gh/workflows: Use cilium-config action in ci-ipsec-upgrade #27359

Merged
merged 4 commits into from
Sep 1, 2023
170 changes: 49 additions & 121 deletions .github/workflows/tests-ipsec-upgrade.yaml
@@ -84,9 +84,6 @@ jobs:
kpr: 'disabled'
tunnel: 'disabled'
encryption: 'ipsec'
encryption-node: 'false'
debug: 'true'
test-flow-interrupts: 'true'
ipv6: 'false' # until https://github.com/cilium/cilium/issues/26944 resolved

- name: '2'
@@ -96,9 +93,7 @@ jobs:
kpr: 'disabled'
tunnel: 'disabled'
encryption: 'ipsec'
encryption-node: 'false'
endpoint-routes: 'true'
test-flow-interrupts: 'true'
ipv6: 'false' # until https://github.com/cilium/cilium/issues/26944 resolved

- name: '3'
@@ -108,9 +103,7 @@ jobs:
kpr: 'disabled'
tunnel: 'vxlan'
encryption: 'ipsec'
encryption-node: 'false'
endpoint-routes: 'true'
test-flow-interrupts: 'true'
ipv6: 'false' # until https://github.com/cilium/cilium/issues/26944 resolved

timeout-minutes: 60
@@ -132,108 +125,46 @@ jobs:
else
SHA="${{ github.sha }}"
fi

# TODO(brb) move the settings derivation into a reusable GH workflow
CILIUM_STABLE_IMAGE_SETTINGS="--chart-directory=./cilium-${{ env.cilium_stable_version }}/install/kubernetes/cilium/ \
--helm-set=image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \
--helm-set=image.useDigest=false \
--helm-set=image.tag=v${{ env.cilium_stable_version }} \
--helm-set=operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \
--helm-set=operator.image.suffix=-ci \
--helm-set=operator.image.tag=v${{ env.cilium_stable_version }} \
--helm-set=operator.image.useDigest=false \
--helm-set=hubble.relay.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \
--helm-set=hubble.relay.image.tag=v${{ env.cilium_stable_version }}"
echo "cilium_stable_image_settings=${CILIUM_STABLE_IMAGE_SETTINGS}" >> $GITHUB_OUTPUT

CILIUM_MAIN_IMAGE_SETTINGS="--chart-directory=./install/kubernetes/cilium \
--helm-set=image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \
--helm-set=image.useDigest=false \
--helm-set=image.tag=${SHA} \
--helm-set=operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \
--helm-set=operator.image.suffix=-ci \
--helm-set=operator.image.tag=${SHA} \
--helm-set=operator.image.useDigest=false \
--helm-set=hubble.relay.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \
--helm-set=hubble.relay.image.tag=${SHA}"
echo "cilium_main_image_settings=${CILIUM_MAIN_IMAGE_SETTINGS}" >> $GITHUB_OUTPUT

CILIUM_INSTALL_DEFAULTS="--wait \
--helm-set=debug.enabled=true \
--helm-set=cni.uninstall=false \
--helm-set=cluster.name=default \
--helm-set=hubble.eventBufferCapacity=65535 \
--helm-set=bpf.monitorAggregation=none \
--nodes-without-cilium=kind-worker3 \
--helm-set=bpfClockProbe=false \
--helm-set-string=kubeProxyReplacement=${{ matrix.kpr }}"

TUNNEL="--helm-set-string=tunnelProtocol=${{ matrix.tunnel }}"
if [ "${{ matrix.tunnel }}" == "disabled" ]; then
TUNNEL="--helm-set-string=routingMode=native --helm-set-string=autoDirectNodeRoutes=true --helm-set-string=ipv4NativeRoutingCIDR=10.244.0.0/16 --helm-set-string=tunnel=disabled"
TUNNEL="${TUNNEL} --helm-set-string=ipv6NativeRoutingCIDR=fd00:10:244::/56"
fi
LB_MODE=""
if [ "${{ matrix.lb-mode }}" != "" ]; then
LB_MODE="--helm-set-string=loadBalancer.mode=${{ matrix.lb-mode }}"
fi
ENDPOINT_ROUTES=""
if [ "${{ matrix.endpoint-routes }}" == "true" ]; then
ENDPOINT_ROUTES="--helm-set-string=endpointRoutes.enabled=true"
fi
IPV6=""
if [ "${{ matrix.ipv6 }}" != "false" ]; then
IPV6="--helm-set=ipv6.enabled=true"
fi
MASQ=""
if [ "${{ matrix.kpr }}" == "true" ] || [ "${{ matrix.kpr }}" == "strict" ]; then
# BPF-masq requires KPR=true.
MASQ="--helm-set=bpf.masquerade=true"
if [ "${{ matrix.host-fw }}" == "true" ]; then
# BPF IPv6 masquerade not currently supported with host firewall - GH-26074
MASQ="${MASQ} --helm-set=enableIPv6Masquerade=false"
fi
fi
EGRESS_GATEWAY=""
if [ "${{ matrix.egress-gateway }}" == "true" ]; then
EGRESS_GATEWAY="--helm-set=egressGateway.enabled=true"
fi
LB_ACCELERATION=""
if [ "${{ matrix.lb-acceleration }}" != "" ]; then
LB_ACCELERATION="--helm-set=loadBalancer.acceleration=${{ matrix.lb-acceleration }}"
fi

ENCRYPT=""
if [ "${{ matrix.encryption }}" != "" ]; then
ENCRYPT="--helm-set=encryption.enabled=true --helm-set=encryption.type=${{ matrix.encryption }}"
if [ "${{ matrix.encryption-node }}" != "" ]; then
ENCRYPT+=" --helm-set=encryption.nodeEncryption=${{ matrix.encryption-node }}"
fi
fi

HOST_FW=""
if [ "${{ matrix.host-fw }}" == "true" ]; then
HOST_FW="--helm-set=hostFirewall.enabled=true"
fi

CONFIG="${CILIUM_INSTALL_DEFAULTS} ${TUNNEL} ${LB_MODE} ${ENDPOINT_ROUTES} ${IPV6} ${MASQ} ${EGRESS_GATEWAY} ${ENCRYPT} ${HOST_FW} ${LB_ACCELERATION}"
echo "cilium_install_defaults=${CONFIG}" >> $GITHUB_OUTPUT

JUNIT=""
for NAME in ${{ matrix.kube-proxy }} ${{ matrix.tunnel }} ${{ matrix.lb-mode }} ${{ matrix.encryption }} ${{ matrix.endpoint-routes }}; do
if [[ "${NAME}" != "" ]] && [[ "${NAME}" != "disabled" ]] && [[ "${NAME}" != "none" ]]; then
if [[ "${JUNIT}" != "" ]]; then
JUNIT+="-"
fi
if [[ "${NAME}" == "true" ]];then
NAME="endpoint-routes"
fi
JUNIT+="${NAME}"
fi
done
echo junit_type="${JUNIT}" >> $GITHUB_OUTPUT
echo sha=${SHA} >> $GITHUB_OUTPUT

- name: Derive stable Cilium installation config
id: cilium-stable-config
uses: ./.github/actions/cilium-config
with:
image-tag: v${{ env.cilium_stable_version }}
chart-dir: './cilium-${{ env.cilium_stable_version }}/install/kubernetes/cilium/'
tunnel: ${{ matrix.tunnel }}
endpoint-routes: ${{ matrix.endpoint-routes }}
ipv6: ${{ matrix.ipv6 }}
kpr: ${{ matrix.kpr }}
lb-mode: ${{ matrix.lb-mode }}
lb-acceleration: ${{ matrix.lb-acceleration }}
encryption: ${{ matrix.encryption }}
encryption-node: ${{ matrix.encryption-node }}
egress-gateway: ${{ matrix.egress-gateway }}
host-fw: ${{ matrix.host-fw }}
mutual-auth: false
misc: 'bpfClockProbe=false,cni.uninstall=false'

- name: Derive newest Cilium installation config
id: cilium-newest-config
uses: ./.github/actions/cilium-config
with:
image-tag: ${{ steps.vars.outputs.sha }}
chart-dir: './install/kubernetes/cilium'
tunnel: ${{ matrix.tunnel }}
endpoint-routes: ${{ matrix.endpoint-routes }}
ipv6: ${{ matrix.ipv6 }}
kpr: ${{ matrix.kpr }}
lb-mode: ${{ matrix.lb-mode }}
lb-acceleration: ${{ matrix.lb-acceleration }}
encryption: ${{ matrix.encryption }}
encryption-node: ${{ matrix.encryption-node }}
egress-gateway: ${{ matrix.egress-gateway }}
host-fw: ${{ matrix.host-fw }}
mutual-auth: false
misc: 'bpfClockProbe=false,cni.uninstall=false'

# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
@@ -269,14 +200,6 @@ jobs:
cmd: |
git config --global --add safe.directory /host

- name: Wait for images to be available
timeout-minutes: 10
shell: bash
run: |
for image in cilium-ci operator-generic-ci hubble-relay-ci ; do
until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
done

- name: Setup K8s cluster (${{ matrix.name }})
uses: cilium/little-vm-helper@908ab1ff8a596a03cd5221a1f8602dc44c3f906d # v0.0.12
with:
@@ -296,6 +219,14 @@ jobs:

mkdir -p cilium-junits

- name: Wait for images to be available
timeout-minutes: 10
shell: bash
run: |
for image in cilium-ci operator-generic-ci hubble-relay-ci ; do
until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
done

- name: Install Cilium ${{ env.cilium_stable_version }} (${{ matrix.name }})
uses: cilium/little-vm-helper@908ab1ff8a596a03cd5221a1f8602dc44c3f906d # v0.0.12
with:
@@ -304,8 +235,7 @@ jobs:
cd /host/

CILIUM_CLI_MODE=helm ./cilium-cli install \
${{ steps.vars.outputs.cilium_stable_image_settings }} \
${{ steps.vars.outputs.cilium_install_defaults }}
${{ steps.cilium-stable-config.outputs.config }}

./cilium-cli status --wait
kubectl get pods --all-namespaces -o wide
@@ -341,8 +271,7 @@ jobs:
cd /host/

CILIUM_CLI_MODE=helm ./cilium-cli upgrade \
${{ steps.vars.outputs.cilium_main_image_settings }} \
${{ steps.vars.outputs.cilium_install_defaults }}
${{ steps.cilium-newest-config.outputs.config }}

./cilium-cli status --wait
kubectl get pods --all-namespaces -o wide
@@ -359,8 +288,7 @@ jobs:
cd /host/

CILIUM_CLI_MODE=helm ./cilium-cli upgrade \
${{ steps.vars.outputs.cilium_stable_image_settings }} \
${{ steps.vars.outputs.cilium_install_defaults }}
${{ steps.cilium-stable-config.outputs.config }}

./cilium-cli status --wait
kubectl get pods --all-namespaces -o wide
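Review bot: The two new `uses: ./.github/actions/cilium-config` steps are safe only because they sit above `Checkout pull request branch (NOT TRUSTED)`: a local action is read from the workspace when its step runs, so moving either step below that checkout would let a pull request supply the action's code inside this privileged workflow. Nothing in the new lines records that ordering constraint, so I would add a comment above `Derive stable Cilium installation config`, for example `# Keep above the untrusted checkout: ./.github/actions/cilium-config is loaded from the workspace at step time.` Separately, `${{ steps.cilium-stable-config.outputs.config }}` and `${{ steps.cilium-newest-config.outputs.config }}` are expanded into the `cilium-cli install`/`upgrade` command text before the shell parses it, and the newest config is fed `image-tag: ${{ steps.vars.outputs.sha }}`. The action's implementation and the branch that assigns `SHA` are outside this diff, so it is worth confirming that the action validates or quotes `image-tag` and `misc` before they reach `config`.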