v1.14 Backports 2023-09-04

.github/actions/cilium-config/action.yml

@@ -37,6 +37,15 @@ inputs:
   host-fw:
     description: 'Enable host firewall'
     default: false
+  mutual-auth:
+    description: 'Enable mTLS-based Mutual Authentication'
+    default: true
+  devices:
+    description: 'List of native devices to attach datapath programs'
+    default: ''
+  misc:
+    description: 'Misc helm rarely set by a user coma separated values'
+    default: ''
 outputs:
   config:
     description: 'Cilium installation config'
@@ -63,16 +72,23 @@ runs:
             --helm-set=hubble.relay.image.useDigest=false \
             --helm-set=hubble.eventBufferCapacity=65535 \
             --helm-set=bpf.monitorAggregation=none \
-            --helm-set=authentication.mutual.spire.enabled=true \
+            --helm-set=cluster.name=default \
+            --helm-set=authentication.mutual.spire.enabled=${{ inputs.mutual-auth }} \
             --nodes-without-cilium=kind-worker3 \
-            --helm-set-string=kubeProxyReplacement=${{ inputs.kpr }}"
+            --helm-set-string=kubeProxyReplacement=${{ inputs.kpr }} \
+            --set='${{ inputs.misc }}'"
 
           TUNNEL="--helm-set-string=tunnelProtocol=${{ inputs.tunnel }}"
           if [ "${{ inputs.tunnel }}" == "disabled" ]; then
             TUNNEL="--helm-set-string=routingMode=native --helm-set-string=autoDirectNodeRoutes=true --helm-set-string=ipv4NativeRoutingCIDR=10.244.0.0/16 --helm-set-string=tunnel=disabled"
             TUNNEL="${TUNNEL} --helm-set-string=ipv6NativeRoutingCIDR=fd00:10:244::/56"
           fi
 
+          DEVICES=""
+          if [ "${{ inputs.devices }}" != "" ]; then
+            DEVICES="--helm-set=devices='${{ inputs.devices }}'"
+          fi
+
           LB_MODE=""
           if [ "${{ inputs.lb-mode }}" != "" ]; then
             LB_MODE="--helm-set-string=loadBalancer.mode=${{ inputs.lb-mode }}"
@@ -121,5 +137,5 @@ runs:
             HOST_FW="--helm-set=hostFirewall.enabled=true"
           fi
 
-          CONFIG="${DEFAULTS} ${TUNNEL} ${LB_MODE} ${ENDPOINT_ROUTES} ${IPV6} ${MASQ} ${EGRESS_GATEWAY} ${ENCRYPT} ${HOST_FW} ${LB_ACCELERATION}"
+          CONFIG="${DEFAULTS} ${TUNNEL} ${DEVICES} ${LB_MODE} ${ENDPOINT_ROUTES} ${IPV6} ${MASQ} ${EGRESS_GATEWAY} ${ENCRYPT} ${HOST_FW} ${LB_ACCELERATION}"
           echo "config=${CONFIG}" >> $GITHUB_OUTPUT

.github/actions/ginkgo/main-focus.yaml

@@ -149,9 +149,8 @@ include:
   # K8sDatapathServicesTest Checks N/S loadbalancing Tests NodePort with sessionAffinity from outside
   # K8sDatapathServicesTest Checks N/S loadbalancing Tests security id propagation in N/S LB requests fwd-ed over tunnel
   # K8sDatapathServicesTest Checks N/S loadbalancing Tests with direct routing and DSR
-  # K8sDatapathServicesTest Checks N/S loadbalancing Tests with secondary NodePort device
   - focus: "f12-datapath-service-ns-misc"
-    cliFocus: "K8sDatapathServicesTest Checks N/S loadbalancing Tests externalIPs|K8sDatapathServicesTest Checks N/S loadbalancing Tests GH|K8sDatapathServicesTest Checks N/S loadbalancing Tests NodePort|K8sDatapathServicesTest Checks N/S loadbalancing Tests security|K8sDatapathServicesTest Checks N/S loadbalancing Tests with direct|K8sDatapathServicesTest Checks N/S loadbalancing Tests with secondary|K8sDatapathServicesTest Checks N/S loadbalancing with"
+    cliFocus: "K8sDatapathServicesTest Checks N/S loadbalancing Tests externalIPs|K8sDatapathServicesTest Checks N/S loadbalancing Tests GH|K8sDatapathServicesTest Checks N/S loadbalancing Tests NodePort|K8sDatapathServicesTest Checks N/S loadbalancing Tests security|K8sDatapathServicesTest Checks N/S loadbalancing Tests with direct|K8sDatapathServicesTest Checks N/S loadbalancing with"
 
   ###
   # K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, DSR and Maglev

.github/ariane-config.yaml

@@ -42,6 +42,15 @@ triggers:
   /ci-gke:
     workflows:
     - conformance-gke.yaml
+  /ci-ingress:
+    workflows:
+    - conformance-ingress.yaml
+  /ci-integration:
+    workflows:
+    - integration-test.yaml
+  /ci-runtime:
+    workflows:
+    - conformance-runtime.yaml
   /ci-verifier:
     workflows:
     - tests-datapath-verifier.yaml

.github/workflows/conformance-aks.yaml

@@ -215,7 +215,7 @@ jobs:
             --name ${{ env.name }}
 
       - name: Wait for images to be available
-        timeout-minutes: 10
+        timeout-minutes: 30
         shell: bash
         run: |
           for image in cilium-ci operator-azure-ci hubble-relay-ci ; do

.github/workflows/conformance-aws-cni.yaml

@@ -215,7 +215,7 @@ jobs:
           kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/release-1.11/config/master/aws-k8s-cni.yaml
 
       - name: Wait for images to be available
-        timeout-minutes: 10
+        timeout-minutes: 30
         shell: bash
         run: |
           for image in cilium-ci operator-generic-ci hubble-relay-ci ; do

.github/workflows/conformance-clustermesh.yaml

@@ -350,7 +350,7 @@ jobs:
           kubectl --context ${{ env.contextName2 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH"
 
       - name: Wait for images to be available
-        timeout-minutes: 10
+        timeout-minutes: 30
         shell: bash
         run: |
           for image in cilium-ci operator-generic-ci hubble-relay-ci clustermesh-apiserver-ci ; do

.github/workflows/conformance-e2e.yaml

@@ -105,6 +105,8 @@ jobs:
             kernel: '5.10-20230824.161940'
             kube-proxy: 'iptables'
             kpr: 'true'
+            devices: '{eth0,eth1}'
+            secondary-network: 'true'
             tunnel: 'vxlan'
             lb-mode: 'snat'
             endpoint-routes: 'true'
@@ -115,6 +117,8 @@ jobs:
             kernel: '5.15-20230824.161940'
             kube-proxy: 'iptables'
             kpr: 'true'
+            devices: '{eth0,eth1}'
+            secondary-network: 'true'
             tunnel: 'disabled'
             lb-mode: 'dsr'
             endpoint-routes: 'true'
@@ -137,6 +141,8 @@ jobs:
             kernel: 'bpf-next-20230420.212204'
             kube-proxy: 'none'
             kpr: 'true'
+            devices: '{eth0,eth1}'
+            secondary-network: 'true'
             tunnel: 'disabled'
             lb-mode: 'snat'
             egress-gateway: 'true'
@@ -183,6 +189,8 @@ jobs:
             kernel: '5.10-20230824.161940'
             kube-proxy: 'iptables'
             kpr: 'true'
+            devices: '{eth0,eth1}'
+            secondary-network: 'true'
             tunnel: 'vxlan'
             encryption: 'wireguard'
             encryption-node: 'false'
@@ -195,6 +203,8 @@ jobs:
             kernel: '5.15-20230824.161940'
             kube-proxy: 'iptables'
             kpr: 'true'
+            devices: '{eth0,eth1}'
+            secondary-network: 'true'
             tunnel: 'disabled'
             encryption: 'wireguard'
             encryption-node: 'false'
@@ -207,6 +217,8 @@ jobs:
             kernel: '6.0-20230824.161940'
             kube-proxy: 'none'
             kpr: 'true'
+            devices: '{eth0,eth1}'
+            secondary-network: 'true'
             tunnel: 'vxlan'
             encryption: 'wireguard'
             encryption-node: 'true'
@@ -218,6 +230,8 @@ jobs:
             kernel: 'bpf-next-20230420.212204'
             kube-proxy: 'none'
             kpr: 'true'
+            devices: '{eth0,eth1}'
+            secondary-network: 'true'
             tunnel: 'disabled'
             encryption: 'wireguard'
             encryption-node: 'true'
@@ -262,6 +276,7 @@ jobs:
           image-tag: ${{ steps.vars.outputs.sha }}
           chart-dir: './install/kubernetes/cilium'
           tunnel: ${{ matrix.tunnel }}
+          devices: ${{ matrix.devices }}
           endpoint-routes: ${{ matrix.endpoint-routes }}
           ipv6: ${{ matrix.ipv6 }}
           kpr: ${{ matrix.kpr }}
@@ -320,7 +335,7 @@ jobs:
             fi
 
       - name: Wait for images to be available
-        timeout-minutes: 10
+        timeout-minutes: 30
         shell: bash
         run: |
           for image in cilium-ci operator-generic-ci hubble-relay-ci ; do
@@ -352,11 +367,17 @@ jobs:
           cmd: |
             cd /host/
 
+            EXTRA=""
+            if [ "${{ matrix.secondary-network }}" = "true" ]; then
+              EXTRA="--secondary-network-iface=eth1"
+            fi
+
             ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \
               --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \
               --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-<ts>" \
               --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \
-              --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})"
+              --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \
+              \$EXTRA
 
             ./contrib/scripts/kind-down.sh
 

.github/workflows/conformance-eks.yaml

@@ -208,7 +208,7 @@ jobs:
           kubectl -n kube-system delete daemonset aws-node
 
       - name: Wait for images to be available
-        timeout-minutes: 10
+        timeout-minutes: 30
         shell: bash
         run: |
           for image in cilium-ci operator-aws-ci hubble-relay-ci ; do

.github/workflows/conformance-externalworkloads.yaml

@@ -247,7 +247,7 @@ jobs:
           gcloud container clusters get-credentials ${{ env.clusterName }} --zone ${{ matrix.zone }}
 
       - name: Wait for images to be available
-        timeout-minutes: 10
+        timeout-minutes: 30
         shell: bash
         run: |
           for image in cilium-ci operator-generic-ci hubble-relay-ci clustermesh-apiserver-ci ; do

.github/workflows/conformance-ginkgo.yaml

@@ -164,7 +164,7 @@ jobs:
         uses: ./.github/actions/set-env-variables
 
       - name: Wait for images to be available
-        timeout-minutes: 10
+        timeout-minutes: 30
         shell: bash
         run: |
           for image in cilium-ci operator-generic-ci hubble-relay-ci ; do

.github/workflows/conformance-gke.yaml

@@ -231,7 +231,7 @@ jobs:
           gcloud container clusters get-credentials ${{ env.clusterName }}-${{ matrix.config.index }} --zone ${{ matrix.k8s.zone }}
 
       - name: Wait for images to be available
-        timeout-minutes: 10
+        timeout-minutes: 30
         shell: bash
         run: |
           for image in cilium-ci operator-generic-ci hubble-relay-ci ; do

.github/workflows/conformance-ingress.yaml

@@ -1,4 +1,4 @@
-name: Conformance Ingress
+name: Conformance Ingress (ci-ingress)
 
 # Any change in triggers needs to be reflected in the concurrency group.
 on: