vmware-tanzu · joshrosso · Jul 7, 2021 · Jul 6, 2021 · Jul 7, 2021 · Jul 7, 2021
@@ -0,0 +1,34 @@
+# antrea Package
+
+This package provides networking and network security solution for containers using [antrea](https://antrea.io/).
+
+## Components
+
+## Configuration
+
+The following configuration values can be set to customize the antrea installation.
+
+### Global
+
+| Value | Required/Optional | Description |
+|-------|-------------------|-------------|
+| `namespace` | Optional | The namespace in which to deploy antrea. |
+| `infraProvider` | Required | The cloud provider in use. One of: `aws`, `azure`, `vsphere`, `docker`. |
+
+### antrea Configuration
+
+| Value | Required/Optional | Description |
+|-------|-------------------|-------------|
+| `antrea.config.serviceCIDR` | Optional | The service CIDR to use. Default: `10.96.0.0/12` |
+| `antrea.config.trafficEncapMode` | Optional | The traffic encapsulation mode. Default: `encap` |
+| `antrea.config.noSNAT` | Optional | Boolean flag to enable/disable SNAT. Default: `false`. |
+| `antrea.config.defaultMTU` | Optional | MTU to use. Default: `null` (Antrea will autodetect). |
+| `antrea.config.featureGates.AntreaProxy` | Optional | Boolean flag to enable/disable antrea proxy. Default: `false`. |
+| `antrea.config.featureGates.AntreaPolicy` | Optional | Boolean flag to enable/disable antrea policy. Default: `true`. |
+| `antrea.config.featureGates.AntreaTraceFlow` | Optional | Boolean flag to enable/disable antrea traceflow. Default: `false`. |
+| `antrea.config.featureGates.FlowExporter`| Optional | Boolean flag to enable/disable flow exporter. Default: `false`. |
+| `antrea.config.featureGates.NetworkPolicyStats` | Optional | Boolean flag to enable/disable network policy stats. Default: `false`. |
+
+## Usage Example
+
+To learn more about how to use antrea refer to [antrea documentation](https://antrea.io/docs/v0.11.3/)
@@ -0,0 +1,9 @@
+apiVersion: imgpkg.carvel.dev/v1alpha1
+kind: Bundle
+metadata:
+  name: antrea
+authors:
+- name: Shyaam Nagarajan 
+  email: nagarajans@vmware.com
+websites:
+- url: antrea.io
@@ -0,0 +1,7 @@
+---
+apiVersion: imgpkg.carvel.dev/v1alpha1
+images:
+- annotations:
+    kbld.carvel.dev/id: antrea/antrea-ubuntu:v0.13.3
+  image: index.docker.io/antrea/antrea-ubuntu@sha256:f9529d7225ffc52683c596f83f329a38d1dd425a2c174f079d9966ab540ffe30
+kind: ImagesLock
@@ -0,0 +1,8 @@
+apiVersion: kapp.k14s.io/v1alpha1
+kind: Config
+rebaseRules:
+- path: [data]
+  type: copy
+  sources: [existing, new]
+  resourceMatchers:
+  - kindNamespaceNameMatcher: {kind: ConfigMap, namespace: kube-system, name: antrea-ca}
@@ -0,0 +1,273 @@
+#@ load("@ytt:overlay", "overlay")
+#@ load("@ytt:yaml", "yaml")
+#@ load("/values.star", "values")
+
+#@ def antrea_agent_conf():
+
+#! FeatureGates is a map of feature names to bools that enable or disable experimental features.
+featureGates:
+#! Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent.
+#! It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
+#! Service traffic.
+  AntreaProxy: #@ values.antrea.config.featureGates.AntreaProxy
+
+#! Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice
+#! API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled,
+#! this flag will not take effect.
+  EndpointSlice: #@ values.antrea.config.featureGates.EndpointSlice
+
+#! Enable traceflow which provides packet tracing feature to diagnose network issue.
+  Traceflow: #@ values.antrea.config.featureGates.AntreaTraceflow
+
+#! Enable NodePortLocal feature to make the pods reachable externally through NodePort
+  NodePortLocal: #@ values.antrea.config.featureGates.NodePortLocal
+
+#! Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
+#! to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
+#! feature that supports priorities, rule actions and externalEntities in the future.
+  AntreaPolicy: #@ values.antrea.config.featureGates.AntreaPolicy
+
+#! Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
+#! agent to a configured collector.
+  FlowExporter: #@ values.antrea.config.featureGates.FlowExporter
+
+#! Enable collecting and exposing NetworkPolicy statistics.
+  NetworkPolicyStats: #@ values.antrea.config.featureGates.NetworkPolicyStats
+
+#! Name of the OpenVSwitch bridge antrea-agent will create and use.
+#! Make sure it doesn't conflict with your existing OpenVSwitch bridges.
+#!ovsBridge: br-int
+
+#! Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
+#! - system
+#! - netdev
+#! 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
+#! OVS in userspace mode. Userspace mode requires the tun device driver to be available.
+#@ if values.infraProvider == "docker":
+ovsDatapathType: netdev
+#@ end
+
+#! Name of the interface antrea-agent will create and use for host <--> pod communication.
+#! Make sure it doesn't conflict with your existing interfaces.
+#!hostGateway: antrea-gw0
+
+#! Determines how traffic is encapsulated. It has the following options:
+#! encap(default):    Inter-node Pod traffic is always encapsulated and Pod to external network
+#!                    traffic is SNAT'd.
+#! noEncap:           Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
+#!                    SNAT'd if noSNAT is not set to true. Underlying network must be capable of
+#!                    supporting Pod traffic across IP subnets.
+#! hybrid:            noEncap if source and destination Nodes are on the same subnet, otherwise encap.
+#! networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod
+#!                    IPAM and connectivity to the primary CNI.
+#!
+trafficEncapMode: #@ values.antrea.config.trafficEncapMode
+
+#! Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network.
+#! This option is for the noEncap traffic mode only, and the default value is false. In the noEncap
+#! mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to
+#! the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never
+#! performs SNAT and this option will be ignored; for other modes it must be set to false.
+noSNAT: #@ values.antrea.config.noSNAT
+
+#! Tunnel protocols used for encapsulating traffic across Nodes. Supported values:
+#! - geneve (default)
+#! - vxlan
+#! - gre
+#! - stt
+#!tunnelType: geneve
+
+#! Default MTU to use for the host gateway interface and the network interface of each Pod.
+#! If omitted, antrea-agent will discover the MTU of the Node's primary interface and
+#! also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
+#@ if/end values.antrea.config.defaultMTU:
+defaultMTU: #@ values.antrea.config.defaultMTU
+
+#! Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported
+#! for the GRE tunnel type.
+#!enableIPSecTunnel: false
+
+#! ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
+#! set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
+#! AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
+#!serviceCIDR: 10.96.0.0/12
+serviceCIDR: #@ values.antrea.config.serviceCIDR
+
+#! ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
+#! cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
+#! --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
+#! No default value for this field.
+#!serviceCIDRv6:
+
+#! The port for the antrea-agent APIServer to serve on.
+#! Note that if it's set to another value, the `containerPort` of the `api` port of the
+#! `antrea-agent` container must be set to the same value.
+#!apiPort: 10350
+
+#! Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
+#!enablePrometheusMetrics: true
+
+#! Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
+#! HOST can either be the DNS name or the IP of the Flow Collector. For example,
+#! "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect
+#! to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6.
+#! However, IPv6 address should be wrapped with [].
+#! If PORT is empty, we default to 4739, the standard IPFIX port.
+#! If no PROTO is given, we consider "tcp" as default. We support "tcp" and "udp"
+#! L4 transport protocols.
+#!flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tcp"
+
+#! Provide flow poll interval as a duration string. This determines how often the flow exporter dumps connections from the conntrack module.
+#! Flow poll interval should be greater than or equal to 1s (one second).
+#! Valid time units are "ns", "us" (or "Âµs"), "ms", "s", "m", "h".
+#!flowPollInterval: "5s"
+
+#! Provide flow export frequency, which is the number of poll cycles elapsed before flow exporter exports flow records to
+#! the flow collector.
+#! Flow export frequency should be greater than or equal to 1.
+#!flowExportFrequency: 12
+
+#! Enable TLS communication from flow exporter to flow aggregator.
+#!enableTLSToFlowAggregator: true
+
+#! Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port from that range will be assigned
+#! whenever a Pod's container defines a specific port to be exposed (each container can define a list of ports as pod.spec.containers[].ports),
+#! and all Node traffic directed to that port will be forwarded to the Pod.
+#!nplPortRange: 40000-41000
+
+#! Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
+#! Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
+#!kubeAPIServerOverride: ""
+
+#! Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+#! https://golang.org/pkg/crypto/tls/#pkg-constants
+#! Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+#! prefer TLS1.3 Cipher Suites whenever possible.
+tlsCipherSuites: #@ values.antrea.config.tlsCipherSuites
+
+#! TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+#!tlsMinVersion:
+
+#@ end
+
+
+#@ def antrea_controller_conf():
+
+#! FeatureGates is a map of feature names to bools that enable or disable experimental features.
+featureGates:
+#! Enable traceflow which provides packet tracing feature to diagnose network issue.
+  Traceflow: #@ values.antrea.config.featureGates.AntreaTraceflow
+
+#! Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
+#! to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
+#! feature that supports priorities, rule actions and externalEntities in the future.
+  AntreaPolicy: #@ values.antrea.config.featureGates.AntreaPolicy
+
+#! Enable collecting and exposing NetworkPolicy statistics.
+  NetworkPolicyStats: #@ values.antrea.config.featureGates.NetworkPolicyStats
+
+#! The port for the antrea-controller APIServer to serve on.
+#! Note that if it's set to another value, the `containerPort` of the `api` port of the
+#! `antrea-controller` container must be set to the same value.
+#!apiPort: 10349
+
+#! Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
+#!enablePrometheusMetrics: true
+
+#! Indicates whether to use auto-generated self-signed TLS certificate.
+#! If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
+#!   ca.crt: <CA certificate>
+#!   tls.crt: <TLS certificate>
+#!   tls.key: <TLS private key>
+#! And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
+#! antrea-controller container.
+selfSignedCert: true
+
+#! Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+#! https://golang.org/pkg/crypto/tls/#pkg-constants
+#! Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+#! prefer TLS1.3 Cipher Suites whenever possible.
+tlsCipherSuites: #@ values.antrea.config.tlsCipherSuites
+
+#! TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+#!tlsMinVersion:
+
+#! Enable usage reporting (telemetry) to VMware.
+#!enableUsageReporting: false
+
+#! enterpriseAntrea: true
+
+#@ end
+
+#@overlay/match by=overlay.subset({"kind":"ConfigMap","metadata":{"name": "antrea-ca"}})
+---
+kind: ConfigMap
+metadata:
+  name: antrea-ca
+  #@overlay/match missing_ok=True
+  annotations:
+    kapp.k14s.io/versioned: ""
+
+#@overlay/match by=overlay.subset({"kind":"ConfigMap","metadata":{"name": "antrea-config-ctb8mftc58"}})
+---
+kind: ConfigMap
+metadata:
+  name: antrea-config-ctb8mftc58
+  annotations:
+    #@overlay/match missing_ok=True
+    kapp.k14s.io/versioned: ""
+data:
+  antrea-agent.conf: #@ yaml.encode(antrea_agent_conf())
+  antrea-controller.conf: #@ yaml.encode(antrea_controller_conf())
+
+#@overlay/match by=overlay.subset({"kind":"Deployment","metadata":{"name": "antrea-controller"}})
+---
+kind: Deployment
+metadata:
+  name: antrea-controller
+  #@overlay/match missing_ok=True
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
+
+
+#@overlay/match by=overlay.subset({"kind":"DaemonSet","metadata":{"name": "antrea-agent"}})
+---
+kind: DaemonSet
+metadata:
+  #@overlay/match missing_ok=True
+  annotations:
+    kapp.k14s.io/disable-default-label-scoping-rules: ""
+spec:
+  template:
+    spec:
+      containers:
+        #@ if values.infraProvider == "docker":
+        #@overlay/match by=overlay.subset({"name":"antrea-ovs"})
+        - command:
+          #@overlay/match by=overlay.subset("start_ovs")
+          #@overlay/replace
+            - start_ovs_netdev
+
+        #@overlay/match by=overlay.subset({"name":"antrea-ovs"})
+        - volumeMounts:
+          #@overlay/append
+            - mountPath: /dev/net/tun
+              name: dev-tun
+        #@ end
+
+      initContainers:
+        #@ if values.infraProvider == "docker":
+        #@overlay/match by=overlay.subset({"name":"install-cni"})
+        - command:
+          #@overlay/match by=overlay.subset("install_cni")
+          #@overlay/replace
+            - install_cni_kind
+        #@ end
+      volumes:
+      #@ if values.infraProvider == "docker":
+      #@overlay/append
+        - hostPath:
+            path: /dev/net/tun
+            type: CharDevice
+          name: dev-tun
+      #@ end