Add workflow to build windows kube-proxy images locally

.github/workflows/build-kube-proxy-windows.yml

@@ -0,0 +1,36 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: Build Kube-Proxy images
+
+on:
+  workflow_dispatch:
+    inputs:
+      proxy_version:
+        description: 'Version of kube-proxy to build (ex: v1.27.1)'
+        required: true
+      repository:
+        description: 'Repository to push the image to (ex: quay.io/k0sproject)'
+        required: false
+        default: 'quay.io/k0sproject'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          show-progress: false
+
+      - name: Login to Quay
+        if: startsWith(github.event.inputs.proxy_version, 'quay.io/')
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.QUAY_USER }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+          registry: quay.io
+
+      - name: Build and push images
+        run: |
+          pushd ./windows/calico-kube-proxy
+          ./build.sh -p ${{ github.event.inputs.proxy_version }} -r ${{ github.event.inputs.repository }}

windows/calico-kube-proxy/build.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+set -x
+
+# https://devhints.io/bash
+while [[ $# -gt 0 && "$1" =~ ^- && ! "$1" == "--" ]]; do case "$1" in
+  -p | --proxyVersion )
+    shift; proxyVersion="$1"
+    ;;
+  -r | --repository )
+    shift; repository="$1"
+    ;;
+  -a | --all )
+    all="1"
+    ;;
+esac; shift; done
+
+repository=${repository:-"sigwindowstools"}
+
+docker buildx create --name img-builder --use --platform windows/amd64
+trap 'docker buildx rm img-builder' EXIT
+
+if [[ -n "$proxyVersion" || "$all" == "1" ]] ; then
+    proxyVersion=${proxyVersion:-"v1.32.3"}
+    pushd kube-proxy
+    docker buildx build --provenance=false --sbom=false --platform windows/amd64 --output=type=registry --pull --build-arg=k8sVersion=$proxyVersion -f Dockerfile -t $repository/kube-proxy:$proxyVersion-calico-hostprocess .
+    popd
+fi

windows/calico-kube-proxy/kube-proxy/Dockerfile

@@ -0,0 +1,21 @@
+ARG BASE="mcr.microsoft.com/oss/kubernetes/windows-host-process-containers-base-image:v1.0.0"
+
+FROM --platform=linux/amd64 curlimages/curl as bins
+ARG k8sVersion="v1.22.4"
+
+WORKDIR /kube-proxy
+RUN curl -fLO https://dl.k8s.io/$k8sVersion/bin/windows/amd64/kube-proxy.exe \
+  && curl -fLO https://dl.k8s.io/$k8sVersion/bin/windows/amd64/kube-proxy.exe.sha256 \
+  && echo "$(cat kube-proxy.exe.sha256)  kube-proxy.exe" | sha256sum -c -
+
+RUN curl -LO https://raw.githubusercontent.com/microsoft/SDN/master/Kubernetes/windows/hns.psm1
+
+FROM $BASE
+
+ENV PATH="C:\Windows\system32;C:\Windows;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;"
+
+ADD start.ps1 /kube-proxy/start.ps1
+COPY --from=bins /kube-proxy/kube-proxy.exe /kube-proxy/kube-proxy.exe
+COPY --from=bins /kube-proxy/hns.psm1 /kube-proxy/hns.psm1
+
+ENTRYPOINT ["PowerShell"]

windows/calico-kube-proxy/kube-proxy/kube-proxy.yml

@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    k8s-app: kube-proxy
+  name: kube-proxy-windows
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: kube-proxy-windows
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-proxy-windows
+    spec:
+      serviceAccountName: kube-proxy
+      securityContext:
+        windowsOptions:
+          hostProcess: true
+          runAsUserName: "NT AUTHORITY\\system"
+      hostNetwork: true
+      containers:
+      - image: sigwindowstools/kube-proxy:KUBE_PROXY_VERSION-calico-hostprocess
+        args: ["$env:CONTAINER_SANDBOX_MOUNT_POINT/kube-proxy/start.ps1"]
+        workingDir: "$env:CONTAINER_SANDBOX_MOUNT_POINT/kube-proxy/"
+        name: kube-proxy
+        imagePullPolicy: Always
+        env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        volumeMounts:
+        - mountPath: /var/lib/kube-proxy
+          name: kube-proxy
+      nodeSelector:
+        kubernetes.io/os: windows
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - operator: Exists
+      volumes:
+      - configMap:
+          name: kube-proxy
+        name: kube-proxy
+  updateStrategy:
+    type: RollingUpdate

windows/calico-kube-proxy/kube-proxy/start.ps1

@@ -0,0 +1,109 @@
+# Copyright (c) 2020 Tigera, Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Modified from https://github.com/projectcalico/node
+$NetworkName = "Calico"
+if (test-path env:KUBEPROXY_PATH){ 
+    # used for CI flows
+    $kproxy = $env:KUBEPROXY_PATH
+}else {
+    $kproxy = "$env:CONTAINER_SANDBOX_MOUNT_POINT/kube-proxy/kube-proxy.exe"
+}
+ipmo -Force .\hns.psm1
+
+Write-Host "Running kub-proxy service."
+
+# Now, wait for the Calico network to be created.
+Write-Host "Waiting for HNS network $NetworkName to be created..."
+while (-Not (Get-HnsNetwork | ? Name -EQ $NetworkName)) {
+    Write-Debug "Still waiting for HNS network..."
+    Start-Sleep 1
+}
+Write-Host "HNS network $NetworkName found."
+
+# Determine the kube-proxy version.
+$kubeProxyVer = $(Invoke-Expression "$kproxy --version")
+echo "kubeproxy version $kubeProxyVer"
+$kubeProxyGE114 = $false
+if ($kubeProxyVer -match "v([0-9])\.([0-9]+)") {
+    $major = $Matches.1 -as [int]
+    $minor = $Matches.2 -as [int]
+    $kubeProxyGE114 = ($major -GT 1 -OR $major -EQ 1 -AND $minor -GE 14)
+}
+
+# Determine the windows version and build number for DSR support.
+# requires 2019 with KB4580390 (Oct 2020)
+$PlatformSupportDSR = $true
+
+# This is a workaround since the go-client doesn't know about the path $env:CONTAINER_SANDBOX_MOUNT_POINT
+# go-client is going to be address in a future release:
+#   https://github.com/kubernetes/kubernetes/pull/104490
+# We could address this in kubeamd as well: 
+#   https://github.com/kubernetes/kubernetes/blob/9f0f14952c51e7a5622eac05c541ba20b5821627/cmd/kubeadm/app/phases/addons/proxy/manifests.go
+Write-Host "Write files so the kubeconfig points to correct locations"
+mkdir -force /var/lib/kube-proxy/
+((Get-Content -path $env:CONTAINER_SANDBOX_MOUNT_POINT/var/lib/kube-proxy/kubeconfig.conf -Raw) -replace '/var',"$($env:CONTAINER_SANDBOX_MOUNT_POINT)/var") | Set-Content -Path $env:CONTAINER_SANDBOX_MOUNT_POINT/var/lib/kube-proxy/kubeconfig-win.conf
+cp $env:CONTAINER_SANDBOX_MOUNT_POINT/var/lib/kube-proxy/kubeconfig-win.conf /var/lib/kube-proxy/kubeconfig.conf
+
+# Build up the arguments for starting kube-proxy.
+$argList = @(`
+    "--hostname-override=$env:NODENAME", `
+    "--v=4",`
+    "--proxy-mode=kernelspace",`
+    "--kubeconfig=$env:CONTAINER_SANDBOX_MOUNT_POINT/var/lib/kube-proxy/kubeconfig-win.conf"`
+)
+$extraFeatures = @()
+
+if ($kubeProxyGE114 -And $PlatformSupportDSR) {
+    Write-Host "Requires 2019 with KB4580390 (Oct 2020)"
+    $extraFeatures += "WinDSR=true"
+    $argList += "--enable-dsr=true"
+} else {
+    Write-Host "DSR feature is not supported."
+}
+
+$network = (Get-HnsNetwork | ? Name -EQ $NetworkName)
+if ($network.Type -EQ "Overlay") {
+    if (-NOT $kubeProxyGE114) {
+        throw "Overlay network requires kube-proxy >= v1.14.  Detected $kubeProxyVer."
+    }
+    # This is a VXLAN network, kube-proxy needs to know the source IP to use for SNAT operations.
+    Write-Host "Detected VXLAN network, waiting for Calico host endpoint to be created..."
+    while (-Not (Get-HnsEndpoint | ? Name -EQ "Calico_ep")) {
+        Start-Sleep 1
+    }
+    Write-Host "Host endpoint found."
+    $sourceVip = (Get-HnsEndpoint | ? Name -EQ "Calico_ep").IpAddress
+    $argList += "--source-vip=$sourceVip"
+    $extraFeatures += "WinOverlay=true"
+}
+
+if ($extraFeatures.Length -GT 0) {
+    $featuresStr = $extraFeatures -join ","
+    $argList += "--feature-gates=$featuresStr"
+    Write-Host "Enabling feature gates: $extraFeatures."
+}
+
+# kube-proxy doesn't handle resync if there are pre-exisitng policies, clean them
+# all out before (re)starting kube-proxy.
+$policyLists = Get-HnsPolicyList
+if ($policyLists) {
+    $policyLists | Remove-HnsPolicyList
+}
+
+Write-Host "Start to run $kproxy $argList"
+# We'll also pick up a network name env var from the Calico config file.  Override it
+# since the value in the config file may be a regex.
+$env:KUBE_NETWORK=$NetworkName
+Invoke-Expression "$kproxy $argList"

windows/calico-kube-proxy/readme.md

@@ -0,0 +1,5 @@
+# Calico kube-proxy
+
+This contains a HostProcess container for kube-proxy that works with Calico.  It uses the release files from Calico. The felix and node services scripts are modified slightly until we can get the support in upstream which has other dependencies.
+
+This is coming from [sig-windows-tools](https://github.com/kubernetes-sigs/sig-windows-tools/tree/5f77809/hostprocess/calico) for details on installing Calico