Azure · vakalapa · Mar 2, 2023 · Jan 10, 2023 · Jan 10, 2023 · Jan 11, 2023
@@ -18,8 +18,6 @@ import (
 	"github.com/Microsoft/hcsshim/hcn"
 )
 
-const networkName = "azure"
-
 var errorFakeHNS = errors.New("errorFakeHNS Error")
 
 func newErrorFakeHNS(errStr string) error {
@@ -185,7 +183,9 @@ func (f Hnsv2wrapperFake) GetNetworkByName(networkName string) (*hcn.HostCompute
 	if network, ok := f.Cache.networks[networkName]; ok {
 		return network.GetHCNObj(), nil
 	}
-	return nil, hcn.NetworkNotFoundError{}
+	return nil, hcn.NetworkNotFoundError{
+		NetworkName: networkName,
+	}
 }
 
 func (f Hnsv2wrapperFake) GetNetworkByID(networkID string) (*hcn.HostComputeNetwork, error) {
@@ -528,4 +528,5 @@ type FakeEndpointPolicy struct {
 	LocalPorts      string            `json:",omitempty"`
 	RemotePorts     string            `json:",omitempty"`
 	Priority        int               `json:",omitempty"`
+	// FIXME should include RuleType too, but that will require updating every instance of this struct in UTs
 }
@@ -32,8 +32,7 @@ import (
 
 var npmV2DataplaneCfg = &dataplane.Config{
 	IPSetManagerCfg: &ipsets.IPSetManagerCfg{
-		NetworkName: "azure", // FIXME  should be specified in DP config instead
-		// NOTE: IPSetMode must be set later by the npm ConfigMap or default config
+		// NOTE: NetworkName and IPSetMode must be set later by the npm ConfigMap or default config
 	},
 	PolicyManagerCfg: &policies.PolicyManagerCfg{
 		PolicyMode: policies.IPSetPolicyMode,
@@ -124,6 +123,12 @@ func start(config npmconfig.Config, flags npmconfig.Flags) error {
 	stopChannel := wait.NeverStop
 	if config.Toggles.EnableV2NPM {
 		// update the dataplane config
+		if config.WindowsNetworkName == "" {
+			npmV2DataplaneCfg.NetworkName = util.AzureNetworkName
+		} else {
+			npmV2DataplaneCfg.NetworkName = config.WindowsNetworkName
+		}
+
 		npmV2DataplaneCfg.PlaceAzureChainFirst = config.Toggles.PlaceAzureChainFirst
 		if config.Toggles.ApplyIPSetsOnNeed {
 			npmV2DataplaneCfg.IPSetMode = ipsets.ApplyOnNeed

@@ -16,6 +16,7 @@ const (
 
 // DefaultConfig is the guaranteed configuration NPM can run in out of the box
 var DefaultConfig = Config{
+	WindowsNetworkName:    util.AzureNetworkName,
 	ResyncPeriodInMinutes: defaultResyncPeriod,
 
 	ListeningPort:    defaultListeningPort,
@@ -47,14 +48,14 @@ type GrpcServerConfig struct {
 }
 
 type Config struct {
-	ResyncPeriodInMinutes int `json:"ResyncPeriodInMinutes,omitempty"`
-
-	ListeningPort    int    `json:"ListeningPort,omitempty"`
-	ListeningAddress string `json:"ListeningAddress,omitempty"`
-
-	Transport GrpcServerConfig `json:"Transport,omitempty"`
-
-	Toggles Toggles `json:"Toggles,omitempty"`
+	// WindowsNetworkName can be either 'azure' or 'Calico' (case sensitive).
+	// It can also be the empty string, which results in the default value of 'azure'.
+	WindowsNetworkName    string           `json:"WindowsNetworkName,omitempty"`
+	ResyncPeriodInMinutes int              `json:"ResyncPeriodInMinutes,omitempty"`
+	ListeningPort         int              `json:"ListeningPort,omitempty"`
+	ListeningAddress      string           `json:"ListeningAddress,omitempty"`
+	Transport             GrpcServerConfig `json:"Transport,omitempty"`
+	Toggles               Toggles          `json:"Toggles,omitempty"`
 }
 
 type Toggles struct {

@@ -0,0 +1,162 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: azure-npm
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: azure-npm
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - nodes
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: azure-npm-binding
+  namespace: kube-system
+  labels:
+    addonmanager.kubernetes.io/mode: EnsureExists
+subjects:
+  - kind: ServiceAccount
+    name: azure-npm
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: azure-npm
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: azure-npm-win
+  namespace: kube-system
+  labels:
+    app: azure-npm
+    addonmanager.kubernetes.io/mode: EnsureExists
+spec:
+  selector:
+    matchLabels:
+      k8s-app: azure-npm
+  template:
+    metadata:
+      labels:
+        k8s-app: azure-npm
+      annotations:
+        azure.npm/scrapeable: ""
+    spec:
+      priorityClassName: system-node-critical
+      tolerations:
+        - operator: "Exists"
+          effect: NoExecute
+        - operator: "Exists"
+          effect: NoSchedule
+        - key: CriticalAddonsOnly
+          operator: Exists
+      securityContext:
+        windowsOptions:
+          hostProcess: true
+          runAsUserName: "NT AUTHORITY\\SYSTEM"
+      hostNetwork: true
+      containers:
+        - name: azure-npm
+          # setting to future version since it will use the updated Dockerfile
+          image: mcr.microsoft.com/containernetworking/azure-npm:v1.4.42
+          command: ["powershell.exe"]
+          args:
+            [
+              '.\setkubeconfigpath-capz.ps1',
+              ";",
+              "powershell.exe",
+              '.\npm.exe',
+              "start",
+              '--kubeconfig=.\kubeconfig',
+            ]
+          resources:
+            limits:
+              cpu: 250m
+              memory: 300Mi
+            requests:
+              cpu: 250m
+          env:
+            - name: HOSTNAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: NPM_CONFIG
+              value: .\\etc\\azure-npm\\azure-npm.json
+          volumeMounts:
+            - name: azure-npm-config
+              mountPath: .\\etc\\azure-npm
+      nodeSelector:
+        kubernetes.io/os: windows
+      volumes:
+        - name: azure-npm-config
+          configMap:
+            name: azure-npm-config
+      serviceAccountName: azure-npm
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: npm-metrics-cluster-service
+  namespace: kube-system
+  labels:
+    app: npm-metrics
+spec:
+  selector:
+    k8s-app: azure-npm
+  ports:
+    - port: 9000
+      targetPort: 10091
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: azure-npm-config
+  namespace: kube-system
+data:
+  azure-npm.json: |
+    {
+        "WindowsNetworkName": "Calico",
+        "ResyncPeriodInMinutes": 15,
+        "ListeningPort":         10091,
+        "ListeningAddress":      "0.0.0.0",
+        "Toggles": {
+            "EnablePrometheusMetrics": true,
+            "EnablePprof":             true,
+            "EnableHTTPDebugAPI":      true,
+            "EnableV2NPM":             true,
+            "PlaceAzureChainFirst":    true,
+            "ApplyIPSetsOnNeed":       false
+        },
+        "Transport": {
+          "Address": "azure-npm.kube-system.svc.cluster.local",
+          "Port": 10092,
+          "ServicePort": 9001
+        }
+    }
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: long-runner
+  namespace: npm-e2e-longrunner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: long-runner
+  template:
+    metadata:
+      labels:
+        app: long-runner
+    spec:
+      containers:
+      - command:
+        - /agnhost
+        - serve-hostname
+        - --tcp
+        - --http=false
+        - --port
+        - "80"
+        image: k8s.gcr.io/e2e-test-images/agnhost:2.33
+        imagePullPolicy: IfNotPresent
+        name: cont-80-tcp
+        ports:
+        - containerPort: 80
+          name: serve-80-tcp
+          protocol: TCP
@@ -0,0 +1,11 @@
+# pull the server value from the kubeconfig on host to construct our own kubeconfig, but using service principal settings
+# this is required to build a kubeconfig using the kubeconfig on disk in c:\etc\kubernetes, and the service principle granted in the container mount, to generate clientset
+$cpEndpoint = Get-Content C:\etc\kubernetes\kubelet.conf | ForEach-Object -Process {if($_.Contains("server:")) {$_.Trim().Split()[1]}}
+$token = Get-Content -Path $env:CONTAINER_SANDBOX_MOUNT_POINT\var\run\secrets\kubernetes.io\serviceaccount\token
+$ca = Get-Content -Raw -Path $env:CONTAINER_SANDBOX_MOUNT_POINT\var\run\secrets\kubernetes.io\serviceaccount\ca.crt
+$caBase64 = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($ca))
+$server = "server: $cpEndpoint"
+(Get-Content $env:CONTAINER_SANDBOX_MOUNT_POINT\kubeconfigtemplate.yaml).
+    replace("<ca>", $caBase64).
+    replace("<server>", $server.Trim()).
+    replace("<token>", $token) | Set-Content $env:CONTAINER_SANDBOX_MOUNT_POINT\kubeconfig -Force