From fdd37f032e5edb41bcd03b65227a1cdae27f3833 Mon Sep 17 00:00:00 2001
From: Antonin Bas <antonin.bas@broadcom.com>
Date: Thu, 18 Apr 2024 18:14:06 -0700
Subject: [PATCH] Remove incorrect AntreaProxy warning on Windows

The code was logging an incorrect warning about AntreaProxy being
disabled. This is is because checkUnsupportedFeatures was in charge of
the check, but o.enableAntreaProxy is set later in the validation
chain. To avoid the issue, we introduce a new function for
platform-specific checks, validateConfigForPlatform, which runs after
all other validations and after all fields in the Options struct have
been set.

We also replace the warning message with an error message (but we do not
fail Agent initialization) and we add a check for proxyAll.

Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
---
 cmd/antrea-agent/options.go         |  6 ++++++
 cmd/antrea-agent/options_linux.go   |  5 +++++
 cmd/antrea-agent/options_windows.go | 18 +++++++++++++++++-
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/cmd/antrea-agent/options.go b/cmd/antrea-agent/options.go
index 133240c70a5..7e1ec94de2b 100644
--- a/cmd/antrea-agent/options.go
+++ b/cmd/antrea-agent/options.go
@@ -604,6 +604,12 @@ func (o *Options) validateK8sNodeOptions() error {
 		return fmt.Errorf("failed to validate secondary network config: %v", err)
 	}
 
+	// Unlike checkUnsupportedFeatures, validateConfigForPlatform runs after all validations and
+	// after all fields in the Options struct have been initialized (e.g., enableProxy).
+	if err := o.validateConfigForPlatform(); err != nil {
+		return err
+	}
+
 	return nil
 }
 
diff --git a/cmd/antrea-agent/options_linux.go b/cmd/antrea-agent/options_linux.go
index ec117056a59..9f1856b13f8 100644
--- a/cmd/antrea-agent/options_linux.go
+++ b/cmd/antrea-agent/options_linux.go
@@ -25,3 +25,8 @@ func (o *Options) checkUnsupportedFeatures() error {
 	// All features are supported on a Linux Node.
 	return nil
 }
+
+func (o *Options) validateConfigForPlatform() error {
+	// No additional validations for Linux Nodes.
+	return nil
+}
diff --git a/cmd/antrea-agent/options_windows.go b/cmd/antrea-agent/options_windows.go
index 2238c764021..92075d4fac4 100644
--- a/cmd/antrea-agent/options_windows.go
+++ b/cmd/antrea-agent/options_windows.go
@@ -64,8 +64,24 @@ func (o *Options) checkUnsupportedFeatures() error {
 		return fmt.Errorf("unsupported features on Windows: {%s}", strings.Join(unsupported, ", "))
 	}
 
+	return nil
+}
+
+func (o *Options) validateConfigForPlatform() error {
+	// AntreaProxy with proxyAll is required on Windows.
+	// The userspace kube-proxy mode (only mode compatible with the Antrea Agent on Windows) was
+	// removed in K8s v1.26, hence the requirement for proxyAll.
+	// Even prior to that, AntreaProxy was required for correct NetworkPolicy enforcement for
+	// Service traffic.
+	// While we do not fail initialization at the moment, there should be no valid use case for
+	// Antrea on Windows without AntreaProxy + proxyAll.
 	if !o.enableAntreaProxy {
-		klog.Warning("AntreaProxy is not enabled. NetworkPolicies might not be enforced correctly for Service traffic!")
+		klog.ErrorS(nil, "AntreaProxy is disabled, Service traffic is unlikely to work as expected")
+		return nil
+	}
+	if !o.config.AntreaProxy.ProxyAll {
+		klog.ErrorS(nil, "AntreaProxy proxyAll is disabled, Service traffic is unlikely to work as expected")
+		return nil
 	}
 	return nil
 }