antctl support traceflow

Fixed antrea-io#923
e.g.
```
$ antctl traceflow -S busybox0 -D busybox1
name: default-busybox0-to-default-busybox1
phase: Succeeded
source: default/busybox0
destination: default/busybox1
noderesults:
- node: antrea-linux-testbed7-2
  role: ""
  timestamp: 1595391265
  observations:
  - component: SpoofGuard
    componentinfo: ""
    action: Forwarded
    pod: ""
    dstmac: ""
    networkpolicy: ""
    ttl: 0
    translatedsrcip: ""
    translateddstip: ""
    tunneldstip: ""
  - component: Forwarding
    componentinfo: Output
    action: Delivered
    pod: ""
    dstmac: ""
    networkpolicy: ""
    ttl: 0
    translatedsrcip: ""
    translateddstip: ""
    tunneldstip: ""
```

build/yamls/antrea-eks.yml

@@ -261,6 +261,14 @@ rules:
   - supportbundles/download
   verbs:
   - get
+- apiGroups:
+  - ops.antrea.tanzu.vmware.com
+  resources:
+  - traceflows
+  verbs:
+  - get
+  - create
+  - delete
 - nonResourceURLs:
   - /agentinfo
   - /addressgroups
@@ -358,6 +366,8 @@ rules:
   - list
   - update
   - patch
+  - create
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -459,6 +469,8 @@ rules:
   - list
   - update
   - patch
+  - create
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -745,6 +757,21 @@ spec:
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
+metadata:
+  labels:
+    app: antrea
+  name: v1alpha1.ops.antrea.tanzu.vmware.com
+spec:
+  group: ops.antrea.tanzu.vmware.com
+  groupPriorityMinimum: 100
+  service:
+    name: antrea
+    namespace: kube-system
+  version: v1alpha1
+  versionPriority: 100
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
 metadata:
   labels:
     app: antrea

build/yamls/antrea-gke.yml

@@ -261,6 +261,14 @@ rules:
   - supportbundles/download
   verbs:
   - get
+- apiGroups:
+  - ops.antrea.tanzu.vmware.com
+  resources:
+  - traceflows
+  verbs:
+  - get
+  - create
+  - delete
 - nonResourceURLs:
   - /agentinfo
   - /addressgroups
@@ -358,6 +366,8 @@ rules:
   - list
   - update
   - patch
+  - create
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -459,6 +469,8 @@ rules:
   - list
   - update
   - patch
+  - create
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -745,6 +757,21 @@ spec:
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
+metadata:
+  labels:
+    app: antrea
+  name: v1alpha1.ops.antrea.tanzu.vmware.com
+spec:
+  group: ops.antrea.tanzu.vmware.com
+  groupPriorityMinimum: 100
+  service:
+    name: antrea
+    namespace: kube-system
+  version: v1alpha1
+  versionPriority: 100
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
 metadata:
   labels:
     app: antrea

build/yamls/antrea-ipsec.yml

@@ -261,6 +261,14 @@ rules:
   - supportbundles/download
   verbs:
   - get
+- apiGroups:
+  - ops.antrea.tanzu.vmware.com
+  resources:
+  - traceflows
+  verbs:
+  - get
+  - create
+  - delete
 - nonResourceURLs:
   - /agentinfo
   - /addressgroups
@@ -358,6 +366,8 @@ rules:
   - list
   - update
   - patch
+  - create
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -459,6 +469,8 @@ rules:
   - list
   - update
   - patch
+  - create
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -754,6 +766,21 @@ spec:
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
+metadata:
+  labels:
+    app: antrea
+  name: v1alpha1.ops.antrea.tanzu.vmware.com
+spec:
+  group: ops.antrea.tanzu.vmware.com
+  groupPriorityMinimum: 100
+  service:
+    name: antrea
+    namespace: kube-system
+  version: v1alpha1
+  versionPriority: 100
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
 metadata:
   labels:
     app: antrea

build/yamls/antrea.yml

@@ -261,6 +261,14 @@ rules:
   - supportbundles/download
   verbs:
   - get
+- apiGroups:
+  - ops.antrea.tanzu.vmware.com
+  resources:
+  - traceflows
+  verbs:
+  - get
+  - create
+  - delete
 - nonResourceURLs:
   - /agentinfo
   - /addressgroups
@@ -358,6 +366,8 @@ rules:
   - list
   - update
   - patch
+  - create
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -459,6 +469,8 @@ rules:
   - list
   - update
   - patch
+  - create
+  - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -745,6 +757,21 @@ spec:
 ---
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
+metadata:
+  labels:
+    app: antrea
+  name: v1alpha1.ops.antrea.tanzu.vmware.com
+spec:
+  group: ops.antrea.tanzu.vmware.com
+  groupPriorityMinimum: 100
+  service:
+    name: antrea
+    namespace: kube-system
+  version: v1alpha1
+  versionPriority: 100
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
 metadata:
   labels:
     app: antrea

build/yamls/base/agent-rbac.yml

@@ -95,6 +95,8 @@ rules:
       - list
       - update
       - patch
+      - create
+      - delete
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1

build/yamls/base/antctl.yml

@@ -39,6 +39,14 @@ rules:
       - supportbundles/download
     verbs:
       - get
+  - apiGroups:
+      - ops.antrea.tanzu.vmware.com
+    resources:
+      - traceflows
+    verbs:
+      - get
+      - create
+      - delete
   - nonResourceURLs:
       - /agentinfo
       - /addressgroups

build/yamls/base/controller-rbac.yml

@@ -109,6 +109,8 @@ rules:
       - list
       - update
       - patch
+      - create
+      - delete
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1

build/yamls/base/controller.yml

@@ -42,6 +42,21 @@ spec:
     name: antrea
     namespace: kube-system
 ---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  labels:
+    app: antrea
+  name: v1alpha1.ops.antrea.tanzu.vmware.com
+spec:
+  group: ops.antrea.tanzu.vmware.com
+  groupPriorityMinimum: 100
+  service:
+    name: antrea
+    namespace: kube-system
+  version: v1alpha1
+  versionPriority: 100
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -132,3 +147,4 @@ spec:
           hostPath:
             path: /var/log/antrea
             type: DirectoryOrCreate
+

build/yamls/overlays.vIHFNKJa/configMap/antrea-agent.conf

@@ -0,0 +1,60 @@
+# FeatureGates is a map of feature names to bools that enable or disable experimental features.
+featureGates:
+# Enable antrea proxy which provides ServiceLB for in-cluster services in antrea agent.
+# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
+# Service traffic.
+#  AntreaProxy: false
+# Enable traceflow which provides packet tracing feature to diagnose network issue.
+#  Traceflow: false
+
+# Name of the OpenVSwitch bridge antrea-agent will create and use.
+# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
+#ovsBridge: br-int
+
+# Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are:
+# - system
+# - netdev
+# 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run
+# OVS in userspace mode. Userspace mode requires the tun device driver to be available.
+#ovsDatapathType: system
+
+# Name of the interface antrea-agent will create and use for host <--> pod communication.
+# Make sure it doesn't conflict with your existing interfaces.
+#hostGateway: antrea-gw0
+
+# Encapsulation mode for communication between Pods across Nodes, supported values:
+# - geneve (default)
+# - vxlan
+# - gre
+# - stt
+#tunnelType: geneve
+
+# Default MTU to use for the host gateway interface and the network interface of each Pod. If
+# omitted, antrea-agent will default this value to 1450 to accommodate for tunnel encapsulate
+# overhead.
+#defaultMTU: 1450
+
+# Whether or not to enable IPsec encryption of tunnel traffic. IPsec encryption is only supported
+# for the GRE tunnel type.
+#enableIPSecTunnel: false
+
+# CIDR Range for services in cluster. It's required to support egress network policy, should
+# be set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver.
+#serviceCIDR: 10.96.0.0/12
+
+# Determines how traffic is encapsulated. It has the following options
+# encap(default): Inter-node Pod traffic is always encapsulated and Pod to outbound traffic is masqueraded.
+# noEncap: Inter-node Pod traffic is not encapsulated, but Pod to outbound traffic is masqueraded.
+#          Underlying network must be capable of supporting Pod traffic across IP subnet.
+# hybrid: noEncap if worker Nodes on same subnet, otherwise encap.
+# networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod IPAM and connectivity to primary CNI.
+#
+#trafficEncapMode: encap
+
+# The port for the antrea-agent APIServer to serve on.
+# Note that if it's set to another value, the `containerPort` of the `api` port of the
+# `antrea-agent` container must be set to the same value.
+#apiPort: 10350
+
+# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
+#enablePrometheusMetrics: false

build/yamls/overlays.vIHFNKJa/configMap/antrea-controller.conf

@@ -0,0 +1,25 @@
+# FeatureGates is a map of feature names to bools that enable or disable experimental features.
+featureGates:
+# Enable traceflow which provides packet tracing feature to diagnose network issue.
+#  Traceflow: false
+
+# Enable ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
+# to define security policies which apply to the entire cluster.
+# ClusterNetworkPolicy: false
+
+# The port for the antrea-controller APIServer to serve on.
+# Note that if it's set to another value, the `containerPort` of the `api` port of the
+# `antrea-controller` container must be set to the same value.
+#apiPort: 10349
+
+# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
+#enablePrometheusMetrics: false
+
+# Indicates whether to use auto-generated self-signed TLS certificate.
+# If false, A Secret named "antrea-controller-tls" must be provided with the following keys:
+#   ca.crt: <CA certificate>
+#   tls.crt: <TLS certificate>
+#   tls.key: <TLS private key>
+# And the Secret must be mounted to directory "/var/run/antrea/antrea-controller-tls" of the
+# antrea-controller container.
+#selfSignedCert: true

build/yamls/overlays.vIHFNKJa/configMap/kustomization.yml

@@ -0,0 +1,10 @@
+configMapGenerator:
+- behavior: merge
+  files:
+  - antrea-agent.conf
+  - antrea-controller.conf
+  name: antrea-config
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base

build/yamls/overlays.vIHFNKJa/dev/agentImagePullPolicy.yml

@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: antrea-agent
+spec:
+  template:
+    spec:
+      containers:
+        - name: antrea-agent
+          imagePullPolicy: IfNotPresent
+        - name: antrea-ovs
+          imagePullPolicy: IfNotPresent
+      initContainers:
+        - name: install-cni
+          imagePullPolicy: IfNotPresent