New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci/multicluster: Test WireGuard in clustermesh #17453
Conversation
25c6e9d
to
7a66346
Compare
11950c8
to
1fedf99
Compare
1fedf99
to
62c6023
Compare
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
62c6023
to
bba1a55
Compare
Successful test run of the |
bba1a55
to
f8db94f
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code changes LGTM. I have two remarks:
- The clustermesh workflow would now be the only one where we test WireGuard, as all others are testing IPsec. Is that an issue? Would there be value in testing both WireGuard and IPsec in all configurations?
- Reconfiguring the Cilium agents via
cilium config set
is a neat trick, I like it 👍 On other workflows though, what we did wasuninstall
followed with anotherinstall
. Is there a possibility theconfig
way would behave differently as the reinstall method? If yes, I would argue we keep to the reinstall method to imitate users installing new clusters as closely as possible.
Thanks for the reviews!
Generally speaking, yes. The main reason we have not done that yet is because I believe none of the managed K8s providers (GCP, EKS) have WireGuard kernel support enabled by default (AKS might be an exception, need to double check). Now that we have user-mode WireGuard, we could add it. My main concern however is that it will add ~5 minutes of additional run-time to each test. I'm not sure this is worth it.
The reason I chose |
Yes, this is why I find it so neat 😄 If we think there is no difference in behaviour with the reinstall method, I would actually happily take down the path of doing the same on all workflows! |
🚀 In terms of behavior, there might be some differences. For IPSec encryption, we will need to use Another (albeit small) difference that I can think of is that Hubble Relay will loose it's connection to the restarted Cilium-Agent instances with Edit: On the second thing, impact of this will be low though: Hubble not being reconnected yet will only impact flow connection in the sysdump for now, as flow-validation is currently disabled. |
I'm marking this ready-to-merge, as this is a CI improvement. The failures are unrelated as this PR does not change any code. Me running On the discussion if we want to enable WireGuard in other CI 3.0 workflows as well: Let's do that in a separate PR once we have more experience with how stable WireGuard is running in clustermesh (I don't expect any problems, but just to be on the safe side). |
This adds an additional WireGuard test to the Multicluster / Cluster mesh (ci-multicluster) CI 3.0 workflow.
The new test enables WireGuard after the regular clustermesh test suite, restarts the Cilium pods in both clusters and then runs the regular intra-cluster connectivity check (with any tests disabled that rely on the L7 proxy).
Now that we a regression test for WireGuard+clustermesh, the documentation is also updated to mention that WireGuard may be used together with clustermesh.