workflows: Cover IPsec+VXLAN+endpoint routes in datapath tests

Commit 92a3e31 ("bpf: Remove link scope of cilium_host's IPv4 address") fixed connectivity via a NodePort service with tunneling and endpoint routes. Commit d39ca10 ("ipsec: Don't match on packet mark for FWD XFRM policy") then fixed cross-node pod connectivity with tunneling, endpoint routes, and IPsec. We can therefore start test this specific setup in the datapath tests. bpf-next is picked as the kernel to have some coverage of IPsec on the latest kernel. We currently rely on some assumption on kernel internals [1]. 1 - https://github.com/cilium/cilium/blob/v1.13.0-rc5/bpf/lib/encap.h#L24-L25 Signed-off-by: Paul Chaignon <paul@cilium.io>
cilium · Jan 26, 2023 · 68fc45c · 68fc45c
1 parent 3ed62d5
commit 68fc45c
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/.github/workflows/conformance-datapath.yaml b/.github/workflows/conformance-datapath.yaml
@@ -184,6 +184,15 @@ jobs:
             encryption-node: 'true'
             lb-mode: 'snat'
 
+          - name: '8'
+            kernel: 'bpf-next-main'
+            kube-proxy: 'iptables'
+            kpr: 'disabled'
+            tunnel: 'vxlan'
+            encryption: 'ipsec'
+            encryption-node: 'false'
+            endpoint-routes: 'true'
+
     timeout-minutes: 60
     steps:
       - name: Set up job variables