From cf9e02209efebb9709098a495f1815c314b5d6b8 Mon Sep 17 00:00:00 2001 From: jiezhao16 Date: Fri, 24 Apr 2026 11:33:18 -0400 Subject: [PATCH 1/6] Fix Cilium TEST_SKIPS for 4.22 conformance job --- ...ft-hypershift-release-4.22__periodics.yaml | 32 +++--- .../cilium/dump-debug/OWNERS | 4 + ...ift-extended-cilium-dump-debug-commands.sh | 17 +++ ...tended-cilium-dump-debug-ref.metadata.json | 11 ++ ...rshift-extended-cilium-dump-debug-ref.yaml | 10 ++ .../cilium/network-policies/OWNERS | 4 + ...tended-cilium-network-policies-commands.sh | 104 ++++++++++++++++++ ...-cilium-network-policies-ref.metadata.json | 11 ++ ...-extended-cilium-network-policies-ref.yaml | 10 ++ ...shift-aws-conformance-cilium-workflow.yaml | 13 ++- 10 files changed, 200 insertions(+), 16 deletions(-) create mode 100644 ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/OWNERS create mode 100644 ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-commands.sh create mode 100644 ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.metadata.json create mode 100644 ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.yaml create mode 100644 ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/OWNERS create mode 100644 ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh create mode 100644 ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.metadata.json create mode 100644 ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.yaml 
diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml
index 9985db9ceddd8..bfa59de65e8d2 100644
--- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml
+++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml
@@ -178,21 +178,23 @@ tests: cluster_profile: hypershift-aws env: TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block \[Feature:NetworkPolicy\] \[Suite:openshift/conformance/parallel\] - \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should ensure - an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed \[Feature:NetworkPolicy\] - \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Services should serve - endpoints on same port and different protocols \[Conformance\] \[Suite:openshift/conformance/parallel/minimal\] - \[Suite:k8s\]\| Netpol NetworkPolicy between server and client should enforce - except clause while egress access to server in CIDR block \[Feature:NetworkPolicy\] - \[Suite:openshift/conformance/parallel\] \[Suite:k8s\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with UDP \[Suite:openshift/conformance/parallel\]\| Unidling with - Deployments \[apigroup:route.openshift.io\] should work with TCP (when fully - idled) \[Suite:openshift/conformance/parallel\]\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled) \[Suite:openshift/conformance/parallel\]\| - Unidling with Deployments \[apigroup:route.openshift.io\] should work with - UDP \[Suite:openshift/conformance/parallel\]\| DNS should answer queries using - the local DNS endpoint \[Suite:openshift/conformance/parallel\] + access to server in CIDR block \[Feature:NetworkPolicy\]\| Netpol NetworkPolicy + between server and client should ensure an IP overlapping both IPBlock.CIDR + and IPBlock.Except is allowed \[Feature:NetworkPolicy\]\| Services should + serve endpoints on same port and different protocols \[Conformance\]\| Netpol + NetworkPolicy between server and client should enforce except clause while + egress access to server in CIDR block \[Feature:NetworkPolicy\]\| Unidling + 
\[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work + with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should + work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] + should work with UDP\| DNS should answer queries using the local DNS endpoint\| + Ensure HTTPRoute object is created\| loadbalancer CLB should be reachable + with default configurations\| loadbalancer CLB internal should be reachable + with hairpinning traffic\| loadbalancer NLB internal should be reachable with + hairpinning traffic\| loadbalancer NLB should be reachable with target-node-labels\| + Critical-CCO-based flow for olm managed operators and AWS STS\| NonHyperShiftHOST-High-CCO + metrics endpoint validation workflow: hypershift-aws-conformance-cilium - as: e2e-aws-external-oidc minimum_interval: 12h diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/OWNERS b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/OWNERS new file mode 100644 index 0000000000000..16eacd5181c60 --- /dev/null +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/OWNERS @@ -0,0 +1,4 @@ +approvers: + - mgencur +reviewers: + - mgencur diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-commands.sh new file mode 100644 index 0000000000000..442760262c128 --- /dev/null +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-commands.sh 
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -xuo pipefail
+export KUBECONFIG=${SHARED_DIR}/nested_kubeconfig
+mkdir -p ${ARTIFACT_DIR}/cilium-debug
+
+oc get ciliumclusterwidenetworkpolicy -A -o yaml > ${ARTIFACT_DIR}/cilium-debug/ciliumclusterwidenetworkpolicies.yaml 2>&1 || true
+oc get ciliumendpoint -A > ${ARTIFACT_DIR}/cilium-debug/ciliumendpoints.txt 2>&1 || true
+oc get ciliumconfig -n cilium -o yaml > ${ARTIFACT_DIR}/cilium-debug/ciliumconfig.yaml 2>&1 || true
+
+CILIUM_POD=$(oc get pods -n cilium -l k8s-app=cilium -o jsonpath='{.items[0].metadata.name}' 2>/dev/null) || true
+if [[ -n "${CILIUM_POD}" ]]; then
+ oc exec -n cilium ${CILIUM_POD} -- cilium status > ${ARTIFACT_DIR}/cilium-debug/cilium-status.txt 2>&1 || true
+ oc exec -n cilium ${CILIUM_POD} -- cilium service list > ${ARTIFACT_DIR}/cilium-debug/cilium-service-list.txt 2>&1 || true
+ oc exec -n cilium ${CILIUM_POD} -- cilium bpf lb list > ${ARTIFACT_DIR}/cilium-debug/cilium-bpf-lb-list.txt 2>&1 || true
+ oc exec -n cilium ${CILIUM_POD} -- cilium config > ${ARTIFACT_DIR}/cilium-debug/cilium-config.txt 2>&1 || true
+fi
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.metadata.json b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.metadata.json
new file mode 100644
index 0000000000000..83a64cf0c5a1e
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.metadata.json
@@ -0,0 +1,11 @@
+{
+ "path": "cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.yaml",
+ "owners": {
+ "approvers": [
+ "mgencur"
+ ],
+ "reviewers": [
+ "mgencur"
+ ]
+ }
+}
\ No newline at end of file
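Review bot: Only the first pod matched by `-l k8s-app=cilium` is inspected (`.items[0]`) in the new dump-debug script, so `cilium status`, `cilium service list` and `cilium bpf lb list` describe a single node's agent and a fault on any other node leaves nothing in `${ARTIFACT_DIR}/cilium-debug`. Iterating over every agent pod and writing one directory per pod keeps the best-effort `|| true` behaviour while covering node-local failures. The expansions of `${ARTIFACT_DIR}` and `${CILIUM_POD}` are also unquoted throughout; the sketch below quotes them.

```shell
# … unchanged: KUBECONFIG export, mkdir, oc get dumps …
while IFS= read -r pod; do
  [[ -n "${pod}" ]] || continue
  out="${ARTIFACT_DIR}/cilium-debug/${pod##*/}"
  mkdir -p "${out}"
  oc exec -n cilium "${pod}" -- cilium status > "${out}/cilium-status.txt" 2>&1 || true
  oc exec -n cilium "${pod}" -- cilium service list > "${out}/cilium-service-list.txt" 2>&1 || true
  oc exec -n cilium "${pod}" -- cilium bpf lb list > "${out}/cilium-bpf-lb-list.txt" 2>&1 || true
  oc exec -n cilium "${pod}" -- cilium config > "${out}/cilium-config.txt" 2>&1 || true
done < <(oc get pods -n cilium -l k8s-app=cilium -o name 2>/dev/null)
```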
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.yaml b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.yaml
new file mode 100644
index 0000000000000..04e5ebfdb09e3
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/dump-debug/cucushift-hypershift-extended-cilium-dump-debug-ref.yaml
@@ -0,0 +1,10 @@
+ref:
+ as: cucushift-hypershift-extended-cilium-dump-debug
+ from: cli
+ commands: cucushift-hypershift-extended-cilium-dump-debug-commands.sh
+ grace_period: 1m0s
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ timeout: 5m0s
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/OWNERS b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/OWNERS
new file mode 100644
index 0000000000000..16eacd5181c60
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+ - mgencur
+reviewers:
+ - mgencur
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh
new file mode 100644
index 0000000000000..359c882595eea
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
+ source "${SHARED_DIR}/proxy-conf.sh"
+fi
+
+if [[ -f "${SHARED_DIR}/nested_kubeconfig" ]]; then
+ export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig"
+fi
+
+echo "Applying four additional NetworkPolicies for Cilium compatibility (OCPBUGS-84104)"
+echo "OCP 4.22+ adds deny-all NetworkPolicies in openshift-monitoring and openshift-ingress."
+echo "Existing allow policies use named ports, which Cilium does not resolve (cilium/cilium#30003)."
+echo "These four additional policies restore the required traffic paths using numeric ports as a workaround."
+
+# Allow test access to Prometheus web API (ports 9090, 9091)
+oc apply -f - <<'EOF'
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-test-access-prometheus-cilium
+ namespace: openshift-monitoring
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: prometheus
+ ingress:
+ - ports:
+ - port: 9090
+ protocol: TCP
+ - port: 9091
+ protocol: TCP
+ policyTypes:
+ - Ingress
+EOF
+
+# Allow test access to Thanos Querier (ports 9091, 9092)
+oc apply -f - <<'EOF'
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-test-access-thanos-cilium
+ namespace: openshift-monitoring
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: thanos-query
+ ingress:
+ - ports:
+ - port: 9091
+ protocol: TCP
+ - port: 9092
+ protocol: TCP
+ policyTypes:
+ - Ingress
+EOF
+
+# Allow test access to Alertmanager (ports 9093, 9094)
+oc apply -f - <<'EOF'
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-test-access-alertmanager-cilium
+ namespace: openshift-monitoring
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: alertmanager
+ ingress:
+ - ports:
+ - port: 9093
+ protocol: TCP
+ - port: 9094
+ protocol: TCP
+ policyTypes:
+ - Ingress
+EOF
+
+# Allow monitoring to scrape router metrics (port 1936)
+oc apply -f - <<'EOF'
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-monitoring-scrape-router-cilium
+ namespace: openshift-ingress
+spec:
+ podSelector:
+ matchLabels:
+ ingresscontroller.operator.openshift.io/deployment-ingresscontroller: default
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: openshift-monitoring
+ ports:
+ - port: 1936
+ protocol: TCP
+ policyTypes:
+ - Ingress
+EOF
+
+echo "Cilium NetworkPolicy workarounds applied successfully"
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.metadata.json b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.metadata.json
new file mode 100644
index 0000000000000..a4710997c7d94
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.metadata.json
@@ -0,0 +1,11 @@
+{
+ "path": "cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.yaml",
+ "owners": {
+ "approvers": [
+ "mgencur"
+ ],
+ "reviewers": [
+ "mgencur"
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.yaml b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.yaml
new file mode 100644
index 0000000000000..ba2a9e0567193
--- /dev/null
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-ref.yaml
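Review bot: The three openshift-monitoring policies in the network-policies script (`allow-test-access-prometheus-cilium`, `allow-test-access-thanos-cilium`, `allow-test-access-alertmanager-cilium`) list `ports` with no `from` clause, so they admit ingress on those ports from every peer, while the router policy at the end of the same script is scoped with a `namespaceSelector`. NetworkPolicies are additive, so this does more than substitute numeric ports for the named ones Cilium cannot resolve: it appears to cancel the 4.22 deny-all for those pods, and any conformance check of monitoring isolation may then pass without exercising it. If the open peer set is deliberate because e2e clients run in arbitrary namespaces, state that above each manifest, e.g. `# No 'from' on purpose: e2e clients live in arbitrary namespaces; CI-only workaround for ephemeral clusters`. Otherwise mirror the peers of the allow policies being worked around, which are not visible in this patch.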
@@ -0,0 +1,10 @@ +ref: + as: cucushift-hypershift-extended-cilium-network-policies + from: cli + commands: cucushift-hypershift-extended-cilium-network-policies-commands.sh + grace_period: 1m0s + resources: + requests: + cpu: 100m + memory: 100Mi + timeout: 5m0s diff --git a/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml index a9617816b89d2..fc5f696e2bbb6 100644 --- a/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml +++ b/ci-operator/step-registry/hypershift/aws/conformance-cilium/hypershift-aws-conformance-cilium-workflow.yaml @@ -26,6 +26,9 @@ workflow: env: HYPERSHIFT_NETWORK_TYPE: "Other" # Required for Cilium. TEST_ARGS: --disable-monitor=service-type-load-balancer-availability + # CLB tests: health check port 10256 unavailable with Cilium (OCPBUGS-62226) + # NLB tests: DNS resolution failure for VPC endpoints in HyperShift (OCPBUGS-74537) + # CCO tests: broken test binary missing testdata/credentials_request.yaml (OCPBUGS-84630) TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress access to server in CIDR block \[Feature:NetworkPolicy\]\| Netpol NetworkPolicy between server and client should ensure an IP 
@@ -41,10 +44,17 @@ workflow: should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] should work with UDP\| DNS should answer queries using the local DNS endpoint\| - Ensure HTTPRoute object is created + Ensure HTTPRoute object is created\| + loadbalancer CLB should be reachable with default configurations\| + loadbalancer CLB internal should be reachable with hairpinning traffic\| + loadbalancer NLB internal should be reachable with hairpinning traffic\| + loadbalancer NLB should be reachable with target-node-labels\| + Critical-CCO-based flow for olm managed operators and AWS STS\| + NonHyperShiftHOST-High-CCO metrics endpoint validation post: - chain: hypershift-dump - chain: gather + - ref: cucushift-hypershift-extended-cilium-dump-debug - chain: hypershift-aws-destroy - chain: hypershift-destroy-nested-management-cluster test: @@ -56,3 +66,4 @@ workflow: - chain: hypershift-aws-create - ref: cucushift-hypershift-extended-cilium - ref: cucushift-hypershift-extended-cilium-health-check + - ref: cucushift-hypershift-extended-cilium-network-policies From 8ce2e63265d66948aeb86b165807f2db9e081f51 Mon Sep 17 00:00:00 2001 
From: Martin Gencur Date: Tue, 12 May 2026 10:08:50 +0200 Subject: [PATCH 2/6] ci(cilium): migrate Cilium installation from OLM manifests to Cilium CLI Replace the deprecated isovalent/olm-for-cilium manifest-based installation with the official Cilium CLI in both cilium-conf and cucushift-hypershift-extended-cilium steps. Bump Cilium from 1.13.9/1.15.1 to 1.19.1 and add CILIUM_CLI_VERSION env var (v0.19.2). Co-Authored-By: Claude Opus 4.6 --- ...ft-hypershift-release-4.22__periodics.yaml | 19 ---- .../cilium/conf/cilium-conf-commands.sh | 85 +++++++---------- .../cilium/conf/cilium-conf-ref.yaml | 10 +- ...ift-hypershift-extended-cilium-commands.sh | 95 ++++++------------- ...ushift-hypershift-extended-cilium-ref.yaml | 8 +- ...t-extended-cilium-health-check-commands.sh | 6 +- ...tended-cilium-network-policies-commands.sh | 26 +++++ ...-ovn-hypershift-guest-cilium-workflow.yaml | 1 + ...shift-aws-conformance-cilium-workflow.yaml | 8 +- .../create/hypershift-aws-create-chain.yaml | 8 ++ .../create/hypershift-azure-create-chain.yaml | 10 +- ...remetalds-conformance-cilium-workflow.yaml | 1 + ...-mce-agent-metal3-create-cilium-chain.yaml | 1 + 13 files changed, 128 insertions(+), 150 deletions(-) diff --git a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml index bfa59de65e8d2..a7c2078d2ee13 100644 --- a/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml +++ b/ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.22__periodics.yaml 
@@ -176,25 +176,6 @@ tests: minimum_interval: 168h steps: cluster_profile: hypershift-aws - env: - TEST_SKIPS: Netpol NetworkPolicy between server and client should allow egress - access to server in CIDR block \[Feature:NetworkPolicy\]\| Netpol NetworkPolicy - between server and client should ensure an IP overlapping both IPBlock.CIDR - and IPBlock.Except is allowed \[Feature:NetworkPolicy\]\| Services should - serve endpoints on same port and different protocols \[Conformance\]\| Netpol - NetworkPolicy between server and client should enforce except clause while - egress access to server in CIDR block \[Feature:NetworkPolicy\]\| Unidling - \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work - with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should - work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] - should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\] - should work with UDP\| DNS should answer queries using the local DNS endpoint\| - Ensure HTTPRoute object is created\| loadbalancer CLB should be reachable - with default configurations\| loadbalancer CLB internal should be reachable - with hairpinning traffic\| loadbalancer NLB internal should be reachable with - hairpinning traffic\| loadbalancer NLB should be reachable with target-node-labels\| - Critical-CCO-based flow for olm managed operators and AWS STS\| NonHyperShiftHOST-High-CCO - metrics endpoint validation workflow: hypershift-aws-conformance-cilium - as: e2e-aws-external-oidc minimum_interval: 12h diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh index 32dde33e7e6ff..0f2bb8fb8508a 100644 --- a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh +++ b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh 
@@ -5,8 +5,8 @@ set -o errexit set -o pipefail set -x -cilium_olm_rev="main" -cv="$CILIUM_VERSION" +CILIUM_VERSION=${CILIUM_VERSION:-"1.19.1"} +CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"0.19.2"} if [[ -f "${SHARED_DIR}/install-config.yaml" ]]; then sed -i "s/networkType: .*/networkType: Cilium/" "${SHARED_DIR}/install-config.yaml" 
@@ -26,53 +26,36 @@ spec: - 172.30.0.0/16 EOF -# OLD -- Include all Cilium OLM manifest from https://github.com/cilium/cilium-olm/tree/${cilium_olm_rev}/manifests/cilium.v${cv} -# New -- Migrating to new OLM ( https://github.com/isovalent/olm-for-cilium ) - -OLM_URL="https://github.com/isovalent/olm-for-cilium" - -curl --silent --location --fail --show-error "${OLM_URL}/archive/${cilium_olm_rev}.tar.gz" --output /tmp/cilium-olm.tgz -tar -C /tmp -xf /tmp/cilium-olm.tgz +export KUBECONFIG="${SHARED_DIR}/kubeconfig" +if [[ -f "${SHARED_DIR}/nested_kubeconfig" ]]; then + export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig" +fi -cd "/tmp/olm-for-cilium-${cilium_olm_rev}/manifests/cilium.v${cv}" -# Overwrite the CiliumConfig -cat > cluster-network-07-cilium-ciliumconfig.yaml << EOF -apiVersion: cilium.io/v1alpha1 -kind: CiliumConfig -metadata: - name: cilium - namespace: cilium -spec: - cni: - binPath: /var/lib/cni/bin - confPath: /var/run/multus/cni/net.d - endpointRoutes: - enabled: ${ENDPOINT_ROUTES} - hubble: - enabled: ${HUBBLE} - ipam: - mode: cluster-pool - operator: - clusterPoolIPv4MaskSize: "23" - clusterPoolIPv4PodCIDRList: - - 10.128.0.0/14 - kubeProxyReplacement: disabled - nativeRoutingCIDR: 10.128.0.0/14 - operator: - prometheus: - enabled: true - serviceMonitor: - enabled: true - prometheus: - enabled: true - serviceMonitor: - enabled: true - securityContext: - privileged: true - sessionAffinity: true - clusterHealthPort: 9940 - tunnelPort: 4789 -EOF -for manifest in *.yaml ; do - cp "${manifest}" "${SHARED_DIR}/manifest_${manifest}" -done +mkdir -p /tmp/bin +export PATH=/tmp/bin:$PATH +curl --fail --retry 3 -sS -L "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz" | tar -xzC /tmp/bin/ +chmod +x /tmp/bin/cilium + +cilium install \ + --namespace cilium \ + --version "${CILIUM_VERSION}" \ + --set debug.enabled=true \ + --set k8s.requireIPv4PodCIDR=true \ + --set logSystemLoad=true \ + --set 
ipv6.enabled=false \ + --set identityChangeGracePeriod=0s \ + --set ipam.mode=cluster-pool \ + --set "ipam.operator.clusterPoolIPv4PodCIDRList={10.128.0.0/14}" \ + --set ipam.operator.clusterPoolIPv4MaskSize=23 \ + --set ipv4NativeRoutingCIDR=10.128.0.0/14 \ + --set cni.binPath=/var/lib/cni/bin \ + --set cni.confPath=/var/run/multus/cni/net.d \ + --set sessionAffinity=true \ + --set hubble.enabled="${HUBBLE:-true}" \ + --set endpointRoutes.enabled="${ENDPOINT_ROUTES:-true}" \ + --set cni.chainingMode=portmap \ + --set tunnelPort=4789 \ + --set clusterHealthPort=9940 \ + --set socketLB.enabled=true + +cilium status --namespace cilium --wait \ No newline at end of file diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml b/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml index 27fbff2ddb506..01cbc9e1a9c87 100644 --- a/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml +++ b/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml @@ -8,9 +8,13 @@ ref: memory: 100Mi env: - name: CILIUM_VERSION - default: "1.13.9" + default: "1.19.1" documentation: |- - This var will default to 1.13.9, however users can override to a different Cilium version, ensure the manifests exists in the repo. + The Cilium version to install (Helm chart version). + - name: CILIUM_CLI_VERSION + default: "0.19.2" + documentation: |- + The Cilium CLI version to download from GitHub releases. - name: HUBBLE default: "true" documentation: |- @@ -20,4 +24,4 @@ ref: documentation: |- This var will default to true, however users can override to disable endpoint routes. documentation: |- - This steps installs Cilium OLM manifests (https://github.com/cilium/cilium-olm) \ No newline at end of file + This step installs Cilium CNI using the Cilium CLI (https://github.com/cilium/cilium-cli) \ No newline at end of file 
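Review bot: The Cilium CLI tarball is streamed from GitHub straight into `tar` with no integrity check (`curl ... | tar -xzC /tmp/bin/`), and the extracted binary is then run against the cluster selected by `KUBECONFIG`. Download it to a file and verify it before extraction against a SHA-256 pinned alongside `CILIUM_CLI_VERSION`. A checksum fetched from the same release only catches corruption, not a replaced asset. Extracting only the `cilium` member also keeps unexpected archive entries out of a directory that is first on `PATH`. The same download line is added in cucushift-hypershift-extended-cilium-commands.sh (hunk `@@ -25,74 +28,38 @@`).

```shell
# … unchanged: KUBECONFIG selection, mkdir -p /tmp/bin, PATH export …
# CILIUM_CLI_SHA256 is a placeholder: pin the digest of the reviewed release asset.
cli_tgz=$(mktemp)
curl --fail --retry 3 -sS -L -o "${cli_tgz}" \
  "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz"
echo "${CILIUM_CLI_SHA256}  ${cli_tgz}" | sha256sum --check --status
tar -xzf "${cli_tgz}" -C /tmp/bin/ cilium
rm -f -- "${cli_tgz}"
# … unchanged: chmod, cilium install, cilium status …
```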
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh index fbfb04e177ae4..45133db6696c5 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh @@ -2,6 +2,9 @@ set -xeuo pipefail +CILIUM_VERSION=${CILIUM_VERSION:-"1.19.1"} +CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"0.19.2"} + function set_proxy () { if test -s "${SHARED_DIR}/proxy-conf.sh" ; then echo "setting the proxy" 
@@ -25,74 +28,38 @@ if [[ -f "${SHARED_DIR}/kubeconfig.kubeadmin" ]]; then export KUBECONFIG="${SHARED_DIR}/kubeconfig.kubeadmin" fi - -cilium_ns=$(oc get ns cilium --ignore-not-found) -if [[ -z "$cilium_ns" ]]; then - oc create ns cilium -fi - -oc label ns cilium security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite - -# apply isovalent cilium CNI -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-03-cilium-ciliumconfigs-crd.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00000-cilium-namespace.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00001-cilium-olm-serviceaccount.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00002-cilium-olm-deployment.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00003-cilium-olm-service.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00004-cilium-olm-leader-election-role.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00005-cilium-olm-role.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00006-leader-election-rolebinding.yaml" -oc apply -f 
"https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00007-cilium-olm-rolebinding.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00008-cilium-cilium-olm-clusterrole.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00009-cilium-cilium-clusterrole.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00010-cilium-cilium-olm-clusterrolebinding.yaml" -oc apply -f "https://raw.githubusercontent.com/isovalent/olm-for-cilium/main/manifests/cilium.v${CILIUM_VERSION}/cluster-network-06-cilium-00011-cilium-cilium-clusterrolebinding.yaml" +mkdir -p /tmp/bin +export PATH=/tmp/bin:$PATH +curl --fail --retry 3 -sS -L "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz" | tar -xzC /tmp/bin/ +chmod +x /tmp/bin/cilium PODCIDR=$(oc get network cluster -o jsonpath='{.spec.clusterNetwork[0].cidr}') HOSTPREFIX=$(oc get network cluster -o jsonpath='{.spec.clusterNetwork[0].hostPrefix}') export PODCIDR=$PODCIDR export HOSTPREFIX=$HOSTPREFIX -echo ' -apiVersion: cilium.io/v1alpha1 -kind: CiliumConfig -metadata: - name: cilium - namespace: cilium -spec: - debug: - enabled: true - k8s: - requireIPv4PodCIDR: true - logSystemLoad: true - bpf: - preallocateMaps: true - etcd: - leaseTTL: 30s - ipv4: - enabled: true - ipv6: - enabled: false - identityChangeGracePeriod: 0s - ipam: - mode: "cluster-pool" - operator: - clusterPoolIPv4PodCIDRList: - - "${PODCIDR}" - clusterPoolIPv4MaskSize: "${HOSTPREFIX}" - nativeRoutingCIDR: "${PODCIDR}" - endpointRoutes: {enabled: true} - clusterHealthPort: 9940 - tunnelPort: 4789 - cni: - binPath: "/var/lib/cni/bin" - confPath: "/var/run/multus/cni/net.d" 
- chainingMode: portmap - prometheus: - serviceMonitor: {enabled: false} - hubble: - tls: {enabled: false} - sessionAffinity: true -' | envsubst > /tmp/ciliumconfig.json +# Note: In order to test with a development version, use: +# --repository oci://quay.io/cilium-charts-dev/cilium --version +# where is a tag from https://quay.io/repository/cilium-charts-dev/cilium +cilium install \ + --namespace cilium \ + --version "${CILIUM_VERSION}" \ + --set debug.enabled=true \ + --set k8s.requireIPv4PodCIDR=true \ + --set logSystemLoad=true \ + --set ipv6.enabled=false \ + --set identityChangeGracePeriod=0s \ + --set ipam.mode=cluster-pool \ + --set "ipam.operator.clusterPoolIPv4PodCIDRList={${PODCIDR}}" \ + --set ipam.operator.clusterPoolIPv4MaskSize=${HOSTPREFIX} \ + --set ipv4NativeRoutingCIDR=${PODCIDR} \ + --set cni.binPath=/var/lib/cni/bin \ + --set cni.confPath=/var/run/multus/cni/net.d \ + --set sessionAffinity=true \ + --set endpointRoutes.enabled="true" \ + --set cni.chainingMode=portmap \ + --set tunnelPort=4789 \ + --set clusterHealthPort=9940 \ + --set socketLB.enabled=true -oc apply -f /tmp/ciliumconfig.json +cilium status --namespace cilium --wait \ No newline at end of file diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml index 1731425ce0463..d9d40ac06ea03 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml 
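Review bot: `${HOSTPREFIX}` and `${PODCIDR}` reach `cilium install --set` unquoted and unchecked, so if the `oc get network cluster` jsonpath returns nothing the install proceeds with `ipv4NativeRoutingCIDR=` and an empty pool list instead of failing early. Adding `: "${PODCIDR:?empty clusterNetwork cidr}" "${HOSTPREFIX:?empty hostPrefix}"` before the install and quoting the arguments (`--set "ipv4NativeRoutingCIDR=${PODCIDR}"`) makes that failure explicit. The removed block also labelled the `cilium` namespace with `pod-security.kubernetes.io/enforce=privileged` and nothing in the new lines does, so it is worth confirming that the CLI-driven install covers this on OpenShift. The script continues outside the hunk.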
@@ -9,10 +9,14 @@ ref: commands: cucushift-hypershift-extended-cilium-commands.sh env: - name: CILIUM_VERSION - default: "1.15.1" + default: "1.19.1" + - name: CILIUM_CLI_VERSION + default: "0.19.2" + documentation: |- + The Cilium CLI version to download from GitHub releases. resources: requests: cpu: 100m memory: 100Mi documentation: |- - install cilium CNI for the hosted cluster. In this case, the HostedCluster.spec.networking.networkType should be Other + This step installs Cilium CNI using the Cilium CLI (https://github.com/cilium/cilium-cli) diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/health-check/cucushift-hypershift-extended-cilium-health-check-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/health-check/cucushift-hypershift-extended-cilium-health-check-commands.sh index e338a25cd5f8a..7fe468197ac50 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/health-check/cucushift-hypershift-extended-cilium-health-check-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/health-check/cucushift-hypershift-extended-cilium-health-check-commands.sh 
@@ -25,14 +25,12 @@ fi echo "Waiting for the guest cluster to be ready" timeout 30m bash -c "while [[ \$(oc get nodes --no-headers | wc -l) == 0 ]]; do sleep 15; done" -oc wait nodes --all --for=condition=Ready=true --timeout=15m -oc wait clusteroperators --all --for=condition=Available=True --timeout=30m +oc wait nodes --all --for=condition=Ready=true --timeout=30m +oc wait clusteroperators --all --for=condition=Available=True --timeout=45m oc wait clusteroperators --all --for=condition=Progressing=False --timeout=30m oc wait clusteroperators --all --for=condition=Degraded=False --timeout=30m oc wait clusterversion/version --for=condition=Available=True --timeout=30m -oc wait --for=condition=Ready pod -n cilium --all --timeout=5m - echo "Performing Cilium connectivity tests" trap "dump_connectivity_test_namespace; cleanup_connectivity_test" EXIT oc apply -f - < "${SHARED_DIR}/hypershift_create_cluster_render.yaml" exit 0 fi + + # Required for Cilium, see OCPBUGS-85607. + if [[ "$CNI_PROVIDER" == "cilium" ]]; then + COMMAND+=(--annotations=hypershift.openshift.io/aws-load-balancer-health-probe-mode=ServiceNodePort) + fi # Disabling Hosted Cluster capabilities if [[ -n "$HC_DISABLED_CAPS" ]]; then diff --git a/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml b/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml index 3bab4e0cf7115..b3a9000686a96 100644 --- a/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml +++ b/ci-operator/step-registry/hypershift/azure/create/hypershift-azure-create-chain.yaml @@ -147,7 +147,10 @@ chain: documentation: "image generation value" - name: CLI default: "" - documentation: "hcp or hypershift cli path" + documentation: "hcp or hypershift cli path" + - name: CNI_PROVIDER + default: "" + documentation: "The CNI provider to use for the cluster. Supported values: cilium" commands: |- set -exuo pipefail 
@@ -397,6 +400,11 @@ chain: "${COMMAND[@]}" > "${SHARED_DIR}/hypershift_create_cluster_render.yaml" exit 0 fi + + # Required for Cilium, see OCPBUGS-85607. + if [[ "$CNI_PROVIDER" == "cilium" ]]; then + COMMAND+=(--annotations=hypershift.openshift.io/azure-load-balancer-health-probe-mode=servicenodeport) + fi "${COMMAND[@]}" diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml index d26295fb4f203..17bedd66cc018 100644 --- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml +++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml @@ -28,6 +28,7 @@ workflow: - ref: hypershift-kubevirt-create - ref: hypershift-kubevirt-baremetalds-proxy - ref: cucushift-hypershift-extended-cilium + - ref: cucushift-hypershift-extended-cilium-network-policies - ref: cucushift-hypershift-extended-cilium-health-check env: HYPERSHIFT_NETWORK_TYPE: "Other" # Required for Cilium. diff --git a/ci-operator/step-registry/hypershift/mce/agent/metal3/create/cilium/hypershift-mce-agent-metal3-create-cilium-chain.yaml b/ci-operator/step-registry/hypershift/mce/agent/metal3/create/cilium/hypershift-mce-agent-metal3-create-cilium-chain.yaml index 9d9e5b8f15caf..4167b4964e575 100644 --- a/ci-operator/step-registry/hypershift/mce/agent/metal3/create/cilium/hypershift-mce-agent-metal3-create-cilium-chain.yaml +++ b/ci-operator/step-registry/hypershift/mce/agent/metal3/create/cilium/hypershift-mce-agent-metal3-create-cilium-chain.yaml 
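Review bot: The Cilium annotation is appended only after the render branch has already run `"${COMMAND[@]}" > "${SHARED_DIR}/hypershift_create_cluster_render.yaml"` and `exit 0`, so a manifest rendered for a Cilium cluster is written without it; the AWS create script earlier in this patch places its block the same way. Moving the `if [[ "$CNI_PROVIDER" == "cilium" ]]` block above the render branch would make both paths agree (the opening `if` of that branch is outside the hunk). The value is also spelled `servicenodeport` here and `ServiceNodePort` in the AWS block. If the consumer compares case-sensitively, one of the two may be a silent no-op, so the expected spelling should be confirmed against OCPBUGS-85607 and noted in the comment.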
@@ -7,6 +7,7 @@ chain: - ref: hypershift-mce-agent-create-hostedcluster - ref: hypershift-agent-create-proxy - ref: cucushift-hypershift-extended-cilium + - ref: cucushift-hypershift-extended-cilium-network-policies - ref: hypershift-agent-create-add-worker-metal3 - ref: cucushift-hypershift-extended-enable-qe-catalogsource - ref: hypershift-agent-create-metallb-catalogsource From e0722ede23b6a2a3ea8b1faa0209afc0578a24a1 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Fri, 15 May 2026 11:17:19 +0200 Subject: [PATCH 3/6] Return timeouts to previous values --- ...ushift-hypershift-extended-cilium-health-check-commands.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/health-check/cucushift-hypershift-extended-cilium-health-check-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/health-check/cucushift-hypershift-extended-cilium-health-check-commands.sh index 7fe468197ac50..ce9999d060d9e 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/health-check/cucushift-hypershift-extended-cilium-health-check-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/health-check/cucushift-hypershift-extended-cilium-health-check-commands.sh @@ -25,8 +25,8 @@ fi echo "Waiting for the guest cluster to be ready" timeout 30m bash -c "while [[ \$(oc get nodes --no-headers | wc -l) == 0 ]]; do sleep 15; done" -oc wait nodes --all --for=condition=Ready=true --timeout=30m -oc wait clusteroperators --all --for=condition=Available=True --timeout=45m +oc wait nodes --all --for=condition=Ready=true --timeout=15m +oc wait clusteroperators --all --for=condition=Available=True --timeout=30m oc wait clusteroperators --all --for=condition=Progressing=False --timeout=30m oc wait clusteroperators --all --for=condition=Degraded=False --timeout=30m oc wait clusterversion/version --for=condition=Available=True --timeout=30m 
From ebc8b0949c2560a89f4bbe1266f2bc47d82ec937 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Fri, 15 May 2026 11:38:02 +0200 Subject: [PATCH 4/6] Create cilium namespace in advance --- ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh | 2 ++ .../cilium/cucushift-hypershift-extended-cilium-commands.sh | 2 ++ 2 files changed, 4 insertions(+) diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh index 0f2bb8fb8508a..e4990b783e9e9 100644 --- a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh +++ b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh @@ -36,6 +36,8 @@ export PATH=/tmp/bin:$PATH curl --fail --retry 3 -sS -L "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz" | tar -xzC /tmp/bin/ chmod +x /tmp/bin/cilium +oc create ns cilium + cilium install \ --namespace cilium \ --version "${CILIUM_VERSION}" \ diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh index 45133db6696c5..cbddb67de4c43 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh @@ -38,6 +38,8 @@ HOSTPREFIX=$(oc get network cluster -o jsonpath='{.spec.clusterNetwork[0].hostPr export PODCIDR=$PODCIDR export HOSTPREFIX=$HOSTPREFIX +oc create ns cilium + # Note: In order to test with a development version, use: # --repository oci://quay.io/cilium-charts-dev/cilium --version # where is a tag from https://quay.io/repository/cilium-charts-dev/cilium From 4dcbf8d3d7a7af19deb15ad95d34e8b6eefb02ed Mon Sep 17 00:00:00 2001 
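Review bot: In cilium-conf-commands.sh, the cilium CLI tarball on the context line above the new `oc create ns cilium` is streamed from GitHub straight into `tar` with no integrity check, and the binary it yields then drives `cilium install` against the cluster. The cilium-cli releases publish a `.sha256sum` file beside each tarball, so the step can download both and verify before extracting, as sketched below. A checksum fetched from the same release only catches corruption or truncation, so pinning the expected digest in the step's env next to `CILIUM_CLI_VERSION` would be the stronger form. The script's option line is outside the hunk, so whether a failed `curl` in that pipe is caught at all is not visible here.

```shell
# … unchanged: export PATH=/tmp/bin:$PATH …
cli_base="https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}"
cli_tmp=$(mktemp -d)
(
  cd "${cli_tmp}" &&
    curl --fail --retry 3 -sS -L --remote-name-all \
      "${cli_base}/cilium-linux-amd64.tar.gz" \
      "${cli_base}/cilium-linux-amd64.tar.gz.sha256sum" &&
    sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
) || exit 1
tar -xzC /tmp/bin/ -f "${cli_tmp}/cilium-linux-amd64.tar.gz"
# … unchanged: chmod +x /tmp/bin/cilium, oc create ns cilium …
```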
From: Martin Gencur Date: Fri, 15 May 2026 12:05:06 +0200 Subject: [PATCH 5/6] Create cilium ns and add SCC --- .../step-registry/cilium/conf/cilium-conf-commands.sh | 5 ++++- .../cilium/cucushift-hypershift-extended-cilium-commands.sh | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh index e4990b783e9e9..0afaa3b33409c 100644 --- a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh +++ b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh @@ -36,7 +36,10 @@ export PATH=/tmp/bin:$PATH curl --fail --retry 3 -sS -L "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz" | tar -xzC /tmp/bin/ chmod +x /tmp/bin/cilium -oc create ns cilium +oc get ns cilium || oc create ns cilium +oc adm policy add-scc-to-user privileged -z cilium -n cilium +oc adm policy add-scc-to-user privileged -z cilium-operator -n cilium +oc adm policy add-scc-to-user privileged -z cilium-envoy -n cilium cilium install \ --namespace cilium \ diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh index cbddb67de4c43..636f1ed0c9f23 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh 
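Review bot: The three `oc adm policy add-scc-to-user privileged` lines grant the most permissive SCC to the `cilium`, `cilium-operator` and `cilium-envoy` service accounts with no comment saying why each one needs it, and the same block is added to cucushift-hypershift-extended-cilium-commands.sh in the next hunk. The agent plausibly needs `privileged`, but whether the operator and envoy accounts do is not shown here and is worth confirming, since any pod running under those accounts in the namespace is then admitted as privileged. At minimum I would put a comment above the block, e.g. `# privileged SCC needed by <component> for <reason>; see <issue or doc link>`, and drop any grant that turns out to be unnecessary. Separately, `oc get ns cilium || oc create ns cilium` treats every `oc get` failure as a missing namespace; `oc create ns cilium --dry-run=client -o yaml | oc apply -f -` is idempotent without that ambiguity.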
@@ -38,7 +38,10 @@ HOSTPREFIX=$(oc get network cluster -o jsonpath='{.spec.clusterNetwork[0].hostPr export PODCIDR=$PODCIDR export HOSTPREFIX=$HOSTPREFIX -oc create ns cilium +oc get ns cilium || oc create ns cilium +oc adm policy add-scc-to-user privileged -z cilium -n cilium +oc adm policy add-scc-to-user privileged -z cilium-operator -n cilium +oc adm policy add-scc-to-user privileged -z cilium-envoy -n cilium # Note: In order to test with a development version, use: # --repository oci://quay.io/cilium-charts-dev/cilium --version From cdaf5395587ea9aa503dd1bcaf0405ae89b6743c Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Fri, 15 May 2026 13:15:25 +0200 Subject: [PATCH 6/6] Fix version check --- ...-hypershift-extended-cilium-network-policies-commands.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh index bac3879df6ecb..dc903afebaf74 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/network-policies/cucushift-hypershift-extended-cilium-network-policies-commands.sh 
@@ -10,9 +10,9 @@ if [[ -f "${SHARED_DIR}/nested_kubeconfig" ]]; then export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig" fi -OCP_MINOR_VERSION=$(oc version | grep "Server Version" | cut -d '.' -f2) -if [ "$OCP_MINOR_VERSION" -lt 22 ]; then - echo "OCP version 4.${OCP_MINOR_VERSION} is older than 4.22, skipping NetworkPolicy workarounds" +OCP_VERSION=$(oc get clusterversion version -o jsonpath='{.status.desired.version}' | cut -d. -f1-2) +if [ "$OCP_VERSION" != "4.22" ]; then + echo "OCP version ${OCP_VERSION} is not 4.22, skipping NetworkPolicy workarounds" exit 0 fi
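Review bot: An empty `OCP_VERSION` takes the same branch as a real non-4.22 version, so if the `oc get clusterversion` lookup returns nothing the step prints "is not 4.22" and exits 0 without applying the NetworkPolicy workarounds. Whether strict mode would stop the script first is not visible, because the hunk starts below the script's header. I would fail closed before the comparison: `[[ -n "$OCP_VERSION" ]] || { echo "cannot determine OCP version" >&2; exit 1; }`. The check also changed from "older than 4.22" to "exactly 4.22", so 4.23 and later now skip the workarounds; if that is intended, a one-line comment such as `# workaround applies to 4.22 only` would keep the next version bump from tripping over it.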