Add env 'ANTREA_NAMESPACE' support in antctl

[luolanzone]

After this #5135 change is introduced, when antctl is called in a Pod (e.g. named debug) to collect Antrea support bundle in a secure way, it will get the Namespace of the debug Pod instead of Antrea Pod's Namespace. If the debug Pod is not running in kube-system, it will fail to get Antrea CA config which is located at kube-system.
To avoid such Namespace mismatch issue, it would be better to add a new env like ANTREA_NAMESPACE in antctl to allow user to configure which Namespace the Antrea is deployed to.

[antoninbas]

I wonder why this is not caught by

antrea/test/e2e/antctl_test.go

Line 184 in df82b76

func testAntctlControllerRemoteAccess(t *testing.T, data *TestData, antctlServiceAccountName string, antctlImage string) {

The test Pod which runs antctl is created in the "test namespace", not in the kube-system namespace.

[roopeshsn]

I would like to work on this issue, Lan and Antonin!

[luolanzone]

Hi @roopeshsn I have assigned this issue to you, thanks for your interest to contribution.

[EraKin575]

Is this issue being solved? I would like to solve this issue

[antoninbas]

@EraKin575 you are welcome to submit a PR, given that we have not heard back from @roopeshsn
I will keep the issue unassigned for now. We will be happy to review any submitted PR which addresses this issue.

[roopeshsn]

Hi, @antoninbas! I am working on this issue. Apologies for not replying in a timely manner. I'll come up with progress in a week.

[roopeshsn]

After this #5135 change is introduced, when antctl is called in a Pod (e.g. named debug) to collect Antrea support bundle in a secure way, it will get the Namespace of the debug Pod instead of Antrea Pod's Namespace. If the debug Pod is not running in kube-system, it will fail to get Antrea CA config which is located at kube-system. To avoid such Namespace mismatch issue, it would be better to add a new env like ANTREA_NAMESPACE in antctl to allow user to configure which Namespace the Antrea is deployed to.

After looking at the code it seems, the GetControllerCACert function is getting the CA cert from the kube-system namespace.

antrea/pkg/antctl/raw/helper.go

Line 88 in 3ac87f6

func GetControllerCACert(ctx context.Context, client kubernetes.Interface, controllerInfo *v1beta1.AntreaControllerInfo) ([]byte, error) {

But I need more context on what should be done. I am still unclear about where the user configures the namespace that the Antrea should deployed to (In the CRD or ConfigMap or somewhere else). Your hints help @luolanzone

[roopeshsn]

Hi, @luolanzone @antoninbas! Your input will help me to move forward.

[luolanzone]

Hi @roopeshsn sorry for late response, there are a few ways to deploy Antrea. One way is through Helm chart, here is the guide. https://github.com/antrea-io/antrea/blob/main/docs/helm.md#installation. Users can change the Namespace in this command helm install antrea antrea/antrea --namespace kube-system. And another way is to deploy through Antrea manifests, here is the guide. In this case, users need to replace all kube-system in the manifests and apply it in the target cluster.

Usually it's kube-system by default in most cases. Let me know if you need more clarifications.

[luolanzone]

Hi @roopeshsn Thanks for your efforts to checking this issue, but I didn't see any response from your side for a long time, I will reassign this. @shikharish