Refactor antctl framework #356
Conversation
|
Thanks for your PR. The following commands are available:
These commands can only be run by members of the vmware-tanzu organization. |
weiqiangt
force-pushed
the
antctl-refactor
branch
from
4aa3219 to
eab31bd
Compare
weiqiangt
force-pushed
the
antctl-refactor
branch
2 times, most recently
from
dfac9a6 to
fed76f5
Compare
weiqiangt
force-pushed
the
antctl-refactor
branch
2 times, most recently
from
8a48f6d to
b626119
Compare
|
@weiqiangt would you mind moving the openapi stuff to a separate PR (along with the license template change) - and reference #323 in that new PR Removing the autogenerated code from your anctl refactor PR will make it easier to review |
Sure, I will separate this CL. |
weiqiangt
force-pushed
the
antctl-refactor
branch
2 times, most recently
from
e4f7392 to
bd0e17b
Compare
|
Please push your patch again to refresh jenkins jobs' status. |
weiqiangt
force-pushed
the
antctl-refactor
branch
from
bd0e17b to
248898e
Compare
There was a problem hiding this comment.
@weiqiangt: thanks for working on this. I guess there can be some misunderstanding in our discussion - what I suggested is that even for Agent, we should move the API server code out of antctl, as even Agent API can be consumed by other clients besides antctl, and one specific example is the Controller, if we want to query Agent info or send ops requests to Agent from a single entity - that is Antrea Controller (it might also mean later we might need to expose Agent API through the Node IP).
Another one - even for Controller, could we also expose some API through UDS, like controller-info, version, etc., so that even when K8s API is down, we can at least do some basic debugging using local CLI. I do not think this is critical though.
weiqiangt
force-pushed
the
antctl-refactor
branch
7 times, most recently
from
7469dc6 to
cb86a58
Compare
pkg/version/version.go
Outdated
| func GetMajorVersion() string { | ||
| v, err := semver.Parse(Version[1:]) | ||
| if err != nil { | ||
| println(err) |
There was a problem hiding this comment.
why not using log but output directly?
There was a problem hiding this comment.
Since the Version is basically a constant, I think we could just ignore the error. Let me remove this error handling.
There was a problem hiding this comment.
I removed GetMajorVersion and GetMinorVersion and made the GetVersion to return a semantic version object.
pkg/version/version.go
Outdated
| println(err) | ||
| return "0" | ||
| } | ||
| return fmt.Sprintf("%d.%d", v.Minor, v.Patch) |
There was a problem hiding this comment.
Why merge minor and patch to minor? I think k8sversion.Info's intention is major for major, minor for minor, gitversion for full version (the Version in this file):
version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3", GitCommit:"b3cbbae08ec52a7fc73d334838e18d17e8512749", GitTreeState:"clean", BuildDate:"2019-11-13T11:13:49Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}
There was a problem hiding this comment.
I didn't know the git version is used as full version, I would update it.
weiqiangt
force-pushed
the
antctl-refactor
branch
from
97aa7ad to
bd242f7
Compare
|
/test-all |
|
I think you need to update the PR description now. @jianjuns the PR looks good to me now, could you give another review? |
weiqiangt
force-pushed
the
antctl-refactor
branch
from
bd242f7 to
d372db0
Compare
|
/test-all |
| // Set the PairName but leave certificate directory blank to generate in-memory by default. | ||
| secureServing.ServerCert.CertDirectory = "" | ||
| secureServing.ServerCert.PairName = Name | ||
| ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", Port)) |
There was a problem hiding this comment.
I thought I added a comment here before but I could not find it any more. Anyway, have a question here: could we still enable unix domain socket for local CLI? I remember we discussed before security concerns on localhost TCP port without auth. Ideally we should enable the API server on both UDS and later host IP (for remote CLI, and potentially other consumers like Controller, support bundle collection, etc.).
@tnqn
There was a problem hiding this comment.
Is 127.0.0.1 same as UDS from security perspective? Do you mean anonymous user can get into the container and access the loopback address?
There was a problem hiding this comment.
Yeah, the server which leverages built-in server used uds, but it looks like the APIServer is not able to set up an UDS listener (it looks up port for some reasons).
There was a problem hiding this comment.
Yes, one issue is about no way to restrict what local users/processes can access the API endpoint.
If no good way, we can merge the current implementation for now. But let us explore the possibility of enable UDS.
|
/test-all |
|
/test-e2e |
LGTM overall. Sorry, I did not get time to do a detailed review. I will try to read the code more, but do not wait for me to merge the PR. |
|
/test-e2e |
weiqiangt
force-pushed
the
antctl-refactor
branch
from
d372db0 to
5dc1fdc
Compare
|
/test-all |
weiqiangt
force-pushed
the
antctl-refactor
branch
2 times, most recently
from
cbf0c79 to
cc35c53
Compare
|
/test-e2e |
- Set up an API server on antrea agent - The antctl client is consuming the API server in antrea agent instead of using the specific antctl server - Added API `/rule`, `/appliedtogroup`, `/addressgroup`, `/agentinfo` and `version` APIs to the agent API server - Add `get network-policy`, `get address-group` and `get applied-to-group` commands for controller - Add `get rule`, `get address-group` and `get applied-to-group` commands for agent - Make version file to honor semantic version Signed-off-by: Weiqiang TANG <weiqiangt@vmware.com>
weiqiangt
force-pushed
the
antctl-refactor
branch
from
cc35c53 to
13e40c4
Compare
|
/test-e2e |
|
/test-e2e |
1 similar comment
|
/test-e2e |
|
/test-all |
1 similar comment
|
/test-all |
instead of using the specific antctl server
/networkpolicies,/appliedtogroups,/addressgroups,/agentinfoand/versionAPIs to the agent API serverget network-policy,get address-groupandget applied-to-groupcommands for both controller and agent
GetVersioninversion.goreturning a semantic version object.By applying network policy:
Antrea agent:
antctl get rule -oyamlantctl get applied-to-group -oyamlantctl get address-group -oyamlAntrea controller:
antctl get network-policy -oyamlantctl get applied-to-group -oyamlantctl get address-group -oyamlResolves #239.