Add documentation for antctl proxy

antrea-io · Oct 29, 2020 · 023ea20 · 023ea20
1 parent b177cd3
commit 023ea20
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 1 deletion.
diff --git a/docs/antctl.md b/docs/antctl.md
@@ -24,6 +24,7 @@ running in two different modes:
   - [Dumping OVS flows](#dumping-ovs-flows)
   - [OVS packet tracing](#ovs-packet-tracing)
   - [Traceflow](#traceflow)
+  - [Antctl Proxy](#antctl-proxy)
 <!-- /toc -->
 
 ## Installation
@@ -367,7 +368,8 @@ be added to start the traceflow without waiting for result. Then, the deletion o
 will not be conducted. Besides, users can specify header protocol (ICMP, TCP and UDP),
 source/destination ports and TCP flags.
 
-e.g.
+For example:
+
 ```bash
 $ antctl traceflow -S busybox0 -D busybox1
 name: default-busybox0-to-default-busybox1-fpllngzi
@@ -384,3 +386,32 @@ results:
     componentInfo: Output
     action: Delivered
 ```
+
+### Antctl Proxy
+
+Antctl can run as a reverse proxy for the Antrea API (Controller or arbitrary
+Agent). Usage is very similar to `kubectl proxy` and the implementation is
+essentially the same. One thing to keep in mind is that the TLS connection
+between the proxy and the Antrea Agent or Controller will not be secure (no
+certificate verification), and the proxy should be used for debugging only.
+
+To run a reverse proxy for the Antrea Controller API, use:
+
+```bash
+$ antctl proxy --controller
+````
+
+To run a reverse proxy for the Antrea Agent API for the antrea-agent Pod running
+on Node <TARGET_NODE>, use:
+
+```bash
+$ antctl proxy --agent-node
+```
+
+You can then access the API at `127.0.0.1:8001`. To see the full list of
+supported options, run `antctl proxy --help`.
+
+This feature is useful if one wants to use the Go
+[pprof](https://golang.org/pkg/net/http/pprof/) tool to collect runtime
+profiling data about the Antrea components. Please refer to this
+[document](troubleshooting.md#profiling-antrea-components) for more information.
diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
@@ -7,12 +7,15 @@
 - [Accessing the antrea-controller API](#accessing-the-antrea-controller-api)
   - [Using antctl](#using-antctl)
   - [Using kubectl proxy](#using-kubectl-proxy)
+  - [Using antctl proxy](#using-antctl-proxy)
   - [Directly accessing the antrea-controller API](#directly-accessing-the-antrea-controller-api)
 - [Accessing the antrea-agent API](#accessing-the-antrea-agent-api)
   - [Using antctl](#using-antctl-1)
+  - [Using antctl proxy](#using-antctl-proxy-1)
   - [Directly accessing the antrea-agent API](#directly-accessing-the-antrea-agent-api)
 - [Troubleshooting Open vSwitch](#troubleshooting-open-vswitch)
 - [Troubleshooting with antctl](#troubleshooting-with-antctl)
+- [Profiling Antrea components](#profiling-antrea-components)
 <!-- /toc -->
 
 ## Looking at the Antrea logs
@@ -101,6 +104,14 @@ kubectl proxy &
 curl 127.0.0.1:8001/apis/controlplane.antrea.tanzu.vmware.com
 ```
 
+### Using antctl proxy
+
+Antctl supports running a reverse proxy (similar to the kubectl one) which
+enables access to the entire Antrea Controller API (not just aggregated API
+Services), but does not secure the TLS connection between the proxy and the
+Controller. Refer to the [antctl documentation](antctl.md#antctl-proxy) for more
+information.
+
 ### Directly accessing the antrea-controller API
 
 If you want to directly access the antrea-controller API, you need to get its
@@ -136,6 +147,13 @@ kubectl exec -it <antrea-agent Pod name> -n kube-system -c antrea-agent bash
 antctl get networkpolicy
 ```
 
+### Using antctl proxy
+
+Antctl supports running a reverse proxy (similar to the kubectl one) which
+enables access to the entire Antrea Agent API, but does not secure the TLS
+connection between the proxy and the Controller. Refer to the [antctl
+documentation](antctl.md#antctl-proxy) for more information.
+
 ### Directly accessing the antrea-agent API
 
 If you want to directly access the antrea-agent API, you need to log into the
@@ -221,3 +239,22 @@ Agent, which can print the runtime information of `antrea-controller` and
 information on a Node, dump Antrea OVS flows, and perform OVS packet tracing.
 Refer to the [`antctl` guide](/docs/antctl.md#usage) to learn how to use these
 commands.
+
+## Profiling Antrea components
+
+The easiest way to profile the Antrea components is to use the Go
+[pprof](https://golang.org/pkg/net/http/pprof/) tool. Both the Antrea Agent and
+the Antrea Controller use the k8s apiserver library to server their API, and
+this library enables the pprof HTTP server by default. In order to access it
+without having to worry about authentication, you can use the antctl proxy
+function.
+
+For example, this is what you would do to look at a 30-second CPU profile for
+the Antrea Controller:
+
+```bash
+# Start the proxy in the background
+antctl proxy --controller&
+# Look at a 30-second CPU profile
+go tool pprof http://127.0.0.1:8001/debug/pprof/profile?seconds=30
+```