
v1.14 Backports 2024-03-15 #10105


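name: Conformance Multi Pool IPAM

# Any change in triggers needs to be reflected in the concurrency group.
on:
  pull_request:
    paths-ignore:
      - 'Documentation/**'
      - 'test/**'
  push:
    branches:
      - v1.14
      - ft/v1.14/**
    paths-ignore:
      - 'Documentation/**'
      - 'test/**'

# The workflow token is read-only for every scope.
permissions: read-all

concurrency:
  # Keyed on the PR number, or on the pushed commit when there is no PR.
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
  cancel-in-progress: true

env:
  # Empty in this file; forwarded to the Cilium CLI action as `ci-version`.
  cilium_cli_ci_version:
  kind_config: .github/kind-config.yaml
  timeout: 5m

jobs:
  multi-pool-ipam-conformance-test:
    name: Install and Connectivity Test
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
      # Local composite actions come from the default branch, not from the
      # commit under test. Actions are pinned to a full commit SHA; the
      # trailing comment records the matching release tag.
      - name: Checkout main branch to access local actions
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ github.event.repository.default_branch }}
          # Keep the token out of the checked-out repository's git config.
          persist-credentials: false

      - name: Set Environment Variables
        uses: ./.github/actions/set-env-variables

      - name: Install Cilium CLI
        uses: cilium/cilium-cli@ca0d5a23b842d78ce3b5c79a80d546867493daf7 # v0.16.0
        with:
          release-version: ${{ env.CILIUM_CLI_VERSION }}
          ci-version: ${{ env.cilium_cli_ci_version }}

      # Publishes three step outputs: sha, cilium_install_defaults and
      # connectivity_test_defaults.
      - name: Set image tag
        id: vars
        run: |
          # PR head commit on pull_request events, pushed commit otherwise.
          if [ ${{ github.event.pull_request }} ]; then
            SHA=${{ github.event.pull_request.head.sha }}
          else
            SHA=${{ github.sha }}
          fi
          echo sha=${SHA} >> "$GITHUB_OUTPUT"
          # Notes:
          #  - Multi-pool IPAM only supports direct routing, thus we disable
          #    tunnel mode and enable auto-direct-routes.
          #  - Multi-pool IPAM only supports endpoint routes, thus we disable
          #    the local-node-route.
          #  - helm/kind-action does not support BPF host routing, so we fall
          #    back on legacy host routing (#23283)
          #  - iptables-based masquerading does not support multiple non-masquerade
          #    CIDRs. Thus, we enable BPF masquerading where we can add multiple
          #    non-masquerade CIDRs.
          CILIUM_INSTALL_DEFAULTS="--chart-directory=./untrusted/install/kubernetes/cilium \
            --helm-set=debug.enabled=true \
            --helm-set=image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \
            --helm-set=image.useDigest=false \
            --helm-set=image.tag=${SHA} \
            --helm-set=operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \
            --helm-set=operator.image.suffix=-ci \
            --helm-set=operator.image.tag=${SHA} \
            --helm-set=operator.image.useDigest=false \
            --helm-set=hubble.relay.enabled=true \
            --helm-set=hubble.relay.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \
            --helm-set=hubble.relay.image.tag=${SHA} \
            --helm-set=hubble.relay.image.useDigest=false \
            --helm-set=tunnel=disabled \
            --helm-set=autoDirectNodeRoutes=true \
            --helm-set=routingMode=native \
            --helm-set=endpointRoutes.enabled=true \
            --helm-set-string=extraConfig.enable-local-node-route=false \
            --helm-set=kubeProxyReplacement=strict \
            --helm-set=bpf.masquerade=true \
            --helm-set=bpf.hostLegacyRouting=true \
            --helm-set=ipv4NativeRoutingCIDR=10.0.0.0/8 \
            --helm-set=ipMasqAgent.enabled=true \
            --helm-set=ipMasqAgent.config.nonMasqueradeCIDRs='{192.168.0.0/16}' \
            --helm-set=ipam.mode=multi-pool \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.cidrs='{10.10.0.0/16}' \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.maskSize=24 \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.cidrs='{10.20.0.0/16}' \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.maskSize=24 \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.cidrs='{192.168.0.0/20}' \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.maskSize=27 \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.cidrs='{192.168.16.0/20}' \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.maskSize=27"
          CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \
            --external-target bing.com --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8 \
            --namespace-annotations='{\"ipam.cilium.io/ip-pool\":\"cilium-test-pool\"}' \
            --deployment-pod-annotations='{ \
              \"client\":{\"ipam.cilium.io/ip-pool\":\"client-pool\"}, \
              \"echo-other-node\":{\"ipam.cilium.io/ip-pool\":\"echo-other-node-pool\"} \
            }'"
          # Left unquoted on purpose: word splitting collapses the
          # continuation indentation into single spaces.
          echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> "$GITHUB_OUTPUT"
          echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> "$GITHUB_OUTPUT"

      # The commit under test goes into ./untrusted, limited to the Helm
      # chart directory and checked out without persisted credentials.
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ steps.vars.outputs.sha }}
          persist-credentials: false
          path: untrusted
          sparse-checkout: |
            install/kubernetes/cilium

      - name: Create kind cluster
        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
        with:
          version: ${{ env.KIND_VERSION }}
          node_image: ${{ env.KIND_K8S_IMAGE }}
          kubectl_version: ${{ env.KIND_K8S_VERSION }}
          config: ${{ env.kind_config }}
          wait: 0 # The control-plane never becomes ready, since no CNI is present

      # Polls the registry every 45s until all three CI images tagged with
      # the commit exist; the step timeout bounds the wait.
      - name: Wait for images to be available
        timeout-minutes: 30
        shell: bash
        run: |
          for image in cilium-ci operator-generic-ci hubble-relay-ci; do
            until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
          done

      - name: Install Cilium
        run: |
          CILIUM_CLI_MODE=helm cilium install ${{ steps.vars.outputs.cilium_install_defaults }}

      - name: Wait for Cilium status to be ready
        run: |
          cilium status --wait
          kubectl -n kube-system get pods

      - name: Port forward Relay
        run: |
          cilium hubble port-forward&
          sleep 10s
          # Fails the step unless exactly two matching processes are running.
          [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]]

      - name: Make JUnit report directory
        run: |
          mkdir -p cilium-junits

      # NOTE(review): job_name is not set in this workflow's env block;
      # confirm an earlier step exports it, otherwise the JUnit file name
      # starts with an empty prefix.
      - name: Run connectivity test
        run: |
          cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \
            --junit-file "cilium-junits/${{ env.job_name }} - 1.xml" --junit-property github_job_step="Run connectivity test"

      # Writes one `name=value` output per test pod (its IP) and per pool
      # (its first IPv4 CIDR).
      - name: Collect Pod and Pool IPs
        id: ips
        run: |
          for pod in client client2 echo-same-node echo-other-node; do
            kubectl get pod -n cilium-test -l "name=${pod}" -o jsonpath="${pod}={.items[*].status.podIP}{'\n'}" >> "$GITHUB_OUTPUT"
          done
          for pool in cilium-test-pool client-pool echo-other-node-pool; do
            kubectl get ciliumpodippool "${pool}" -o "jsonpath=${pool}={.spec.ipv4.cidrs[0]}{'\n'}" >> "$GITHUB_OUTPUT"
          done

      # Step outputs are handed over as environment variables so that text
      # read back from the cluster is never spliced into the Python source.
      - name: Validate Pod IPs
        shell: python
        env:
          CLIENT_IP: ${{ steps.ips.outputs.client }}
          CLIENT2_IP: ${{ steps.ips.outputs.client2 }}
          ECHO_SAME_NODE_IP: ${{ steps.ips.outputs.echo-same-node }}
          ECHO_OTHER_NODE_IP: ${{ steps.ips.outputs.echo-other-node }}
          CLIENT_POOL: ${{ steps.ips.outputs.client-pool }}
          CILIUM_TEST_POOL: ${{ steps.ips.outputs.cilium-test-pool }}
          ECHO_OTHER_NODE_POOL: ${{ steps.ips.outputs.echo-other-node-pool }}
        run: |
          import os
          from ipaddress import ip_address, ip_network

          def in_pool(ip_var, pool_var):
              # A missing or malformed value raises ValueError and fails the step.
              return ip_address(os.environ[ip_var]) in ip_network(os.environ[pool_var])

          assert in_pool("CLIENT_IP", "CLIENT_POOL"), "client pool mismatch"
          assert in_pool("CLIENT2_IP", "CILIUM_TEST_POOL"), "client2 pool mismatch"
          assert in_pool("ECHO_SAME_NODE_IP", "CILIUM_TEST_POOL"), "echo-same-node pool mismatch"
          assert in_pool("ECHO_OTHER_NODE_IP", "ECHO_OTHER_NODE_POOL"), "echo-other-node pool mismatch"

      - name: Post-test information gathering
        if: ${{ !success() }}
        run: |
          kubectl get pods --all-namespaces -o wide
          cilium status
          cilium sysdump --output-filename cilium-sysdump-out
        shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently

      # Only the sysdump archive is uploaded, and only when the job did not
      # succeed.
      - name: Upload artifacts
        if: ${{ !success() }}
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: cilium-sysdump-out.zip
          path: cilium-sysdump-*.zip
          retention-days: 5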