ controller:
         memory: "100Mi"
 
 flowExporter:
-  # -- Enable the flow exporter feature.
+  # -- Enable the static flow exporter.
   enable: false
   # -- IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
   # If the collector is running in-cluster as a Service, set <HOST> to

build/yamls/antrea-aks.yml

@@ -4455,10 +4455,10 @@ data:
     enablePrometheusMetrics: true
 
     flowExporter:
-      # Enable FlowExporter, a feature used to export polled conntrack connections as
-      # IPFIX flow records from each agent to a configured collector. To enable this
-      # feature, you need to set "enable" to true, and ensure that the FlowExporter
-      # feature gate is also enabled.
+      # Enable a flow exporter destination with the configuration specified here.
+      # This can be disabled which means only `FlowExporterDestination` resources
+      # will be considered for exporting. The FlowExporter FeatureGate determines
+      # whether FlowExporter is enabled.
       enable: false
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
@@ -5725,7 +5725,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 19cea71ebb0d852621308d71c5ee31a965d1fd7c0bc6a4c04bd09aa7ac2c1687
+        checksum/config: 8210b1e66f6269e7d5a9c85f070a2b1e76459aefa850d7a5066b7b824f00c292
       labels:
         app: antrea
         component: antrea-agent
@@ -5973,7 +5973,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 19cea71ebb0d852621308d71c5ee31a965d1fd7c0bc6a4c04bd09aa7ac2c1687
+        checksum/config: 8210b1e66f6269e7d5a9c85f070a2b1e76459aefa850d7a5066b7b824f00c292
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -4451,10 +4451,10 @@ data:
     enablePrometheusMetrics: true
 
     flowExporter:
-      # Enable FlowExporter, a feature used to export polled conntrack connections as
-      # IPFIX flow records from each agent to a configured collector. To enable this
-      # feature, you need to set "enable" to true, and ensure that the FlowExporter
-      # feature gate is also enabled.
+      # Enable a flow exporter destination with the configuration specified here.
+      # This can be disabled which means only `FlowExporterDestination` resources
+      # will be considered for exporting. The FlowExporter FeatureGate determines
+      # whether FlowExporter is enabled.
       enable: false
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
@@ -5721,7 +5721,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 19cea71ebb0d852621308d71c5ee31a965d1fd7c0bc6a4c04bd09aa7ac2c1687
+        checksum/config: 8210b1e66f6269e7d5a9c85f070a2b1e76459aefa850d7a5066b7b824f00c292
       labels:
         app: antrea
         component: antrea-agent
@@ -5970,7 +5970,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 19cea71ebb0d852621308d71c5ee31a965d1fd7c0bc6a4c04bd09aa7ac2c1687
+        checksum/config: 8210b1e66f6269e7d5a9c85f070a2b1e76459aefa850d7a5066b7b824f00c292
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -4451,10 +4451,10 @@ data:
     enablePrometheusMetrics: true
 
     flowExporter:
-      # Enable FlowExporter, a feature used to export polled conntrack connections as
-      # IPFIX flow records from each agent to a configured collector. To enable this
-      # feature, you need to set "enable" to true, and ensure that the FlowExporter
-      # feature gate is also enabled.
+      # Enable a flow exporter destination with the configuration specified here.
+      # This can be disabled which means only `FlowExporterDestination` resources
+      # will be considered for exporting. The FlowExporter FeatureGate determines
+      # whether FlowExporter is enabled.
       enable: false
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
@@ -5712,7 +5712,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 850a3f0b6a90ccc8380a7c5681a989b0d0204183d289c8d75fd76eab8cd1161a
+        checksum/config: b09c8311a5c77d881bef59af4c7ea0c75d4c0b78dc7b5c548d77f2048c1be2b5
       labels:
         app: antrea
         component: antrea-agent
@@ -5958,7 +5958,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 850a3f0b6a90ccc8380a7c5681a989b0d0204183d289c8d75fd76eab8cd1161a
+        checksum/config: b09c8311a5c77d881bef59af4c7ea0c75d4c0b78dc7b5c548d77f2048c1be2b5
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -4464,10 +4464,10 @@ data:
     enablePrometheusMetrics: true
 
     flowExporter:
-      # Enable FlowExporter, a feature used to export polled conntrack connections as
-      # IPFIX flow records from each agent to a configured collector. To enable this
-      # feature, you need to set "enable" to true, and ensure that the FlowExporter
-      # feature gate is also enabled.
+      # Enable a flow exporter destination with the configuration specified here.
+      # This can be disabled which means only `FlowExporterDestination` resources
+      # will be considered for exporting. The FlowExporter FeatureGate determines
+      # whether FlowExporter is enabled.
       enable: false
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
@@ -5725,7 +5725,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: bd3bfe0a3cf17f563005ab065f7a981e07285271165795d9f1ab81bb9c0dc1e3
+        checksum/config: a9782c402bb6dbad085d0abb61931d4a21a9398bdd12794942ee8c73ef21c193
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -6017,7 +6017,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: bd3bfe0a3cf17f563005ab065f7a981e07285271165795d9f1ab81bb9c0dc1e3
+        checksum/config: a9782c402bb6dbad085d0abb61931d4a21a9398bdd12794942ee8c73ef21c193
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea.yml

@@ -4451,10 +4451,10 @@ data:
     enablePrometheusMetrics: true
 
     flowExporter:
-      # Enable FlowExporter, a feature used to export polled conntrack connections as
-      # IPFIX flow records from each agent to a configured collector. To enable this
-      # feature, you need to set "enable" to true, and ensure that the FlowExporter
-      # feature gate is also enabled.
+      # Enable a flow exporter destination with the configuration specified here.
+      # This can be disabled which means only `FlowExporterDestination` resources
+      # will be considered for exporting. The FlowExporter FeatureGate determines
+      # whether FlowExporter is enabled.
       enable: false
       # Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
       # HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
@@ -5712,7 +5712,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: ce43af869242f2d5f0787dd0b9643a42f005e0426c4bfd7e3f38abda8b7718bc
+        checksum/config: ca5121f404625ca074a0c3bce23b781e7a2fb88bceb5083cc9d4883f81ce6a67
       labels:
         app: antrea
         component: antrea-agent
@@ -5958,7 +5958,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: ce43af869242f2d5f0787dd0b9643a42f005e0426c4bfd7e3f38abda8b7718bc
+        checksum/config: ca5121f404625ca074a0c3bce23b781e7a2fb88bceb5083cc9d4883f81ce6a67
       labels:
         app: antrea
         component: antrea-controller

ci/kind/test-e2e-kind.sh

@@ -64,6 +64,18 @@ FLOWAGGREGATOR_YML_CMD="$THIS_DIR/../../hack/generate-manifest-flow-aggregator.s
 FLOW_VISIBILITY_HELM_VALUES="$THIS_DIR/values-flow-exporter.yml"
 CH_OPERATOR_YML="$THIS_DIR/../../build/yamls/clickhouse-operator-install-bundle.yml"
 FLOW_VISIBILITY_CHART="$THIS_DIR/../../test/e2e/charts/flow-visibility"
+KUSTOMIZATION_DIR="$THIS_DIR/../../test/e2e/kustomize"
+
+if [ -z "$KUSTOMIZE" ]; then
+    KUSTOMIZE=$(
+      source $THIS_DIR/../../hack/verify-kustomize.sh
+      verify_kustomize
+    )
+elif ! $KUSTOMIZE version > /dev/null 2>&1; then
+    echoerr "$KUSTOMIZE does not appear to be a valid kustomize binary"
+    print_help
+    exit 1
+fi
 
 function quit {
   result=$?
@@ -419,23 +431,30 @@ function run_test {
 
   if $flow_visibility; then
       timeout="45m"
-      flow_visibility_args="-run=TestFlowAggregator --flow-visibility"
+      flow_visibility_args="-run=^(TestFlowExporter|TestFlowAggregator) --flow-visibility"
       # This is needed so that the FlowAggregator is already configured to mount the Secrets
       # necessary for (m)TLS testing. The Secret names must match the ones expected by the e2e tests.
-      flow_visibility_manifest_args="--extra-helm-values flowCollector.tls.clientSecretName=ipfix-client-cert,flowCollector.tls.caSecretName=ipfix-server-ca"
+      coverage_flag=""
       if $coverage; then
-          $FLOWAGGREGATOR_YML_CMD --coverage $flow_visibility_manifest_args | docker exec -i kind-control-plane dd of=/root/flow-aggregator-coverage.yml
-      else
-          $FLOWAGGREGATOR_YML_CMD $flow_visibility_manifest_args | docker exec -i kind-control-plane dd of=/root/flow-aggregator.yml
+        coverage_flag="--coverage"
       fi
+      flow_visibility_manifest_default_args=("--extra-helm-values" "flowCollector.tls.clientSecretName=ipfix-client-cert,flowCollector.tls.caSecretName=ipfix-server-ca")
+      $FLOWAGGREGATOR_YML_CMD "${flow_visibility_manifest_default_args[@]}" ${coverage_flag} | docker exec -i kind-control-plane dd of=/root/flow-aggregator.yml
+      $FLOWAGGREGATOR_YML_CMD --extra-helm-values "aggregatorTransportProtocol=tcp" ${coverage_flag} > "$KUSTOMIZATION_DIR"/multi-flow-aggregator/base/manifest.yaml
+      $KUSTOMIZE build "$KUSTOMIZATION_DIR"/multi-flow-aggregator/overlays/flow-aggregator-1 | docker exec -i kind-control-plane dd of=/root/flow-aggregator-1.yml
+      $KUSTOMIZE build "$KUSTOMIZATION_DIR"/multi-flow-aggregator/overlays/flow-aggregator-2 | docker exec -i kind-control-plane dd of=/root/flow-aggregator-2.yml
+      rm "$KUSTOMIZATION_DIR"/multi-flow-aggregator/base/manifest.yaml
+
       $HELM template "$FLOW_VISIBILITY_CHART"  | docker exec -i kind-control-plane dd of=/root/flow-visibility.yml
       $HELM template "$FLOW_VISIBILITY_CHART" --set "secureConnection.enable=true" | docker exec -i kind-control-plane dd of=/root/flow-visibility-tls.yml
 
-      curl -o $CH_OPERATOR_YML https://raw.githubusercontent.com/Altinity/clickhouse-operator/release-0.21.0/deploy/operator/clickhouse-operator-install-bundle.yaml
-      sed -i -e "s|\"image\": \"clickhouse/clickhouse-server:22.3\"|\"image\": \"antrea/clickhouse-server:23.4\"|g" $CH_OPERATOR_YML
-      sed -i -e "s|image: altinity/clickhouse-operator:0.21.0|image: antrea/clickhouse-operator:0.21.0|g" $CH_OPERATOR_YML
-      sed -i -e "s|image: altinity/metrics-exporter:0.21.0|image: antrea/metrics-exporter:0.21.0|g" $CH_OPERATOR_YML
-      cat $CH_OPERATOR_YML | docker exec -i kind-control-plane dd of=/root/clickhouse-operator-install-bundle.yml
+      curl -o "$CH_OPERATOR_YML" https://raw.githubusercontent.com/Altinity/clickhouse-operator/release-0.21.0/deploy/operator/clickhouse-operator-install-bundle.yaml
+      sed -i -e "s|\"image\": \"clickhouse/clickhouse-server:22.3\"|\"image\": \"antrea/clickhouse-server:23.4\"|g" "$CH_OPERATOR_YML"
+      sed -i -e "s|image: altinity/clickhouse-operator:0.21.0|image: antrea/clickhouse-operator:0.21.0|g" "$CH_OPERATOR_YML"
+      sed -i -e "s|image: altinity/metrics-exporter:0.21.0|image: antrea/metrics-exporter:0.21.0|g" "$CH_OPERATOR_YML"
+      cat "$CH_OPERATOR_YML" | docker exec -i kind-control-plane dd of=/root/clickhouse-operator-install-bundle.yml
+
+      printf '%s' "$flow_visibility_protocol" | docker exec -i kind-control-plane dd of=/root/test-flow-visibility-protocol.txt
   fi
 
   if [[ "$kube_proxy_mode" == "none" ]]; then

cmd/antrea-agent/agent.go

@@ -132,6 +132,7 @@ func run(o *Options) error {
 	endpointSliceInformer := informerFactory.Discovery().V1().EndpointSlices()
 	namespaceInformer := informerFactory.Core().V1().Namespaces()
 	nodeLatencyMonitorInformer := crdInformerFactory.Crd().V1alpha1().NodeLatencyMonitors()
+	flowExporterDestinationInformer := crdInformerFactory.Crd().V1alpha1().FlowExporterDestinations()
 
 	// Create Antrea Clientset for the given config.
 	antreaClientProvider, err := client.NewAntreaClientProvider(o.config.AntreaClientConnection, k8sClient)
@@ -160,7 +161,7 @@ func run(o *Options) error {
 	enableMulticlusterGW := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableGateway
 	_, multiclusterEncryptionMode := config.GetTrafficEncryptionModeFromStr(o.config.Multicluster.TrafficEncryptionMode)
 	enableMulticlusterNP := features.DefaultFeatureGate.Enabled(features.Multicluster) && o.config.Multicluster.EnableStretchedNetworkPolicy
-	enableFlowExporter := features.DefaultFeatureGate.Enabled(features.FlowExporter) && o.config.FlowExporter.Enable
+	enableFlowExporter := features.DefaultFeatureGate.Enabled(features.FlowExporter)
 	var nodeIPTracker *nodeip.Tracker
 	if o.nodeType == config.K8sNode {
 		nodeIPTracker = nodeip.NewTracker(nodeInformer)
@@ -714,37 +715,39 @@ func run(o *Options) error {
 	if enableFlowExporter {
 		podStore = objectstore.NewPodStore(localPodInformer.Get())
 		flowExporterOptions := &flowexporteroptions.FlowExporterOptions{
-			FlowCollectorAddr:      o.flowCollectorAddr,
-			FlowCollectorProto:     o.flowCollectorProto,
-			ActiveFlowTimeout:      o.activeFlowTimeout,
-			IdleFlowTimeout:        o.idleFlowTimeout,
-			StaleConnectionTimeout: o.staleConnectionTimeout,
-			PollInterval:           o.pollInterval,
-			ConnectUplinkToBridge:  connectUplinkToBridge,
-			ProtocolFilter:         o.config.FlowExporter.ProtocolFilter,
+			EnableStaticDestination: o.config.FlowExporter.Enable,
+			FlowCollectorAddr:       o.flowCollectorAddr,
+			FlowCollectorProto:      o.flowCollectorProto,
+			ActiveFlowTimeout:       o.activeFlowTimeout,
+			IdleFlowTimeout:         o.idleFlowTimeout,
+			StaleConnectionTimeout:  o.staleConnectionTimeout,
+			PollInterval:            o.pollInterval,
+			ConnectUplinkToBridge:   connectUplinkToBridge,
+			ProtocolFilter:          o.config.FlowExporter.ProtocolFilter,
 		}
 		flowExporter, err = flowexporter.NewFlowExporter(
-			podStore,
-			proxyQuerier,
 			k8sClient,
+			flowExporterDestinationInformer,
+			nodeConfig,
 			nodeRouteController,
+			podStore,
+			proxyQuerier,
+			egressController,
+			networkPolicyController,
+			podNetworkWait,
 			networkConfig.TrafficEncapMode,
-			nodeConfig,
 			v4Enabled,
 			v6Enabled,
 			serviceCIDRNet,
 			serviceCIDRNetv6,
 			ovsDatapathType,
 			o.enableAntreaProxy,
-			networkPolicyController,
 			flowExporterOptions,
-			egressController,
-			podNetworkWait,
 		)
 		if err != nil {
 			return fmt.Errorf("error when creating IPFIX flow exporter: %v", err)
 		}
-		networkPolicyController.SetDenyConnStore(flowExporter.GetDenyConnStore())
+		networkPolicyController.SetNotifier(flowExporter.GetDenyConnStoreNotifier())
 	}
 
 	log.StartLogFileNumberMonitor(stopCh)

cmd/antrea-agent/options.go

@@ -292,7 +292,7 @@ func (o *Options) validateAntreaProxyConfig(encapMode config.TrafficEncapModeTyp
 }
 
 func (o *Options) validateFlowExporterConfig() error {
-	if features.DefaultFeatureGate.Enabled(features.FlowExporter) && o.config.FlowExporter.Enable {
+	if features.DefaultFeatureGate.Enabled(features.FlowExporter) {
 		if features.DefaultFeatureGate.Enabled(features.AntreaIPAM) {
 			klog.InfoS("The FlowExporter feature does not support AntreaIPAM Pods")
 		}