test: add test cases for monitor mode

.github/workflows/ci.yaml

@@ -2,7 +2,8 @@ name: ci
 
 on:
   pull_request:
-    branches: [ main, release-1.0 ]
+    branches:
+      - '**'
 
   push:
     branches: [ main, release-1.0 ]
@@ -32,7 +33,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.45
+          version: v1.48.0
           only-new-issues: true
           # skip cache because of flaky behaviors
           skip-build-cache: true
@@ -44,7 +45,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: install e2e environment dependency
-        run: sudo sh -c "apt update && apt install -y openvswitch-switch && systemctl start openvswitch-switch"
+        run: sudo sh -c "apt update && apt install -y openvswitch-switch=2.13.* conntrack && systemctl start openvswitch-switch"
 
       - name: allow ssh connect to localhost
         run: sudo -H sh -c "ssh-keygen -qN '' </dev/zero; cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys"
@@ -61,7 +62,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: clean old eveorute
-        run: sudo skaffold run -d=harbor.smartx.com/everoute -f skaffold-clean.yaml
+        run: sudo skaffold run -d=registry.smtx.io/everoute -f skaffold-clean.yaml
 
       - name: wait clean process ready
         run: kubectl wait po -n kube-system --for=condition=Ready=True -l app=everoute -l component=everoute-clean --timeout=3m
@@ -75,7 +76,7 @@ jobs:
         run: kubectl delete -f hack/clean.yaml
 
       - name: build everoute and deploy
-        run: sudo skaffold run -d=harbor.smartx.com/everoute
+        run: sudo skaffold run -d=registry.smtx.io/everoute
 
       - name: wait everoute ready
         run: bash hack/check_ready.sh
@@ -87,7 +88,7 @@ jobs:
           path: "./kubernetes"
 
       - name: apply e2e patch
-        run: cd kubernetes && git apply ../hack/0001-test-e2e-add-sleep-before-cannot-conntect-test.patch
+        run: cd kubernetes && git apply ../hack/0001-test-e2e-add-sleep-before-cannot-conntect-test.patch ../hack/0001-test-e2e-reduce-test-log.patch
 
       - name: build e2e
         run: cd kubernetes && make all WHAT=test/e2e/e2e.test && make all WHAT=vendor/github.com/onsi/ginkgo/ginkgo

Makefile

@@ -80,6 +80,7 @@ gqlgen:
 
 protopb:
 	protoc -I=. --go_out=plugins=grpc:.  pkg/apis/cni/v1alpha1/cni.proto
+	protoc -I=. --go_out=plugins=grpc:.  pkg/apis/rpc/v1alpha1/collector.proto
 
 apidocs-gen:
 	$(eval PATH := $$(PATH):$(shell go env GOPATH)/bin)

build/images/release/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.15 as builder
+FROM golang:1.16 as builder
 
 # Download deps
 RUN mkdir -p $GOPATH/src/everoute
@@ -27,7 +27,8 @@ RUN chmod 755 /opt/everoute/bin/*
 FROM ubuntu:20.04
 
 #RUN apk update && apk add openvswitch
-RUN apt update && apt install -y openvswitch-switch=2.13.* iptables iproute2 tcpdump && rm -rf /var/lib/apt/lists/*
+RUN apt update && apt install -y openvswitch-switch=2.13.* iptables \
+    conntrack iproute2 tcpdump && rm -rf /var/lib/apt/lists/*
 
 # Automatically detect iptables mode (legacy or nf_tables) from baseOS
 RUN ln -s -f /opt/everoute/bin/iptables-wrapper /etc/alternatives/iptables

cmd/everoute-agent/main.go

@@ -33,6 +33,7 @@ import (
 	"github.com/everoute/everoute/pkg/agent/controller/policy"
 	"github.com/everoute/everoute/pkg/agent/datapath"
 	"github.com/everoute/everoute/pkg/agent/proxy"
+	"github.com/everoute/everoute/pkg/agent/rpcserver"
 	clientsetscheme "github.com/everoute/everoute/pkg/client/clientset_generated/clientset/scheme"
 	"github.com/everoute/everoute/pkg/constants"
 	"github.com/everoute/everoute/pkg/monitor"
@@ -132,6 +133,9 @@ func main() {
 	agentmonitor := monitor.NewAgentMonitor(k8sClient, ovsdbMonitor, ofPortIPAddrMoniotorChan)
 	go agentmonitor.Run(stopChan)
 
+	rpcServer := rpcserver.Initialize(datapathManager)
+	go rpcServer.Run(stopChan)
+
 	<-stopChan
 }
 

deploy/crds/security.everoute.io_globalpolicies.yaml

@@ -49,10 +49,9 @@ spec:
                 - Drop
                 type: string
               globalPolicyEnforcementMode:
+                default: work
                 description: GlobalPolicy enforcement mode
                 type: string
-            required:
-            - globalPolicyEnforcementMode
             type: object
         type: object
     served: true

deploy/crds/security.everoute.io_securitypolicies.yaml

@@ -911,6 +911,7 @@ spec:
                   type: string
                 type: array
               securityPolicyEnforcementMode:
+                default: work
                 description: 'Work mode specify the policy enforcement state: monitor
                   or work'
                 type: string

deploy/everoute-agent/agent.yaml

@@ -56,7 +56,7 @@ spec:
       serviceAccountName: everoute-agent
       containers:
         - name: init-agent
-          command: [ "init_agent" ]
+          command: ["init_agent"]
           image: everoute/release
           imagePullPolicy: IfNotPresent
           lifecycle:
@@ -70,8 +70,6 @@ spec:
               mountPath: /var/lib/everoute/
             - name: cni-bin
               mountPath: /opt/cni/bin/
-            - name: everoute-run
-              mountPath: /var/run/everoute/
             - name: cni-conf
               mountPath: /etc/cni/net.d
             - name: everoute-config
@@ -121,8 +119,6 @@ spec:
           volumeMounts:
             - name: everoute-agent
               mountPath: /var/lib/everoute/
-            - name: everoute-run
-              mountPath: /var/run/everoute/
             - name: everoute-config
               mountPath: /var/lib/everoute/agentconfig.yaml
               subPath: agentconfig.yaml
@@ -165,9 +161,6 @@ spec:
         - hostPath:
             path: /opt/cni/bin/
           name: cni-bin
-        - name: everoute-run
-          hostPath:
-            path: /var/run/everoute
         - hostPath:
             path: /etc/cni/net.d
           name: cni-conf

deploy/everoute-agent/role.yaml

@@ -44,7 +44,6 @@ rules:
   resources:
     - securitypolicies
     - globalpolicies
-    - policyenforcementmodes
   verbs:
     - get
     - list

deploy/everoute-controller/role.yaml

@@ -78,7 +78,6 @@ rules:
   - endpoints
   - endpoints/status
   - globalpolicies
-  - policyenforcementmodes
   verbs:
   - patch
   - create

deploy/everoute.yaml

@@ -720,10 +720,9 @@ spec:
                 - Drop
                 type: string
               globalPolicyEnforcementMode:
+                default: work
                 description: GlobalPolicy enforcement mode
                 type: string
-            required:
-            - globalPolicyEnforcementMode
             type: object
         type: object
     served: true
@@ -736,57 +735,6 @@ status:
   conditions: []
   storedVersions: []
 
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.6.2
-  creationTimestamp: null
-  name: policyenforcementmodes.security.everoute.io
-spec:
-  group: security.everoute.io
-  names:
-    kind: PolicyEnforcementMode
-    listKind: PolicyEnforcementModeList
-    plural: policyenforcementmodes
-    singular: policyenforcementmode
-  scope: Cluster
-  versions:
-  - name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: Specification of the desired behavior for this SecurityPolicy.
-            properties:
-              defaultEnforcementMode:
-                type: string
-              enforcementMode:
-                type: string
-            type: object
-        type: object
-    served: true
-    storage: true
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -1699,6 +1647,7 @@ spec:
                   type: string
                 type: array
               securityPolicyEnforcementMode:
+                default: work
                 description: 'Work mode specify the policy enforcement state: monitor
                   or work'
                 type: string
@@ -1784,7 +1733,7 @@ spec:
       serviceAccountName: everoute-agent
       containers:
         - name: init-agent
-          command: [ "init_agent" ]
+          command: ["init_agent"]
           image: everoute/release
           imagePullPolicy: IfNotPresent
           lifecycle:
@@ -1798,8 +1747,6 @@ spec:
               mountPath: /var/lib/everoute/
             - name: cni-bin
               mountPath: /opt/cni/bin/
-            - name: everoute-run
-              mountPath: /var/run/everoute/
             - name: cni-conf
               mountPath: /etc/cni/net.d
             - name: everoute-config
@@ -1849,8 +1796,6 @@ spec:
           volumeMounts:
             - name: everoute-agent
               mountPath: /var/lib/everoute/
-            - name: everoute-run
-              mountPath: /var/run/everoute/
             - name: everoute-config
               mountPath: /var/lib/everoute/agentconfig.yaml
               subPath: agentconfig.yaml
@@ -1893,9 +1838,6 @@ spec:
         - hostPath:
             path: /opt/cni/bin/
           name: cni-bin
-        - name: everoute-run
-          hostPath:
-            path: /var/run/everoute
         - hostPath:
             path: /etc/cni/net.d
           name: cni-conf
@@ -1958,7 +1900,6 @@ rules:
   resources:
     - securitypolicies
     - globalpolicies
-    - policyenforcementmodes
   verbs:
     - get
     - list
@@ -2118,7 +2059,6 @@ rules:
   - endpoints
   - endpoints/status
   - globalpolicies
-  - policyenforcementmodes
   verbs:
   - patch
   - create