Add BGPPolicy controller

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>

build/charts/antrea/README.md

@@ -64,6 +64,7 @@ Kubernetes: `>= 1.19.0-0`
 | auditLogging.maxAge | int | `28` | MaxAge is the maximum number of days to retain old log files based on the timestamp encoded in their filename. If set to 0, old log files are not removed based on age. |
 | auditLogging.maxBackups | int | `3` | MaxBackups is the maximum number of old log files to retain. If set to 0, all log files will be retained (unless MaxAge causes them to be deleted). |
 | auditLogging.maxSize | int | `500` | MaxSize is the maximum size in MB of a log file before it gets rotated. |
+| bgpPolicy.secretName | string | `"antrea-bgp-passwords"` | The name of the Secret storing the passwords of BGP peers. |
 | clientCAFile | string | `""` | File path of the certificate bundle for all the signers that is recognized for incoming client certificates. |
 | cni.hostBinPath | string | `"/opt/cni/bin"` | Installation path of CNI binaries on the host. |
 | cni.plugins | object | `{"bandwidth":true,"portmap":true}` | Chained plugins to use alongside antrea-cni. |

build/charts/antrea/conf/antrea-agent.conf

@@ -91,6 +91,9 @@ featureGates:
 # Enable NodeLatencyMonitor to monitor the latency between Nodes.
 {{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodeLatencyMonitor" "default" false) }}
 
+# Allow users to advertise Service IPs, Pod IPs, and Egress IPs to BGP peers.
+{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "BGPPolicy" "default" false) }}
+
 # Name of the OpenVSwitch bridge antrea-agent will create and use.
 # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
 ovsBridge: {{ .Values.ovs.bridgeName | quote }}
@@ -443,3 +446,8 @@ secondaryNetwork:
 {{- end }}
 
 {{- end }}
+
+bgpPolicy:
+  # The name of the Secret storing passwords of the BGP peers. For each BGP peer, the Secret key is generated by
+  # concatenating its IP address and AS number, e.g., `192.168.1.1-65521`.
+  secretName: {{ .Values.bgpPolicy.secretName | quote }}

build/charts/antrea/templates/agent/bgp-secret.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.bgpPolicy.secretName }}
+  namespace: {{ .Release.Namespace }}
+type: Opaque

build/charts/antrea/templates/agent/clusterrole.yaml

@@ -177,6 +177,7 @@ rules:
   - apiGroups:
       - crd.antrea.io
     resources:
+      - bgppolicies
       - externalippools
       - ippools
       - trafficcontrols
@@ -234,3 +235,12 @@ rules:
       - create
       - patch
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - {{ .Values.bgpPolicy.secretName }}
+    verbs:
+      - get
+      - watch

build/charts/antrea/values.yaml

@@ -207,6 +207,10 @@ secondaryNetwork:
   # [{bridgeName: "br1", physicalInterfaces: ["eth1"]}]
   ovsBridges: []
 
+bgpPolicy:
+  # -- The name of the Secret storing the passwords of BGP peers.
+  secretName: "antrea-bgp-passwords"
+
 agent:
   # -- Port for the antrea-agent APIServer to serve on.
   apiPort: 10350

build/yamls/antrea-aks.yml

@@ -3684,6 +3684,14 @@ metadata:
   labels:
     app: antrea
 ---
+# Source: antrea/templates/agent/bgp-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: antrea-bgp-passwords
+  namespace: kube-system
+type: Opaque
+---
 # Source: antrea/templates/agent/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -3807,6 +3815,9 @@ data:
     # Enable NodeLatencyMonitor to monitor the latency between Nodes.
     #  NodeLatencyMonitor: false
 
+    # Allow users to advertise Service IPs, Pod IPs, and Egress IPs to BGP peers.
+    #  BGPPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -4115,6 +4126,11 @@ data:
       maxAge: 28
       # Compress enables gzip compression on rotated files.
       compress: true
+
+    bgpPolicy:
+      # The name of the Secret storing passwords of the BGP peers. For each BGP peer, the Secret key is generated by
+      # concatenating its IP address and AS number, e.g., `192.168.1.1-65521`.
+      secretName: "antrea-bgp-passwords"
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -4445,6 +4461,7 @@ rules:
   - apiGroups:
       - crd.antrea.io
     resources:
+      - bgppolicies
       - externalippools
       - ippools
       - trafficcontrols
@@ -4502,6 +4519,15 @@ rules:
       - create
       - patch
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - antrea-bgp-passwords
+    verbs:
+      - get
+      - watch
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -5110,7 +5136,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: f976029accf54258d01ad907fe19b50ac671eee014cd8aea968c6a0bc7e8f95a
+        checksum/config: 178df1e0c099cb87d001786b31a8a1e598bfc14e2d6eb974f46dc3bdfc5ef3dc
       labels:
         app: antrea
         component: antrea-agent
@@ -5348,7 +5374,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: f976029accf54258d01ad907fe19b50ac671eee014cd8aea968c6a0bc7e8f95a
+        checksum/config: 178df1e0c099cb87d001786b31a8a1e598bfc14e2d6eb974f46dc3bdfc5ef3dc
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-eks.yml

@@ -3684,6 +3684,14 @@ metadata:
   labels:
     app: antrea
 ---
+# Source: antrea/templates/agent/bgp-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: antrea-bgp-passwords
+  namespace: kube-system
+type: Opaque
+---
 # Source: antrea/templates/agent/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -3807,6 +3815,9 @@ data:
     # Enable NodeLatencyMonitor to monitor the latency between Nodes.
     #  NodeLatencyMonitor: false
 
+    # Allow users to advertise Service IPs, Pod IPs, and Egress IPs to BGP peers.
+    #  BGPPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -4115,6 +4126,11 @@ data:
       maxAge: 28
       # Compress enables gzip compression on rotated files.
       compress: true
+
+    bgpPolicy:
+      # The name of the Secret storing passwords of the BGP peers. For each BGP peer, the Secret key is generated by
+      # concatenating its IP address and AS number, e.g., `192.168.1.1-65521`.
+      secretName: "antrea-bgp-passwords"
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -4445,6 +4461,7 @@ rules:
   - apiGroups:
       - crd.antrea.io
     resources:
+      - bgppolicies
       - externalippools
       - ippools
       - trafficcontrols
@@ -4502,6 +4519,15 @@ rules:
       - create
       - patch
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - antrea-bgp-passwords
+    verbs:
+      - get
+      - watch
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -5110,7 +5136,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: f976029accf54258d01ad907fe19b50ac671eee014cd8aea968c6a0bc7e8f95a
+        checksum/config: 178df1e0c099cb87d001786b31a8a1e598bfc14e2d6eb974f46dc3bdfc5ef3dc
       labels:
         app: antrea
         component: antrea-agent
@@ -5349,7 +5375,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: f976029accf54258d01ad907fe19b50ac671eee014cd8aea968c6a0bc7e8f95a
+        checksum/config: 178df1e0c099cb87d001786b31a8a1e598bfc14e2d6eb974f46dc3bdfc5ef3dc
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-gke.yml

@@ -3684,6 +3684,14 @@ metadata:
   labels:
     app: antrea
 ---
+# Source: antrea/templates/agent/bgp-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: antrea-bgp-passwords
+  namespace: kube-system
+type: Opaque
+---
 # Source: antrea/templates/agent/secret.yaml
 apiVersion: v1
 kind: Secret
@@ -3807,6 +3815,9 @@ data:
     # Enable NodeLatencyMonitor to monitor the latency between Nodes.
     #  NodeLatencyMonitor: false
 
+    # Allow users to advertise Service IPs, Pod IPs, and Egress IPs to BGP peers.
+    #  BGPPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -4115,6 +4126,11 @@ data:
       maxAge: 28
       # Compress enables gzip compression on rotated files.
       compress: true
+
+    bgpPolicy:
+      # The name of the Secret storing passwords of the BGP peers. For each BGP peer, the Secret key is generated by
+      # concatenating its IP address and AS number, e.g., `192.168.1.1-65521`.
+      secretName: "antrea-bgp-passwords"
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -4445,6 +4461,7 @@ rules:
   - apiGroups:
       - crd.antrea.io
     resources:
+      - bgppolicies
       - externalippools
       - ippools
       - trafficcontrols
@@ -4502,6 +4519,15 @@ rules:
       - create
       - patch
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - antrea-bgp-passwords
+    verbs:
+      - get
+      - watch
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -5110,7 +5136,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 5299e6235e262daf606758cf900766470fcb8dd21a0d707a3ae284548bd8c2b2
+        checksum/config: 2b80cc90ebecf3ab2716df9ee529aa0388283256c85d37b440d397b8a3d5c984
       labels:
         app: antrea
         component: antrea-agent
@@ -5346,7 +5372,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: 5299e6235e262daf606758cf900766470fcb8dd21a0d707a3ae284548bd8c2b2
+        checksum/config: 2b80cc90ebecf3ab2716df9ee529aa0388283256c85d37b440d397b8a3d5c984
       labels:
         app: antrea
         component: antrea-controller

build/yamls/antrea-ipsec.yml

@@ -3684,6 +3684,14 @@ metadata:
   labels:
     app: antrea
 ---
+# Source: antrea/templates/agent/bgp-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: antrea-bgp-passwords
+  namespace: kube-system
+type: Opaque
+---
 # Source: antrea/templates/agent/ipsec-secret.yaml
 apiVersion: v1
 kind: Secret
@@ -3820,6 +3828,9 @@ data:
     # Enable NodeLatencyMonitor to monitor the latency between Nodes.
     #  NodeLatencyMonitor: false
 
+    # Allow users to advertise Service IPs, Pod IPs, and Egress IPs to BGP peers.
+    #  BGPPolicy: false
+
     # Name of the OpenVSwitch bridge antrea-agent will create and use.
     # Make sure it doesn't conflict with your existing OpenVSwitch bridges.
     ovsBridge: "br-int"
@@ -4128,6 +4139,11 @@ data:
       maxAge: 28
       # Compress enables gzip compression on rotated files.
       compress: true
+
+    bgpPolicy:
+      # The name of the Secret storing passwords of the BGP peers. For each BGP peer, the Secret key is generated by
+      # concatenating its IP address and AS number, e.g., `192.168.1.1-65521`.
+      secretName: "antrea-bgp-passwords"
   antrea-cni.conflist: |
     {
         "cniVersion":"0.3.0",
@@ -4458,6 +4474,7 @@ rules:
   - apiGroups:
       - crd.antrea.io
     resources:
+      - bgppolicies
       - externalippools
       - ippools
       - trafficcontrols
@@ -4515,6 +4532,15 @@ rules:
       - create
       - patch
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - antrea-bgp-passwords
+    verbs:
+      - get
+      - watch
 ---
 # Source: antrea/templates/antctl/clusterrole.yaml
 kind: ClusterRole
@@ -5123,7 +5149,7 @@ spec:
         kubectl.kubernetes.io/default-container: antrea-agent
         # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: ba93df141f512a1f8483114b5994444c7231b298e7e9133483ddc1f4210ec395
+        checksum/config: 940dc5c50998e1328e6a4188b3e5125f1005a420f5fec24bdce7d66d43739eb7
         checksum/ipsec-secret: d0eb9c52d0cd4311b6d252a951126bf9bea27ec05590bed8a394f0f792dcb2a4
       labels:
         app: antrea
@@ -5405,7 +5431,7 @@ spec:
       annotations:
         # Automatically restart Pod if the ConfigMap changes
         # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
-        checksum/config: ba93df141f512a1f8483114b5994444c7231b298e7e9133483ddc1f4210ec395
+        checksum/config: 940dc5c50998e1328e6a4188b3e5125f1005a420f5fec24bdce7d66d43739eb7
       labels:
         app: antrea
         component: antrea-controller