conformance-k8s-network-policies.yaml
name: Cyclonus network policy test

# Scheduled runs only: no pull_request or push trigger is declared here.
on:
  schedule:
    # run once a day at midnight
    - cron: '0 0 * * *'

# GITHUB_TOKEN gets read access on every scope and no write access.
# NOTE(review): listing only the scopes the jobs use would be tighter; which
# scopes the Slack notification step reads is not visible here, so confirm
# before narrowing.
permissions: read-all

# Workflow-level variables are exported to every step of every job.
env:
  # Consumed by the "Create kind cluster" step.
  KIND_VERSION: 'v0.11.1'
  KIND_CONFIG: '.github/kind-config.yaml'
  # Not referenced by any step in this file; presumably read by the scripts
  # the steps invoke. TODO confirm.
  CONFORMANCE_TEMPLATE: 'examples/kubernetes/connectivity-check/connectivity-check.yaml'
  TIMEOUT: '2m'
  LOG_TIME: '30m'
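jobs:
  # Fails when the pre-flight ClusterRole template drifts from the agent's.
  preflight-clusterrole:
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to full commit SHAs, and the checkout
      # token is not left in .git/config for later steps to pick up.
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
        with:
          persist-credentials: false

      - name: Check pre-flight clusterrole
        run: |
          cd install/kubernetes/cilium/templates
          echo "Checking for differences between preflight and agent clusterrole"
          diff \
            -I '^[ ]\{2\}name: cilium.*' \
            -I '^Keep file in sync with.*' \
            -I '{{- if.*' \
            cilium-agent/clusterrole.yaml \
            cilium-preflight/clusterrole.yaml

  # Installs the CI images into a kind cluster and runs the cyclonus
  # NetworkPolicy conformance script against them.
  cyclonus-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
        with:
          persist-credentials: false

      # Regenerates the manifests and fails if the working tree changed.
      - name: Precheck generated connectivity manifest files
        run: |
          make -C examples/kubernetes/connectivity-check fmt
          make -C examples/kubernetes/connectivity-check all
          test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1)

      # Exposes the image tag as steps.vars.outputs.tag.
      # Context values reach the script through env instead of being spliced
      # into the shell source: the previous unquoted expansion was empty on
      # events without a pull_request payload, which left a malformed
      # `[ != "" ]` test that reached the else branch only through a test error.
      # The output goes to $GITHUB_OUTPUT; the `::set-output` stdout command is
      # deprecated.
      - name: Set image tag
        id: vars
        env:
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          COMMIT_SHA: ${{ github.sha }}
        run: |
          if [ -n "${PR_HEAD_SHA}" ]; then
            echo "tag=${PR_HEAD_SHA}" >> "$GITHUB_OUTPUT"
          else
            echo "tag=${COMMIT_SHA}" >> "$GITHUB_OUTPUT"
          fi

      # Polls the registry every 45s until both CI images exist; the step
      # timeout bounds the wait at 10 minutes.
      - name: Wait for images to be available
        timeout-minutes: 10
        shell: bash
        run: |
          until docker manifest inspect quay.io/${{ github.repository_owner }}/cilium-ci:${{ steps.vars.outputs.tag }} &> /dev/null; do sleep 45s; done
          until docker manifest inspect quay.io/${{ github.repository_owner }}/operator-generic-ci:${{ steps.vars.outputs.tag }} &> /dev/null; do sleep 45s; done

      - name: Create kind cluster
        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478
        with:
          version: ${{ env.KIND_VERSION }}
          config: ${{ env.KIND_CONFIG }}

      # Images are selected by mutable tag (useDigest=false), so what runs is
      # whatever the registry serves for that tag at pull time.
      - name: Install cilium chart
        run: |
          helm install cilium ./install/kubernetes/cilium \
            --wait \
            --namespace kube-system \
            --set nodeinit.enabled=true \
            --set kubeProxyReplacement=partial \
            --set hostServices.enabled=false \
            --set externalIPs.enabled=true \
            --set nodePort.enabled=true \
            --set hostPort.enabled=true \
            --set bpf.masquerade=false \
            --set ipam.mode=kubernetes \
            --set image.repository=quay.io/${{ github.repository_owner }}/cilium-ci \
            --set image.tag=${{ steps.vars.outputs.tag }} \
            --set image.pullPolicy=IfNotPresent \
            --set image.useDigest=false \
            --set operator.image.repository=quay.io/${{ github.repository_owner }}/operator \
            --set operator.image.suffix=-ci \
            --set operator.image.tag=${{ steps.vars.outputs.tag }} \
            --set operator.image.pullPolicy=IfNotPresent \
            --set operator.image.useDigest=false \
            --set prometheus.enabled=true \
            --set operator.prometheus.enabled=true \
            --set hubble.enabled=true \
            --set hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}"

          kubectl wait -n kube-system --for=condition=Ready --all pod --timeout=5m

          # To make sure that cilium CRD is available (default timeout is 5m)
          # https://github.com/cilium/cilium/blob/master/operator/crd.go#L34
          kubectl wait --for condition=Established crd/ciliumnetworkpolicies.cilium.io --timeout=5m

      - name: Run cyclonus network policy test
        working-directory: test/k8s/manifests/netpol-cyclonus
        run: ./test-cyclonus.sh

      # Failure path only.
      # NOTE(review): the CLI is fetched from the moving `latest` release and
      # the .sha256sum file comes from the same location as the tarball, so the
      # check detects a corrupted download but not a replaced release asset.
      # The archive is then unpacked into /usr/bin as root. Pinning a release
      # and an expected digest in this file would close that gap.
      - name: Capture cilium-sysdump
        if: ${{ failure() }}
        run: |
          echo "=== Install latest stable CLI ==="
          curl -sSL --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
          sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
          sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/bin
          rm cilium-linux-amd64.tar.gz{,.sha256sum}
          cilium version

          echo "=== Retrieve cluster state ==="
          kubectl get pods --all-namespaces -o wide
          cilium status
          cilium sysdump --output-filename cilium-sysdump-out

      # NOTE(review): a sysdump captures cluster state; check that nothing
      # sensitive lands in the artifact, which is readable by anyone with
      # access to the run.
      - name: Upload cilium-sysdump
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
        if: ${{ failure() }}
        with:
          name: cilium-sysdump-out.zip
          path: cilium-sysdump-out.zip

      # The webhook secret is handed to a third-party action; the SHA pin
      # fixes which code receives it.
      - name: Send slack notification
        if: ${{ !success() && (github.event_name == 'schedule' || github.event_name == 'push') }}
        uses: 8398a7/action-slack@a74b761b4089b5d730d813fbedcd2ec5d394f3af
        with:
          status: ${{ job.status }}
          fields: repo,message,commit,author,action,eventName,ref,workflow,job,took  # selectable (default: repo,message)
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}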