cilium · julianwiedmann · Sep 13, 2023 · Jul 10, 2023 · Aug 24, 2023 · Sep 1, 2023
@@ -5,6 +5,7 @@ triggers:
     - conformance-aws-cni.yaml
     - conformance-clustermesh.yaml
     - conformance-e2e.yaml
+    - conformance-ipsec-e2e.yaml
     - conformance-eks.yaml
     - conformance-externalworkloads.yaml
     - conformance-gateway-api.yaml
@@ -30,6 +31,9 @@ triggers:
   /ci-ipsec-upgrade:
     workflows:
     - tests-ipsec-upgrade.yaml
+  /ci-ipsec-e2e:
+    workflows:
+    - conformance-ipsec-e2e.yaml
   /ci-eks:
     workflows:
     - conformance-eks.yaml
@@ -67,6 +71,8 @@ workflows:
     paths-ignore-regex: (test|Documentation)/
   conformance-e2e.yaml:
     paths-ignore-regex: (test|Documentation)/
+  conformance-ipsec-e2e.yaml:
+    paths-ignore-regex: (test|Documentation)/
   conformance-eks.yaml:
     paths-ignore-regex: (test|Documentation)/
   conformance-externalworkloads.yaml:

@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set initial commit status
-        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0  
+        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
         with:
           sha: ${{ inputs.SHA || github.sha }}
 
@@ -157,34 +157,6 @@ jobs:
             endpoint-routes: 'true'
 
           - name: '9'
-            # renovate: datasource=docker depName=quay.io/lvh-images/kind
-            kernel: '4.19-20230905.214457'
-            kube-proxy: 'iptables'
-            kpr: 'false'
-            tunnel: 'vxlan'
-            encryption: 'ipsec'
-            encryption-node: 'false'
-
-          - name: '10'
-            # renovate: datasource=docker depName=quay.io/lvh-images/kind
-            kernel: '5.4-20230905.214457'
-            kube-proxy: 'iptables'
-            kpr: 'false'
-            tunnel: 'disabled'
-            encryption: 'ipsec'
-            encryption-node: 'false'
-
-          - name: '11'
-            # renovate: datasource=docker depName=quay.io/lvh-images/kind
-            kernel: '5.10-20230905.214457'
-            kube-proxy: 'iptables'
-            kpr: 'false'
-            tunnel: 'disabled'
-            encryption: 'ipsec'
-            encryption-node: 'false'
-            endpoint-routes: 'true'
-
-          - name: '12'
             # renovate: datasource=docker depName=quay.io/lvh-images/kind
             kernel: '5.10-20230905.214457'
             kube-proxy: 'iptables'
@@ -198,7 +170,7 @@ jobs:
             endpoint-routes: 'true'
             egress-gateway: 'true'
 
-          - name: '13'
+          - name: '10'
             # renovate: datasource=docker depName=quay.io/lvh-images/kind
             kernel: '5.15-20230905.214457'
             kube-proxy: 'iptables'
@@ -212,7 +184,7 @@ jobs:
             endpoint-routes: 'true'
             egress-gateway: 'true'
 
-          - name: '14'
+          - name: '11'
             # renovate: datasource=docker depName=quay.io/lvh-images/kind
             kernel: '6.0-20230905.214457'
             kube-proxy: 'none'
@@ -225,7 +197,7 @@ jobs:
             lb-mode: 'snat'
             egress-gateway: 'true'
 
-          - name: '15'
+          - name: '12'
             # We don't want to update bpf-next after branching
             kernel: 'bpf-next-20230420.212204'
             kube-proxy: 'none'
@@ -238,16 +210,6 @@ jobs:
             lb-mode: 'snat'
             egress-gateway: 'true'
 
-          - name: '16'
-            # We don't want to update bpf-next after branching
-            kernel: 'bpf-next-20230420.212204'
-            kube-proxy: 'iptables'
-            kpr: 'false'
-            tunnel: 'geneve'
-            encryption: 'ipsec'
-            encryption-node: 'false'
-            endpoint-routes: 'true'
-
     timeout-minutes: 60
     steps:
       - name: Checkout context ref (trusted)
@@ -329,10 +291,6 @@ jobs:
             ./contrib/scripts/kind.sh --xdp --secondary-network "" 3 "" "" "${{ matrix.kube-proxy }}" \$IP_FAM
 
             kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]'
-            if [ "${{ matrix.encryption }}" == "ipsec" ]; then
-              kubectl create -n kube-system secret generic cilium-ipsec-keys \
-                --from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128"
-            fi
 
       - name: Wait for images to be available
         timeout-minutes: 30
@@ -422,7 +380,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set final commit status
-        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0  
+        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
         with:
           sha: ${{ inputs.SHA || github.sha }}
           status: ${{ needs.setup-and-test.result }}
@@ -282,7 +282,8 @@ jobs:
               --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \
               --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-<ts>" \
               --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \
-              --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})"
+              --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \
+              --flush-ct
 
       - name: Rotate IPsec Key & Test (${{ join(matrix.*, ', ') }})
         uses: cilium/cilium/.github/actions/conn-disrupt-test@824192af1ce1672a749a831dd151b3efe92d028a

@@ -261,11 +261,14 @@ jobs:
             # interruption in such flows.
             ./cilium-cli connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup
 
-      - name: Upgrade Cilium (${{ matrix.name }})
-        uses: cilium/little-vm-helper@908ab1ff8a596a03cd5221a1f8602dc44c3f906d # v0.0.12
+      - name: Upgrade Cilium & Test (${{ matrix.name }})
+        uses: cilium/cilium/.github/actions/conn-disrupt-test@48023b9f6df4fffa80162f418ae2344d33e36b11
         with:
-          provision: 'false'
-          cmd: |
+          job-name: ipsec-upgrade-${{ matrix.name }}
+          # Disable no-missed-tail-calls due to https://github.com/cilium/cilium/issues/26739
+          # Disable check-log-errors due to https://github.com/cilium/cilium-cli/issues/1858
+          extra-connectivity-test-flags: --test '!no-missed-tail-calls,!check-log-errors'
+          operation-cmd: |
             cd /host/
 
             CILIUM_CLI_MODE=helm ./cilium-cli upgrade \
@@ -275,32 +278,14 @@ jobs:
             kubectl get pods --all-namespaces -o wide
             kubectl -n kube-system exec daemonset/cilium -- cilium status
 
-      - name: Test Cilium after upgrade (${{ matrix.name }})
-        uses: cilium/little-vm-helper@908ab1ff8a596a03cd5221a1f8602dc44c3f906d # v0.0.12
-        with:
-          provision: 'false'
-          cmd: |
-            cd /host/
-
-            # Disable no-missed-tail-calls due to https://github.com/cilium/cilium/issues/26739
-            # Disable check-log-errors due to https://github.com/cilium/cilium-cli/issues/1858
-            ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \
-              --include-conn-disrupt-test \
-              --test '!no-missed-tail-calls,!check-log-errors' \
-              --flush-ct \
-              --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \
-              --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-<ts>" \
-              --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \
-              --junit-property github_job_step="Run tests upgrade 2 (${{ join(matrix.*, ', ') }})"
-
-            # --flush-ct interrupts the flows, so we need to set up again.
-            ./cilium-cli connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup
-
-      - name: Downgrade Cilium ${{ env.cilium_stable_version }} (${{ matrix.name }})
-        uses: cilium/little-vm-helper@908ab1ff8a596a03cd5221a1f8602dc44c3f906d # v0.0.12
+      - name: Downgrade Cilium to ${{ env.cilium_stable_version }} & Test (${{ matrix.name }})
+        uses: cilium/cilium/.github/actions/conn-disrupt-test@48023b9f6df4fffa80162f418ae2344d33e36b11
         with:
-          provision: 'false'
-          cmd: |
+          job-name: ipsec-downgrade-${{ matrix.name }}
+          # Disable no-missed-tail-calls due to https://github.com/cilium/cilium/issues/26739
+          # Disable check-log-errors due to https://github.com/cilium/cilium-cli/issues/1858
+          extra-connectivity-test-flags: --test '!no-missed-tail-calls,!check-log-errors'
+          operation-cmd: |
             cd /host/
 
             CILIUM_CLI_MODE=helm ./cilium-cli upgrade \
@@ -310,22 +295,6 @@ jobs:
             kubectl get pods --all-namespaces -o wide
             kubectl -n kube-system exec daemonset/cilium -- cilium status
 
-      - name: Test Cilium after downgrade to ${{ env.cilium_stable_version }} (${{ matrix.name }})
-        uses: cilium/little-vm-helper@908ab1ff8a596a03cd5221a1f8602dc44c3f906d # v0.0.12
-        with:
-          provision: 'false'
-          cmd: |
-            cd /host/
-
-            ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \
-              --include-conn-disrupt-test \
-              --test '!no-missed-tail-calls,!check-log-errors' \
-              --flush-ct \
-              --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \
-              --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-<ts>" \
-              --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \
-              --junit-property github_job_step="Run tests upgrade 3 (${{ join(matrix.*, ', ') }})"
-
       - name: Fetch artifacts
         if: ${{ !success() }}
         uses: cilium/little-vm-helper@908ab1ff8a596a03cd5221a1f8602dc44c3f906d # v0.0.12