gha: Run kubernetes Conformance and SIG-network tests

[aojea]

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Thanks for contributing!

The kubernetes e2e sig-network tests are created to standardize the expected behaviors for the different implementations.

Running them ensure that all the ecosystem provide the same experience for users and contribute to reduce toil to implementations, knowing that the behavior is conformance with the defined by Kubernetes.

[aojea]

/assign @squeed @sayboras

[squeed]

one very minor change, then this looks good to me.

[squeed]

This should have the --wait flag (although I bet kubetest also waits for all the nodes to be Ready). Still good practice.

[aojea]

check line 148, it sets it to false, for some reasons?

[squeed]

--skip="Feature|Federation|PerformanceDNS|DualStack|Disruptive|Serial|KubeProxy|LoadBalancer|GCE|Netpol|NetworkPolicy|rejected|externalTrafficPolicy|HostPort|ExternalIP|kube-proxy"

This has a lot of skips. Should we be creating issues to un-Skip any of them?

It seems like, at least, NetworkPolicy should be enabled.

[aojea]

--skip="Feature|Federation|PerformanceDNS|DualStack|Disruptive|Serial|KubeProxy|LoadBalancer|GCE|Netpol|NetworkPolicy|rejected|externalTrafficPolicy|HostPort|ExternalIP|kube-proxy"

This has a lot of skips. Should we be creating issues to un-Skip any of them?

It seems like, at least, NetworkPolicy should be enabled.

remember how did we have it in ovn-kubernetes?

I wanted to do something similiar, to read them from a file adding the issues , so we can work towards remove the list of skips to zero ... can I add this file in the repo? where would be the best place?

[squeed]

I wanted to do something similiar, to read them from a file adding the issues , so we can work towards remove the list of skips to zero ... can I add this file in the repo? where would be the best place?

I think this is fine for now; as we knock the skips down, we can consider moving it. I suspect that the skips will vary with certain configurations (e.g. dualstack, kpr, aws-cni chaining, etc).

[aojea]

I think this is fine for now; as we knock the skips down, we can consider moving it. I suspect that the skips will vary with certain configurations (e.g. dualstack, kpr, aws-cni chaining, etc).

do you want to add a matrix ipv4, ipv6 and dual-stack?
that is very simple to add here

[sayboras]

Thanks and LGTM 💯 🎖️

[aojea]

Last push removes the external dependency on the kind config and add a matrix to test ipv4, ipv6 and dual-stack.

I have this action setup running for years in several projects with success, we can always remove permutation from the matrix slice if we don't want to proceed with all of them

[aojea]

/test

[sayboras]

/test

test command only works for cilium committer sadly, so if you want to run full CI tests, feel free to ping us in development channel. I don't think this PR requires full CI tests (Jenkins + GHA) though as the changes are only for GHA.

[squeed]

3 failures, I assume #24174 and #24202 will take care of this

 Summarizing 3 Failures:
  [FAIL] [sig-network] Services [It] should be able to update service type to NodePort listening on same port number but different protocols
  test/e2e/network/service.go:1421
  [FAIL] [sig-network] Services [It] should be able to connect to terminating and unready endpoints if PublishNotReadyAddresses is true
  test/e2e/network/util.go:177
  [FAIL] [sig-network] Services [It] should create endpoints for unready pods

[aditighag]

Looks like some of the tests overlap with the existing k8s conformance test suite in cilium? Probably good to bring this up in the community meeting. /cc @aanm

[joestringer]

Looks like some of the tests overlap with the existing k8s conformance test suite in cilium? Probably good to bring this up in the community meeting. /cc @aanm

that seems to use vagrant, kind is much better suited for running k8s e2e tests since is one of the kubernetes default tool for testing the project itself and is tuned for performance, see the results

I agree - the current mechanism was built some years ago based on the infra we used at the time. It currently requires a special trigger phrase and relies on some additional custom Jenkins configuration. I like the idea of moving this to GHA instead.

The only thing I would suggest is to check the end of that script for which tests are being skipped + comments and maybe copy any relevant explanations+links here.

At a glance it also looks like that job tests Cilium with kube-proxy, whereas this workflow tests without kube-proxy. cf. #24199

[joestringer]

Do we need to run sig-storage etc.? Some of the reason behind the limited set of tests in the current script is that there's a bunch of stuff that is unrelated to Cilium's functionality.

[aojea]

Do we need to run sig-storage etc.? Some of the reason behind the limited set of tests in the current script is that there's a bunch of stuff that is unrelated to Cilium's functionality.

this regex that I added is specific for networking plugins, is the same regex I have in kubernetes/kubernetes and added to other networking plugins that reached out to me for this kind of situation

[sayboras]

ipv6 fails to install cilium https://github.com/cilium/cilium/actions/runs/4353373283/jobs/7607811754

You can take a look at the existing ipv6 (e.g. test-smoke-ipv6) jobs and kind-config-ipv6.yaml for reference. The last time I worked on this, I need the bump CIDR range as the default values might be too small. IMO, we can add ipv6 test once in subsequent PR.

Relates:
https://github.com/cilium/cilium/blob/master/.github/workflows/tests-smoke-ipv6.yaml#L129-L133
0ac8c4c

[aojea]

Since my inmidiate priority is to have a Kubernetes job running I prefer to focus on having just ipv4 and monitor the job for some weeks so you can be confident is stable, I tested it locally right now and with my two PRs that got merged there are no failing tests

Ran 371 of 7084 Specs in 682.514 seconds
SUCCESS! -- 371 Passed | 0 Failed | 0 Pending | 6713 Skipped

[aojea]

and this is green now 👍

[sayboras]

One small comment, the rest looks good to me. Thanks.

[sayboras]

Full CI is not required as the changes in this PR are to add a new GHA, which is successfully run.

[christarazi]

Removing myself in favor of @nbusseneau

[aojea]

just for clarification, both the kubernetes and e2e tests are pinned to a specific version, there is no possibility a test that was passing start to fail if is not related to a change in the cilium code or an environment problem (but this runners seems very powerful )

[squeed]

@aditighag @brlbil @nbusseneau would you mind reviewing this PR?

[aditighag]

I think this is good to go, but let's wait for @nbusseneau's review.

[aditighag]

It's been a few days since the pending reviews were requested, so let's get the PR merged. @nbusseneau Please follow up with @aojea if you have any follow-ups in mind.

[nbusseneau]

Sorry, I missed the pings last week. Had a review and LGTM, great job, thanks!

[aojea]

Thanks, I'll be available for any issue related with this job