From 6bf27192de38132ce960e6f6eabde3bafc6e0419 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Martins?=
Date: Thu, 26 Sep 2024 11:57:32 +0200
Subject: [PATCH] test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: André Martins --- .github/workflows/ariane-scheduled.yaml | 63 -- .github/workflows/auto-approve.yaml | 53 -- .github/workflows/auto-labeler.yaml | 86 -- .../workflows/build-images-base-renovate.yaml | 26 - .github/workflows/build-images-base.yaml | 317 ------- .github/workflows/build-images-beta.yaml | 177 ---- .../workflows/build-images-docs-builder.yaml | 183 ---- .github/workflows/build-images-hotfixes.yaml | 166 ---- .github/workflows/build-images-releases.yaml | 213 ----- .../call-backport-label-updater.yaml | 21 - .../workflows/ci-images-garbage-collect.yaml | 26 - .github/workflows/close-stale-issues.yaml | 45 - .github/workflows/conformance-aks.yaml | 394 --------- .github/workflows/conformance-aws-cni.yaml | 419 ---------- .../workflows/conformance-clustermesh.yaml | 667 --------------- .../workflows/conformance-delegated-ipam.yaml | 342 -------- .github/workflows/conformance-eks.yaml | 472 ----------- .../conformance-externalworkloads.yaml | 454 ---------- .../workflows/conformance-gateway-api.yaml | 351 -------- .github/workflows/conformance-ginkgo.yaml | 521 ------------ .github/workflows/conformance-gke.yaml | 403 --------- .github/workflows/conformance-ingress.yaml | 446 ---------- .github/workflows/conformance-ipsec-e2e.yaml | 472 ----------- ...conformance-k8s-kind-network-policies.yaml | 244 ------ .github/workflows/conformance-k8s-kind.yaml | 244 ------ .../conformance-k8s-network-policies.yaml | 156 ---- .../conformance-kind-proxy-embedded.yaml | 150 ---- .github/workflows/conformance-multi-pool.yaml | 291 ------- .github/workflows/conformance-runtime.yaml | 486 ----------- .github/workflows/documentation.yaml | 96 --- .github/workflows/fqdn-perf.yaml | 294 ------- .../hubble-cli-integration-test.yaml | 224 ----- .github/workflows/integration-test.yaml | 167 ---- .github/workflows/lint-bpf-checks.yaml | 120 --- .github/workflows/lint-codeowners.yaml | 129 --- .github/workflows/lint-go.yaml | 143 ---- 
.github/workflows/lint-images-base.yaml | 44 - .github/workflows/lint-workflows.yaml | 266 ------ .github/workflows/needs-more-info.yaml | 18 - .github/workflows/net-perf-gke.yaml | 356 -------- .github/workflows/push-chart-ci.yaml | 173 ---- .github/workflows/release.yaml | 93 --- .../workflows/renovate-config-validator.yaml | 21 - .github/workflows/renovate.yaml | 48 -- .github/workflows/scale-test-100-gce.yaml | 372 --------- .github/workflows/scale-test-clustermesh.yaml | 411 --------- .../scale-test-node-throughput-gce.yaml | 227 ----- .github/workflows/tests-ces-migrate.yaml | 237 ------ .github/workflows/tests-cifuzz.yaml | 31 - .../workflows/tests-clustermesh-upgrade.yaml | 780 ------------------ .../workflows/tests-datapath-verifier.yaml | 191 ----- .github/workflows/tests-e2e-upgrade.yaml | 679 --------------- .github/workflows/tests-ipsec-upgrade.yaml | 494 ----------- .github/workflows/tests-l4lb.yaml | 152 ---- .github/workflows/tests-smoke-ipv6.yaml | 175 ---- .github/workflows/tests-smoke.yaml | 206 ----- .../workflows/update-label-backport-pr.yaml | 51 -- 57 files changed, 14086 deletions(-) delete mode 100644 .github/workflows/ariane-scheduled.yaml delete mode 100644 .github/workflows/auto-approve.yaml delete mode 100644 .github/workflows/auto-labeler.yaml delete mode 100644 .github/workflows/build-images-base-renovate.yaml delete mode 100644 .github/workflows/build-images-base.yaml delete mode 100644 .github/workflows/build-images-beta.yaml delete mode 100644 .github/workflows/build-images-docs-builder.yaml delete mode 100644 .github/workflows/build-images-hotfixes.yaml delete mode 100644 .github/workflows/build-images-releases.yaml delete mode 100644 .github/workflows/call-backport-label-updater.yaml delete mode 100644 .github/workflows/ci-images-garbage-collect.yaml delete mode 100644 .github/workflows/close-stale-issues.yaml delete mode 100644 .github/workflows/conformance-aks.yaml delete mode 100644 .github/workflows/conformance-aws-cni.yaml 
delete mode 100644 .github/workflows/conformance-clustermesh.yaml
delete mode 100644 .github/workflows/conformance-delegated-ipam.yaml
delete mode 100644 .github/workflows/conformance-eks.yaml
delete mode 100644 .github/workflows/conformance-externalworkloads.yaml
delete mode 100644 .github/workflows/conformance-gateway-api.yaml
delete mode 100644 .github/workflows/conformance-ginkgo.yaml
delete mode 100644 .github/workflows/conformance-gke.yaml
delete mode 100644 .github/workflows/conformance-ingress.yaml
delete mode 100644 .github/workflows/conformance-ipsec-e2e.yaml
delete mode 100644 .github/workflows/conformance-k8s-kind-network-policies.yaml
delete mode 100644 .github/workflows/conformance-k8s-kind.yaml
delete mode 100644 .github/workflows/conformance-k8s-network-policies.yaml
delete mode 100644 .github/workflows/conformance-kind-proxy-embedded.yaml
delete mode 100644 .github/workflows/conformance-multi-pool.yaml
delete mode 100644 .github/workflows/conformance-runtime.yaml
delete mode 100644 .github/workflows/documentation.yaml
delete mode 100644 .github/workflows/fqdn-perf.yaml
delete mode 100644 .github/workflows/hubble-cli-integration-test.yaml
delete mode 100644 .github/workflows/integration-test.yaml
delete mode 100644 .github/workflows/lint-bpf-checks.yaml
delete mode 100644 .github/workflows/lint-codeowners.yaml
delete mode 100644 .github/workflows/lint-go.yaml
delete mode 100644 .github/workflows/lint-images-base.yaml
delete mode 100644 .github/workflows/lint-workflows.yaml
delete mode 100644 .github/workflows/needs-more-info.yaml
delete mode 100644 .github/workflows/net-perf-gke.yaml
delete mode 100644 .github/workflows/push-chart-ci.yaml
delete mode 100644 .github/workflows/release.yaml
delete mode 100644 .github/workflows/renovate-config-validator.yaml
delete mode 100644 .github/workflows/renovate.yaml
delete mode 100644 .github/workflows/scale-test-100-gce.yaml
delete mode 100644 .github/workflows/scale-test-clustermesh.yaml
delete mode 100644
.github/workflows/scale-test-node-throughput-gce.yaml
delete mode 100644 .github/workflows/tests-ces-migrate.yaml
delete mode 100644 .github/workflows/tests-cifuzz.yaml
delete mode 100644 .github/workflows/tests-clustermesh-upgrade.yaml
delete mode 100644 .github/workflows/tests-datapath-verifier.yaml
delete mode 100644 .github/workflows/tests-e2e-upgrade.yaml
delete mode 100644 .github/workflows/tests-ipsec-upgrade.yaml
delete mode 100644 .github/workflows/tests-l4lb.yaml
delete mode 100644 .github/workflows/tests-smoke-ipv6.yaml
delete mode 100644 .github/workflows/tests-smoke.yaml
delete mode 100644 .github/workflows/update-label-backport-pr.yaml
diff --git a/.github/workflows/ariane-scheduled.yaml b/.github/workflows/ariane-scheduled.yaml
deleted file mode 100644
index d47674c84c4d0..0000000000000
--- a/.github/workflows/ariane-scheduled.yaml
+++ /dev/null
@@ -1,63 +0,0 @@ -name: Ariane scheduled workflows - -on: - # Run every 1 hours - # Tests are only run when current hour % 6 corresponds - # to the branch hourModulo value in the matrix - schedule: - - cron: '0 */1 * * *' - - -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To trigger workflows via workflow_dispatch - actions: write - -jobs: - ariane-scheduled: - name: Run Scheduled Workflows - strategy: - fail-fast: false - matrix: - include: - # DON'T USE hourModulo=0 to avoid running ariane scheduled-workflows - # at the same time as regular main scheduled workflows - - branch: '1.14' - hourModulo: 1 - - branch: '1.15' - hourModulo: 2 - - branch: '1.16' - hourModulo: 3 - runs-on: ubuntu-latest - steps: - - name: Checkout branch - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: v${{ matrix.branch }} - persist-credentials: false - - - name: Manually run Ariane workflows from the branch - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - HOUR=$(date -u +"%H") - if (( HOUR % 6 == ${{ matrix.hourModulo }} )); then - echo "Running scheduled workflows for branch ${{ matrix.branch }}" - else - echo "Skipping scheduled workflows for branch ${{ matrix.branch }}" - exit 0 - fi - BRANCH="${{ matrix.branch }}" - REF="v${BRANCH}" - SHA=$(git rev-parse ${REF}) - readarray workflows < <(TRIGGER="/test-backport-${BRANCH}" yq '.triggers[env(TRIGGER)].workflows[]' .github/ariane-config.yaml) - - for workflow in ${workflows[@]}; do - echo triggering ${workflow} - gh workflow run ${workflow} \ - --ref ${REF} \ - -f PR-number=${REF/./-} \ - -f context-ref=${REF} \ - -f SHA=${SHA} - done diff --git a/.github/workflows/auto-approve.yaml b/.github/workflows/auto-approve.yaml deleted file mode 100644 index 0935d722238ca..0000000000000 --- a/.github/workflows/auto-approve.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -name: Approve Renovate PR - -on: - pull_request: - types: - - review_requested - -jobs: - pre-approve: - # Avoid running the 'auto-approve' environment if we don't need to. - name: Pre-Approve - runs-on: ubuntu-latest - if: ${{ - github.event.pull_request.user.login == 'cilium-renovate[bot]' && - github.triggering_actor == 'cilium-renovate[bot]' && - github.event.requested_reviewer.login == 'ciliumbot' - }} - steps: - - name: Debug - run: | - echo ${{ github.event.pull_request.user.login }} - echo ${{ github.triggering_actor }} - echo ${{ github.event.requested_reviewer.login }} - - approve: - name: Approve - needs: pre-approve - environment: auto-approve - runs-on: ubuntu-latest - steps: - - name: Debug - run: | - echo ${{ github.event.pull_request.user.login }} - echo ${{ github.triggering_actor }} - echo ${{ github.event.requested_reviewer.login }} - - - name: Approve PR - # Approve the PR if all the following conditions are true: - # - the PR review was requested by renovate bot and - # - the PR was also created by renovate bot - # - the requested reviewer was the trusted 'ciliumbot' - if: ${{ - github.event.pull_request.user.login == 'cilium-renovate[bot]' && - github.triggering_actor == 'cilium-renovate[bot]' && - github.event.requested_reviewer.login == 'ciliumbot' - }} - env: - TOKEN: ${{ secrets.AUTO_APPROVE_TOKEN }} - GITHUB_REPOSITORY: ${{ github.repository }} - PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} - run: | - echo ${TOKEN} | gh auth login --with-token - gh -R ${GITHUB_REPOSITORY} pr review ${PULL_REQUEST_NUMBER} --approve diff --git a/.github/workflows/auto-labeler.yaml b/.github/workflows/auto-labeler.yaml deleted file mode 100644 index ed00604232260..0000000000000 --- a/.github/workflows/auto-labeler.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -name: PR and Issues Auto Labeler - -on: - pull_request_target: - types: - - opened - - reopened - -jobs: - external-contributions: - if: | - ( - (github.event.pull_request.author_association != 'OWNER') && - (github.event.pull_request.author_association != 'COLLABORATOR') && - (github.event.pull_request.author_association != 'MEMBER') - ) - runs-on: ubuntu-latest - name: External Contributions - permissions: - pull-requests: write - steps: - # Detect if the secret 'CHECK_TEAM_ORG_APP_ID' is set. If it's not set, don't - # bother running this GH workflow. - - name: Check if CHECK_TEAM_ORG_APP_ID is set in github secrets - id: check_secret - run: | - echo "is_CHECK_TEAM_ORG_APP_ID_set: ${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}" - echo is_CHECK_TEAM_ORG_APP_ID_set="${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}" >> $GITHUB_OUTPUT - - - name: Get token - # Get a token with the read:org permissions so that the GH action - # can read the team membership for a user. We need to do this over a - # GH app because GH actions don't have support for these type of - # permissions. 
- if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }} - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.CHECK_TEAM_ORG_PEM }} - APP_ID: ${{ secrets.CHECK_TEAM_ORG_APP_ID }} - - - name: Check author association - if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }} - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - id: author_association - # https://docs.github.com/en/rest/orgs/members?apiVersion=2022-11-28#check-organization-membership-for-a-user - with: - github-token: ${{ steps.get_token.outputs.app_token }} - script: | - try { - const result = await github.rest.orgs.checkMembershipForUser({ - org: "${{ github.repository_owner }}", - username: "${{github.event.pull_request.user.login}}", - }) - return result.status == 204; - } catch { - return false; - } - - - name: Print author association - if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }} - run: | - echo author_association_from_event=${{ github.event.pull_request.author_association }} - echo author_association_from_api=${{ steps.author_association.outputs.result }} - - - name: Set label - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' && steps.author_association.outputs.result != 'true' }} - with: - script: | - github.rest.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ["kind/community-contribution"] - }) - - auto-labeler: - name: Auto Labeler - permissions: - contents: read - pull-requests: write - runs-on: ubuntu-latest - steps: - - name: Label The PR - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 
diff --git a/.github/workflows/build-images-base-renovate.yaml b/.github/workflows/build-images-base-renovate.yaml deleted file mode 100644 index 73fc6b42ffefd..0000000000000 --- a/.github/workflows/build-images-base-renovate.yaml +++ /dev/null @@ -1,26 +0,0 @@ -name: Base Image Release Build - Renovate - -# Any change in triggers needs to be reflected in the concurrency group. -on: - push: - branches: - - "renovate/main-**" - paths: - - images/runtime/** - - images/builder/** - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -jobs: - build-base-images-from-renovate: - name: "Build Base Images From Renovate" - uses: ./.github/workflows/build-images-base.yaml - secrets: inherit - with: - # Build the base images from this environment which is set up specifically - # for renovate. - environment: release-base-images-renovate diff --git a/.github/workflows/build-images-base.yaml b/.github/workflows/build-images-base.yaml deleted file mode 100644 index 2eda18602a585..0000000000000 --- a/.github/workflows/build-images-base.yaml +++ /dev/null 
@@ -1,317 +0,0 @@ -name: Base Image Release Build - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request_target: - types: - - opened - - synchronize - - reopened - paths: - - images/runtime/** - - images/builder/** - # This workflow can be reused so that renovate can execute this workflow_dispatch: - # run from a different environment than 'release-base-images'. See - # build-images-base-renovate.yaml - workflow_call: - secrets: - QUAY_BASE_RELEASE_USERNAME: - required: true - QUAY_BASE_RELEASE_PASSWORD: - required: true - AUTO_COMMITTER_PEM: - required: true - AUTO_COMMITTER_APP_ID: - required: true - inputs: - environment: - required: true - type: string - default: "release-base-images" - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - build-and-push: - # Skip this workflow for branches that are created by renovate and event type is pull_request_target - if: ${{ ! 
(github.event_name == 'pull_request_target' && startsWith(github.head_ref, 'renovate/')) }} - name: Build and Push Images - timeout-minutes: 45 - environment: ${{ inputs.environment || 'release-base-images' }} - runs-on: ubuntu-22.04 - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Cleanup Disk space in runner - uses: ./.github/actions/disk-cleanup - - - name: Copy scripts to trusted directory - run: | - mkdir -p ../cilium-base-branch/images/runtime/ - cp ./images/runtime/update-cilium-runtime-image.sh ../cilium-base-branch/images/runtime/ - mkdir -p ../cilium-base-branch/images/builder/ - cp ./images/builder/update-cilium-builder-image.sh ../cilium-base-branch/images/builder/ - mkdir -p ../cilium-base-branch/api/v1 - cp ./api/v1/Makefile ../cilium-base-branch/api/v1/ - cp ./Makefile.defs ../cilium-base-branch/Makefile.defs - cp ./Makefile.quiet ../cilium-base-branch/Makefile.quiet - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - - name: Set up QEMU - id: qemu - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - - - name: Install Cosign - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set-up git - run: | - git config user.name "Cilium Imagebot" - git config user.email "noreply@cilium.io" - - - name: Generating image tag for Cilium-Runtime - id: runtime-tag - run: | - echo tag="$(git ls-tree --full-tree HEAD -- ./images/runtime | awk '{ print $3 }')" >> $GITHUB_OUTPUT - - - name: Checking if tag for Cilium-Runtime already exists - id: cilium-runtime-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: Login to quay.io - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }} - password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }} - - - name: Release build cilium-runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 - id: docker_build_release_runtime - with: - provenance: false - context: ./images/runtime - file: ./images/runtime/Dockerfile - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} - - - name: Sign Container Image Runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }} - - - - name: Generate SBOM - if: ${{ 
steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 - with: - artifact-name: sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json - output-file: ./sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} - - - name: Attach SBOM attestation to container image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign attest -r -y --predicate sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }} - - - name: Image Release Digest Runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - shell: bash - run: | - mkdir -p image-digest/ - echo "## cilium-runtime" > image-digest/cilium-runtime.txt - echo "" >> image-digest/cilium-runtime.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}\`" >> image-digest/cilium-runtime.txt - echo "" >> image-digest/cilium-runtime.txt - - - name: Upload artifact digests runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: image-digest cilium-runtime - path: image-digest - retention-days: 1 - - - name: Update Runtime Image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - ../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}" - git commit -sam "images: update 
cilium-{runtime,builder}" - - - name: Generating image tag for Cilium-Builder - id: builder-tag - run: | - echo tag="$(git ls-tree --full-tree HEAD -- ./images/builder | awk '{ print $3 }')" >> $GITHUB_OUTPUT - - - name: Checking if tag for Cilium-Builder already exists - id: cilium-builder-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: Login to quay.io - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' && steps.cilium-runtime-tag-in-repositories.outputs.exists != 'false' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }} - password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }} - - - name: Release build cilium-builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 - id: docker_build_release_builder - with: - provenance: false - context: ./images/builder - file: ./images/builder/Dockerfile - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} - - - name: Sign Container Image Builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }} - - - name: Generate SBOM - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 - with: - artifact-name: sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json - 
output-file: ./sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} - - - name: Attach SBOM attestation to container image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign attest -r -y --predicate sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }} - - - name: Image Release Digest Builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - shell: bash - run: | - mkdir -p image-digest/ - echo "## cilium-builder" > image-digest/cilium-builder.txt - echo "" >> image-digest/cilium-builder.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}\`" >> image-digest/cilium-builder.txt - echo "" >> image-digest/cilium-builder.txt - - - name: Upload artifact digests builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: image-digest cilium-builder - path: image-digest - retention-days: 1 - - - name: Update Runtime Images - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - ../cilium-base-branch/images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}" - - - name: Update Builder Images - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - ../cilium-base-branch/images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag 
}}@${{ steps.docker_build_release_builder.outputs.digest }}" - - - name: Update Protobuf APIs - # The builder image contains 'protoc', which can cause autogenerated - # protobuf files to change. Re-generate the API to compensate. - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - env: - CONTAINER_IMAGE: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }} - run: | - export VOLUME=$PWD/api/v1 - make -C ../cilium-base-branch/api/v1 - - - name: Commit changes by amending previous commit - # Run this step in case we have committed the cilium-runtime changes before - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - git commit --amend -sam "images: update cilium-{runtime,builder}" - - - name: Commit changes - # Run this step in case we have NOT committed the cilium-runtime changes before - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists != 'false' && steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - git commit -sam "images: update cilium-{runtime,builder}" - - - name: Get token - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' || steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }} - APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }} - - - name: Push changes into PR - env: - ref: ${{ github.event.pull_request.head.ref || github.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' || steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - git diff HEAD^ - git push https://x-access-token:${{ steps.get_token.outputs.app_token 
}}@github.com/${{ env.repository }}.git HEAD:${{ env.ref }} - - image-digests: - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push - steps: - - name: Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: image-digest/ - pattern: "*image-digest *" - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat diff --git a/.github/workflows/build-images-beta.yaml b/.github/workflows/build-images-beta.yaml deleted file mode 100644 index e634bbdb5916b..0000000000000 --- a/.github/workflows/build-images-beta.yaml +++ /dev/null 
@@ -1,177 +0,0 @@ -name: Beta Image Release Build - -on: - workflow_dispatch: - inputs: - tag: - description: 'Docker Image Tag' - required: true - suffix: - description: 'Docker Image Suffix (e.g. "beta" -> "cilium-beta")' - required: true - default: "beta" - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - build-and-push: - timeout-minutes: 45 - name: Build and Push Images - environment: release-beta-images - runs-on: ubuntu-22.04 - strategy: - matrix: - include: - - name: cilium - dockerfile: ./images/cilium/Dockerfile - - - name: operator - dockerfile: ./images/operator/Dockerfile - - - name: operator-aws - dockerfile: ./images/operator/Dockerfile - - - name: operator-azure - dockerfile: ./images/operator/Dockerfile - - - name: operator-alibabacloud - dockerfile: ./images/operator/Dockerfile - - - name: operator-generic - dockerfile: ./images/operator/Dockerfile - - - name: hubble-relay - dockerfile: ./images/hubble-relay/Dockerfile - - - name: clustermesh-apiserver - dockerfile: ./images/clustermesh-apiserver/Dockerfile - - - name: docker-plugin - dockerfile: ./images/cilium-docker-plugin/Dockerfile - - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Cleanup Disk space in runner - uses: ./.github/actions/disk-cleanup - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: 
docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - - name: Login to quay.io - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_BETA_USERNAME }} - password: ${{ secrets.QUAY_BETA_PASSWORD }} - - - name: Getting image tag - id: tag - run: | - echo tag=${GITHUB_REF##*/} >> $GITHUB_OUTPUT - - - name: Checking if tag already exists - id: tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} &>/dev/null; then - echo "Tag already exists!" - exit 1 - fi - - - name: Checkout Source Code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - - name: Release Build ${{ matrix.name }} - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 - id: docker_build_release - with: - provenance: false - context: . 
- file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Install Cosign - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - - - name: Sign Container Image - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${{ steps.docker_build_release.outputs.digest }} - - - name: Generate SBOM - uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 - with: - artifact-name: sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx.json - output-file: ./sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} - - - name: Attach SBOM attestation to container image - run: | - cosign attest -r -y --predicate sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${{ steps.docker_build_release.outputs.digest }} - - - name: Image Release Digest - shell: bash - run: | - mkdir -p image-digest/ - echo "## ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - - # Upload artifact digests - - name: Upload artifact digests - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: image-digest ${{ 
matrix.name }} - path: image-digest - retention-days: 1 - - image-digests: - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push - steps: - - name: Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: image-digest/ - pattern: "*image-digest *" - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat diff --git a/.github/workflows/build-images-docs-builder.yaml b/.github/workflows/build-images-docs-builder.yaml deleted file mode 100644 index 2e372dd23bf5e..0000000000000 --- a/.github/workflows/build-images-docs-builder.yaml +++ /dev/null 
@@ -1,183 +0,0 @@ -name: Docs-builder Image Build - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request_target: - types: - - opened - - synchronize - - reopened - paths: - - Documentation/Dockerfile - - Documentation/requirements.txt - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} - cancel-in-progress: true - -jobs: - build-and-push: - name: Build and Push Image - runs-on: ubuntu-22.04 - timeout-minutes: 30 - environment: docs-builder - outputs: - tag: ${{ steps.docs-builder-tag.outputs.tag }} - digest: ${{ steps.docker-build-docs-builder.outputs.digest }} - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Cleanup Disk space in runner - uses: ./.github/actions/disk-cleanup - - - name: Set environment variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - - - name: Generate image tag for docs-builder - id: docs-builder-tag - run: | - echo tag="$(git ls-tree --full-tree HEAD -- ./Documentation | awk '{ print $3 }')" >> $GITHUB_OUTPUT - - - name: Check if tag for docs-builder already exists - id: docs-builder-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ steps.docs-builder-tag.outputs.tag }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: Login to quay.io - if: ${{ steps.docs-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_DOCS_BUILDER_USERNAME }} - password: ${{ secrets.QUAY_DOCS_BUILDER_PASSWORD }} - logout: true - - - name: Build docs-builder image - if: ${{ steps.docs-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 - id: docker-build-docs-builder - with: - provenance: false - context: ./Documentation - file: ./Documentation/Dockerfile - push: true - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ steps.docs-builder-tag.outputs.tag }} - - # Use a separate job for the steps below, to ensure we're no longer logged - # into Quay.io. 
- update-pr: - name: Update Pull Request with new image reference - needs: build-and-push - if: needs.build-and-push.outputs.digest - runs-on: ubuntu-22.04 - timeout-minutes: 10 - environment: docs-builder - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set environment variables - uses: ./.github/actions/set-env-variables - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set up git - run: | - git config user.name "Cilium Imagebot" - git config user.email "noreply@cilium.io" - - - name: Update docs-builder image reference in CI workflow - run: | - NEW_IMAGE="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ needs.build-and-push.outputs.tag }}@${{ needs.build-and-push.outputs.digest }}" - # Run in Docker to prevent the script from accessing the environment. 
- docker run --rm -v $PWD:/cilium -w /cilium "${NEW_IMAGE}" \ - bash -c "git config --global --add safe.directory /cilium && \ - /cilium/Documentation/update-docs-builder-image.sh ${NEW_IMAGE}" - git commit -sam "ci: update docs-builder" - - - name: Get token - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }} - APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }} - - - name: Push changes into PR - env: - REF: ${{ github.event.pull_request.head.ref }} - run: | - git diff HEAD^ - git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ github.event.pull_request.head.repo.full_name }}.git HEAD:"$REF" - - image-digest: - name: Retrieve and display image digest - needs: build-and-push - if: needs.build-and-push.outputs.digest - runs-on: ubuntu-22.04 - timeout-minutes: 10 - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set environment variables - uses: ./.github/actions/set-env-variables - - - name: Retrieve image digest - shell: bash - run: | - NEW_IMAGE="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ needs.build-and-push.outputs.tag }}@${{ needs.build-and-push.outputs.digest }}" - mkdir -p image-digest/ - echo "## docs-builder" > image-digest/docs-builder.txt - echo "" >> image-digest/docs-builder.txt - echo "\`${NEW_IMAGE}\`" >> image-digest/docs-builder.txt - echo "" >> image-digest/docs-builder.txt - - - name: Upload artifact digests - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: image-digest docs-builder - path: image-digest - retention-days: 1 - - - name: Output image digest - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat 
diff --git a/.github/workflows/build-images-hotfixes.yaml b/.github/workflows/build-images-hotfixes.yaml deleted file mode 100644 index 7c06dae8fe4ce..0000000000000 --- a/.github/workflows/build-images-hotfixes.yaml +++ /dev/null 
@@ -1,166 +0,0 @@ -name: Hot Fix Image Release Build - -on: - push: - branches: - - hf/main/** - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -jobs: - build-and-push: - timeout-minutes: 45 - name: Build and Push Images - environment: release-developer-images - runs-on: ubuntu-22.04 - strategy: - matrix: - include: - - name: cilium - dockerfile: ./images/cilium/Dockerfile - - - name: operator - dockerfile: ./images/operator/Dockerfile - - - name: operator-aws - dockerfile: ./images/operator/Dockerfile - - - name: operator-azure - dockerfile: ./images/operator/Dockerfile - - - name: operator-alibabacloud - dockerfile: ./images/operator/Dockerfile - - - name: operator-generic - dockerfile: ./images/operator/Dockerfile - - - name: hubble-relay - dockerfile: ./images/hubble-relay/Dockerfile - - - name: clustermesh-apiserver - dockerfile: ./images/clustermesh-apiserver/Dockerfile - - - name: docker-plugin - dockerfile: ./images/cilium-docker-plugin/Dockerfile - - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Cleanup Disk space in runner - uses: ./.github/actions/disk-cleanup - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - - name: Login to quay.io - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_DEVELOPER_USERNAME }} - password: ${{ secrets.QUAY_DEVELOPER_PASSWORD }} - - - name: Getting image tag - id: tag - run: | - echo tag=${GITHUB_REF##*/} >> $GITHUB_OUTPUT - - - name: Checking if tag 
already exists - id: tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }} &>/dev/null; then - echo "Tag already exists!" - exit 1 - fi - - - name: Checkout Source Code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - - name: Release Build ${{ matrix.name }} - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 - id: docker_build_release - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }} - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ github.sha }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Install Cosign - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - - - name: Sign Container Image - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${{ steps.docker_build_release.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_release.outputs.digest }} - - - name: Generate SBOM - uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 - with: - artifact-name: sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - output-file: ./sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }} - - - name: Attach SBOM attestation to container image - run: | - cosign attest -r -y --predicate sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${{ 
steps.docker_build_release.outputs.digest }} - cosign attest -r -y --predicate sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_release.outputs.digest }} - - - name: Image Release Digest - shell: bash - run: | - mkdir -p image-digest/ - echo "## ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ github.sha }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - - # Upload artifact digests - - name: Upload artifact digests - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: image-digest ${{ matrix.name }} - path: image-digest - retention-days: 1 - - image-digests: - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push - steps: - - name: Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: image-digest/ - pattern: "*image-digest *" - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat diff --git a/.github/workflows/build-images-releases.yaml b/.github/workflows/build-images-releases.yaml deleted file mode 100644 index 936d92467e9c1..0000000000000 --- a/.github/workflows/build-images-releases.yaml +++ /dev/null 
@@ -1,213 +0,0 @@ -name: Image Release Build - -on: - push: - tags: - - v[0-9]+.[0-9]+.[0-9]+ - - v[0-9]+.[0-9]+.[0-9]+-* - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -jobs: - build-and-push: - timeout-minutes: 45 - name: Build and Push Images - environment: release - runs-on: ubuntu-22.04 - strategy: - matrix: - include: - - name: cilium - dockerfile: ./images/cilium/Dockerfile - - - name: operator - dockerfile: ./images/operator/Dockerfile - - - name: operator-aws - dockerfile: ./images/operator/Dockerfile - - - name: operator-azure - dockerfile: ./images/operator/Dockerfile - - - name: operator-alibabacloud - dockerfile: ./images/operator/Dockerfile - - - name: operator-generic - dockerfile: ./images/operator/Dockerfile - - - name: hubble-relay - dockerfile: ./images/hubble-relay/Dockerfile - - - name: clustermesh-apiserver - dockerfile: ./images/clustermesh-apiserver/Dockerfile - - - name: docker-plugin - dockerfile: ./images/cilium-docker-plugin/Dockerfile - - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Cleanup Disk space in runner - uses: ./.github/actions/disk-cleanup - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - - name: Login to DockerHub - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - if: ${{ env.PUSH_TO_DOCKER_HUB == 'true' }} - with: - username: ${{ secrets.DOCKER_HUB_RELEASE_USERNAME }} - password: ${{ secrets.DOCKER_HUB_RELEASE_PASSWORD }} - - - name: Login to quay.io - uses: 
docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME_RELEASE_USERNAME }} - password: ${{ secrets.QUAY_PASSWORD_RELEASE_PASSWORD }} - - - name: Getting image tag - id: tag - run: | - tag=${GITHUB_REF##*/} - echo tag=$tag >> $GITHUB_OUTPUT - if [ "${{ env.PUSH_TO_DOCKER_HUB }}" == "true" ]; then - echo image_tags=${{ github.repository_owner }}/${{ matrix.name }}:$tag,quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}:$tag >> $GITHUB_OUTPUT - else - echo image_tags=quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}:$tag >> $GITHUB_OUTPUT - fi - - - name: Checkout Source Code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - - name: Release Build ${{ matrix.name }} - uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0 - id: docker_build_release - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64,linux/arm64 - tags: ${{ steps.tag.outputs.image_tags }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Install Cosign - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - - - name: Sign Container Image - run: | - if [ "${{ env.PUSH_TO_DOCKER_HUB }}" == "true" ]; then - cosign sign -y docker.io/${{ github.repository_owner }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }} - fi - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }} - - - name: Generate SBOM - uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 - with: - artifact-name: sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - output-file: ./sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}:${{ 
steps.tag.outputs.tag }} - upload-release-assets: false - - - name: Attach SBOM attestation to container image - run: | - if [ "${{ env.PUSH_TO_DOCKER_HUB }}" == "true" ]; then - cosign attest -r -y --predicate sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson docker.io/${{ github.repository_owner }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }} - fi - cosign attest -r -y --predicate sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json --type spdxjson quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}@${{ steps.docker_build_release.outputs.digest }} - - - name: Image Release Digest - shell: bash - run: | - mkdir -p image-digest/ - job_name=${{ matrix.name }} - job_name_capital=${job_name^^} - job_name_underscored=${job_name_capital//-/_} - echo "${job_name_underscored}_DIGEST := \"${{ steps.docker_build_release.outputs.digest }}\"" > image-digest/makefile-digest.txt - - echo "### ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - if [ "${{ env.PUSH_TO_DOCKERHUB }}" == "true" ]; then - echo "\`docker.io/${{ github.repository_owner }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - fi - echo "\`quay.io/${{ env.QUAY_ORGANIZATION }}/${{ matrix.name }}:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - - # Upload artifact digests - - name: Upload artifact digests - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: image-digest ${{ matrix.name }} - path: image-digest - retention-days: 10 - - image-digests: - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push - steps: - - name: Getting image tag - id: tag - run: | - echo tag=${GITHUB_REF##*/} >> $GITHUB_OUTPUT - - name: 
Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: image-digest/ - pattern: "*image-digest *" - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - echo "## Docker Manifests" > ../image-digest-output.txt - echo "" >> ../image-digest-output.txt - find -type f -regex ".*image-digest .*" -not -name "makefile-digest.txt" | sort | xargs -d '\n' cat >> ../image-digest-output.txt - - - name: Image Makefile Digests - shell: bash - run: | - cd image-digest/ - echo "# File generated by .github/workflows/build-images-releases.yaml; DO NOT EDIT." > ../Makefile.digests - echo "# Copyright "$(date +'%Y')" Authors of Cilium" >> ../Makefile.digests - echo "# SPDX-License-Identifier: Apache-2.0" >> ../Makefile.digests - echo "" >> ../Makefile.digests - find -type f -name "makefile-digest.txt" | sort | xargs -d '\n' awk '{print "export " $0}' >> ../Makefile.digests - - # Upload artifact digests - - name: Upload artifact digests - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: image-digest-output.txt-${{ steps.tag.outputs.tag }} - path: image-digest-output.txt - retention-days: 10 - - # Upload artifact digests - - name: Upload artifact digests - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: Makefile.digests-${{ steps.tag.outputs.tag }} - path: Makefile.digests - retention-days: 10 diff --git a/.github/workflows/call-backport-label-updater.yaml b/.github/workflows/call-backport-label-updater.yaml deleted file mode 100644 index 0120498fc08cd..0000000000000 --- a/.github/workflows/call-backport-label-updater.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- - name: Call Backport Label Updater - on: - pull_request_target: - types: - - closed - branches: - - v[0-9]+.[0-9]+* - - jobs: - call-backport-label-updater: - name: Update backport labels for upstream PR - if: | - github.event.pull_request.merged == true && - contains(github.event.pull_request.body, 'upstream-prs') && - contains(join(github.event.pull_request.labels.*.name, ', '), 'backport/') - uses: cilium/cilium/.github/workflows/update-label-backport-pr.yaml@main - with: - pr-body: ${{ github.event.pull_request.body }} - branch: ${{ github.base_ref }} - secrets: inherit diff --git a/.github/workflows/ci-images-garbage-collect.yaml b/.github/workflows/ci-images-garbage-collect.yaml deleted file mode 100644 index a611703cfd37d..0000000000000 --- a/.github/workflows/ci-images-garbage-collect.yaml +++ /dev/null @@ -1,26 +0,0 @@ -name: Scruffy -on: - workflow_dispatch: - schedule: - # Run the GC every Monday at 9am - - cron: "0 9 * * 1" - -permissions: read-all - -jobs: - scruffy: - if: github.repository_owner == 'cilium' - name: scruffy - runs-on: ubuntu-22.04 - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Garbage Collect Images - uses: docker://quay.io/cilium/scruffy:v0.0.3@sha256:ca997451b739cbf03c204cb2523a671c31c61edc606aa5d20dc3560bc7f25bc7 - with: - entrypoint: scruffy - args: --git-repository=./ --stable-branches=origin/main,origin/v1.12,origin/v1.13,origin/v1.14,origin/v1.15,origin/v1.16 - env: - QUAY_TOKEN: ${{ secrets.SCRUFFY_QUAY_TOKEN }} diff --git a/.github/workflows/close-stale-issues.yaml b/.github/workflows/close-stale-issues.yaml deleted file mode 100644 index ff2d5b7f03a9a..0000000000000 --- a/.github/workflows/close-stale-issues.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -name: Close stale issues - -on: - schedule: - - cron: "30 1 * * *" - -permissions: - issues: write - pull-requests: write - -jobs: - stale: - name: Close Stale Issues - runs-on: ubuntu-latest - steps: - # https://github.com/marketplace/actions/close-stale-issues - - name: Close stale issues - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 - with: - operations-per-run: 1000 - stale-issue-label: stale - exempt-all-issue-assignees: true - exempt-issue-labels: pinned,security,good-first-issue - - days-before-issue-stale: 60 - stale-issue-message: | - This issue has been automatically marked as stale because it has not - had recent activity. It will be closed if no further activity occurs. - days-before-issue-close: 14 - close-issue-message: | - This issue has not seen any activity since it was marked stale. - Closing. - - stale-pr-label: stale - exempt-pr-labels: pinned,security,good-first-issue - - days-before-pr-stale: 30 - stale-pr-message: | - This pull request has been automatically marked as stale because it - has not had recent activity. It will be closed if no further activity - occurs. Thank you for your contributions. - days-before-pr-close: 14 - close-pr-message: | - This pull request has not seen any activity since it was marked stale. - Closing. diff --git a/.github/workflows/conformance-aks.yaml b/.github/workflows/conformance-aks.yaml deleted file mode 100644 index 69a26b3287383..0000000000000 --- a/.github/workflows/conformance-aks.yaml +++ /dev/null 
@@ -1,394 +0,0 @@ -name: Conformance AKS (ci-aks) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/main-**' - # Run every 8 hours - schedule: - - cron: '0 0/8 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - # Required to generate OIDC tokens for `az` authentication - id-token: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cost_reduction: --node-vm-size Standard_B2s --node-osdisk-size 30 - cilium_cli_ci_version: - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - empty: ${{ steps.set-matrix.outputs.empty }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/azure" - destination_directory="/tmp/generated/azure" - mkdir -p "${destination_directory}" - - yq -o=json "${work_dir}/k8s-versions.yaml" | jq . > "${destination_directory}/azure.json" - - - name: Generate Matrix - run: | - cd /tmp/generated/azure - - # Use complete matrix in case of scheduled run - # main -> event_name = schedule - # other stable branches -> PR-number starting with v (e.g. 
v1.14) - if [[ "${{ github.event_name }}" == "schedule" || "${{ inputs.PR-number }}" == v* ]];then - jq '{ "include": [ .include[] | select(.disabled==null) ] }' azure.json > /tmp/matrix.json - else - jq '{ "include": [ .include[] | select(.default) ] }' azure.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - - - name: Login to Azure - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - creds: ${{ secrets.AZURE_PR_SP_CREDS }} - - - name: Filter Matrix - id: set-matrix - run: | - cp /tmp/matrix.json /tmp/result.json - jq -c '.include[]' /tmp/matrix.json | while read i; do - VERSION=$(echo $i | jq -r '.version') - LOCATION=$(echo $i | jq -r '.location') - # Don't use LTS versions for AKS, it requires premium tier - az aks get-versions --location $LOCATION --query "values[?contains(capabilities.supportPlan,'KubernetesOfficial')].version" > /tmp/output - if grep -q -F $VERSION /tmp/output; then - echo "Version $VERSION is valid for location $LOCATION" - else - echo "::notice::Removing version $VERSION as it's not valid for location $LOCATION" - jq 'del(.include[] | select(.version == "'$VERSION'"))' /tmp/result.json > /tmp/result.json.tmp - mv /tmp/result.json.tmp /tmp/result.json - fi - done - echo "Filtered matrix:" - cat /tmp/result.json - echo "matrix=$(jq -c . 
< /tmp/result.json)" >> $GITHUB_OUTPUT - echo "empty=$(jq '(.include | length) == 0' /tmp/result.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - if: ${{ needs.generate-matrix.outputs.empty == 'false' }} - runs-on: ubuntu-latest - timeout-minutes: 90 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Override cluster name - run: | - # Extend default name with matrix index to avoid cluster name conflicts - NAME=${{ env.name }}-${{ matrix.index }} - echo "name=${NAME}" >> "$GITHUB_ENV" - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set cluster.name=${{ env.name }} \ - --helm-set loadBalancer.l7.backend=envoy \ - --helm-set tls.secretsBackend=k8s \ - --helm-set=azure.resourceGroup=${{ env.name }} \ - --helm-set ipam.operator.clusterPoolIPv4PodCIDRList=192.168.0.0/16" # To avoid clashing with the default Service CIDR of AKS (10.0.0.0/16) - 
CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled \ - --hubble=false --collect-sysdump-on-failure --external-target bing.com. --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Login to Azure - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - creds: ${{ secrets.AZURE_PR_SP_CREDS }} - - - name: Create AKS cluster - run: | - # Create group - az group create \ - --name ${{ env.name }} \ - --location ${{ matrix.location }} \ - --tags usage=${{ github.repository_owner }}-${{ github.event.repository.name }} owner=${{ steps.vars.outputs.owner }} - - # Create AKS cluster - az aks create \ - --resource-group ${{ env.name }} \ - --name ${{ env.name }} \ - --location ${{ matrix.location }} \ - --kubernetes-version ${{ matrix.version }} \ - --network-plugin none \ - --node-count 2 \ - ${{ env.cost_reduction }} \ - --generate-ssh-keys - - - name: Get cluster credentials - run: | - az aks get-credentials \ - --resource-group ${{ env.name }} \ - --name ${{ env.name }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-azure-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Enable Relay - run: | - cilium hubble enable - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait --wait-duration=10m - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}) - 1.xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Clean up Cilium - run: | - cilium uninstall --wait - - - name: Create custom IPsec secret - run: | - kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="15 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - - name: Install Cilium with encryption - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} \ - --helm-set encryption.enabled=true \ - --helm-set encryption.type=ipsec - - - name: Enable Relay - run: | - cilium hubble enable - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait --wait-duration=10m - - - name: Run connectivity test with IPSec (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} --force-deploy \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}) - 2.xml" \ - --junit-property github_job_step="Run connectivity test with IPSec (${{ join(matrix.*, ', ') }})" - - - name: Post-test 
information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Clean up AKS - if: ${{ always() }} - run: | - az group delete --name ${{ env.name }} --yes --no-wait - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps-${{ matrix.index }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits-${{ matrix.index }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() && needs.installation-and-connectivity.result != 'skipped' }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: installation-and-connectivity - steps: - - name: Merge Sysdumps - if: ${{ needs.installation-and-connectivity.result == 'failure' }} - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: 
installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result != 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result == 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ github.event_name != 'schedule' && 'success' || 'failure' }} - description: 'Skipped' diff --git a/.github/workflows/conformance-aws-cni.yaml b/.github/workflows/conformance-aws-cni.yaml deleted file mode 100644 index eabe7aa2367e3..0000000000000 --- a/.github/workflows/conformance-aws-cni.yaml +++ /dev/null 
@@ -1,419 +0,0 @@ -name: Conformance AWS-CNI (ci-awscni) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/main-**' - # Run every 8 hours - schedule: - - cron: '30 0/8 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - # To be able to request the JWT from GitHub's OIDC provider - id-token: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cilium_cli_ci_version: - # renovate: datasource=github-releases depName=eksctl-io/eksctl - eksctl_version: v0.190.0 - # renovate: datasource=github-releases depName=kubernetes/kubernetes - kubectl_version: v1.31.1 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - empty: ${{ steps.set-matrix.outputs.empty }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/aws-cni" - destination_directory="/tmp/generated/aws-cni" - mkdir -p "${destination_directory}" - - yq -o=json "${work_dir}/k8s-versions.yaml" | jq . > "${destination_directory}/aws-cni.json" - - - name: Generate Matrix - run: | - cd /tmp/generated/aws-cni - - # Use complete matrix in case of scheduled run - # main -> event_name = schedule - # other stable branches -> PR-number starting with v (e.g. 
v1.14) - if [[ "${{ github.event_name }}" == "schedule" || "${{ inputs.PR-number }}" == v* ]];then - cp aws-cni.json /tmp/matrix.json - else - jq '{ "include": [ .include[] | select(.default) ] }' aws-cni.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - - # We use latest eksctl just to fetch recent supported versions. - # We don't use that eksctl to create cluster. - # Eksctl has hardcoded list of supported versions in the binary. - # This is hack until https://github.com/aws/containers-roadmap/issues/982 is resolved. - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Filter Matrix - id: set-matrix - run: | - cp /tmp/matrix.json /tmp/result.json - jq -c '.include[]' /tmp/matrix.json | while read i; do - VERSION=$(echo $i | jq -r '.version') - eksctl version -o json | jq -r '.EKSServerSupportedVersions[]' > /tmp/output - if grep -q -F $VERSION /tmp/output; then - echo "Version $VERSION is supported" - else - echo "::notice::Removing version $VERSION as it's not supported" - jq 'del(.include[] | select(.version == "'$VERSION'"))' /tmp/result.json > /tmp/result.json.tmp - mv /tmp/result.json.tmp /tmp/result.json - fi - done - echo "Filtered matrix:" - cat /tmp/result.json - echo "matrix=$(jq -c . 
< /tmp/result.json)" >> $GITHUB_OUTPUT - echo "empty=$(jq '(.include | length) == 0' /tmp/result.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - if: ${{ needs.generate-matrix.outputs.empty == 'false' }} - runs-on: ubuntu-latest - timeout-minutes: 45 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - # Set ipam.mode=cluster-pool to overwrite the ipam value set by the - # cilium-cli which is setting it to 'eni' because it auto-detects - # the cluster as being EKS. 
- CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=cluster.name=${{ env.clusterName }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=enableIPv4Masquerade=false \ - --helm-set=cni.chainingMode=aws-cni \ - --helm-set=eni.enabled=false \ - --helm-set=ipam.mode=cluster-pool \ - --helm-set=routingMode=native \ - --helm-set=bandwidthManager.enabled=false \ - --wait=false" - - if [ "${{ matrix.wireguard }}" == "true" ]; then - CILIUM_INSTALL_DEFAULTS+=" --helm-set=encryption.enabled=true \ - --helm-set=encryption.type=wireguard \ - --helm-set=cni.enableRouteMTUForCNIChaining=true" - fi - - # L7 policies are not supported in chaining mode. - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --test-concurrency=3 \ - --hubble=false --collect-sysdump-on-failure --test '!fqdn,!l7' \ - --external-target amazon.com. --external-ip 1.0.0.1 --external-other-ip 1.1.1.1" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Install kubectl - run: | - curl -sLO "https://dl.k8s.io/release/${{ env.kubectl_version }}/bin/linux/amd64/kubectl" - curl -sLO "https://dl.k8s.io/${{ env.kubectl_version }}/bin/linux/amd64/kubectl.sha256" - echo "$(cat kubectl.sha256) kubectl" | sha256sum --check - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - kubectl version --client - - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Set up AWS CLI credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - role-to-assume: ${{ 
secrets.AWS_PR_ASSUME_ROLE }} - aws-region: ${{ matrix.region }} - - - name: Run aws configure - run: | - aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} - aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} - aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} - aws configure set default.region ${{ env.AWS_REGION }} - - - name: Create EKS cluster - uses: ./.github/actions/setup-eks-cluster - with: - cluster_name: ${{ env.clusterName }} - region: ${{ matrix.region }} - owner: "${{ steps.vars.outputs.owner }}" - version: ${{ matrix.version }} - spot: false - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium to be ready - run: | - cilium status --wait --wait-duration=10m - kubectl get pods -n kube-system - - - name: Check that AWS iptables chains have not been removed - run: | - for pod in $(kubectl get po -n kube-system -l app.kubernetes.io/name=cilium-agent -o name); do - echo "Checking ${pod}" - if ! kubectl exec -n kube-system ${pod} -c cilium-agent -- iptables-save | grep --silent ':AWS'; then - echo "Expected AWS iptables chains are not present" - exit 1 - fi - done - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - echo "=== Retrieve cluster state ===" - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps-${{ matrix.version }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: 
actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits-${{ matrix.version }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() && needs.installation-and-connectivity.result != 'skipped' }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: installation-and-connectivity - steps: - - name: Merge Sysdumps - if: ${{ needs.installation-and-connectivity.result == 'failure' }} - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result != 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result == 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ github.event_name != 'schedule' && 'success' || 'failure' }} - description: 'Skipped' - - - cleanup: - name: Cleanup EKS Clusters - if: ${{ always() && needs.generate-matrix.outputs.empty == 'false' }} - 
continue-on-error: true - needs: [generate-matrix, installation-and-connectivity] - runs-on: ubuntu-latest - timeout-minutes: 45 - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Set up AWS CLI credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - role-to-assume: ${{ secrets.AWS_PR_ASSUME_ROLE }} - aws-region: ${{ matrix.region }} - - - name: Clean up EKS - run: | - eksctl delete cluster --name ${{ env.clusterName }} --region ${{ matrix.region }} diff --git a/.github/workflows/conformance-clustermesh.yaml b/.github/workflows/conformance-clustermesh.yaml deleted file mode 100644 index 4508e0af9c48c..0000000000000 --- a/.github/workflows/conformance-clustermesh.yaml +++ /dev/null 
@@ -1,667 +0,0 @@ -name: Conformance Cluster Mesh (ci-clustermesh) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - main - - ft/main/** - - 'renovate/main-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - clusterName1: cluster1-${{ github.run_id }} - clusterName2: cluster2-${{ github.run_id }} - ciliumClusterName1: c1 - ciliumClusterName2: cluster2-with-long-name-01234567 - contextName1: kind-cluster1-${{ github.run_id }} - contextName2: kind-cluster2-${{ github.run_id }} - - # renovate: datasource=github-releases depName=cert-manager/cert-manager - CERT_MANAGER_VERSION: v1.15.3 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - wait-for-images: - name: Wait for images - runs-on: ubuntu-latest - timeout-minutes: 30 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - name: Wait for images - uses: ./.github/actions/wait-for-images - with: - SHA: ${{ inputs.SHA }} - images: cilium-ci operator-generic-ci hubble-relay-ci clustermesh-apiserver-ci cilium-cli-ci - - installation-and-connectivity: - needs: [wait-for-images] - name: Installation and Connectivity Test - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - timeout-minutes: 60 - env: - job_name: "Installation and Connectivity Test" - - strategy: - fail-fast: false - matrix: - include: - - name: '1' - tunnel: 'disabled' - ipFamily: 'ipv4' - encryption: 'disabled' - 
kube-proxy: 'iptables' - mode: 'kvstoremesh' - tls-auto-method: helm - cm-auth-mode-1: 'legacy' - cm-auth-mode-2: 'legacy' - maxConnectedClusters: '255' - ciliumEndpointSlice: 'enabled' - - - name: '2' - tunnel: 'disabled' - ipFamily: 'dual' - encryption: 'wireguard' - kube-proxy: 'none' - mode: 'clustermesh' - tls-auto-method: cronJob - cm-auth-mode-1: 'migration' - cm-auth-mode-2: 'migration' - maxConnectedClusters: '511' - ciliumEndpointSlice: 'disabled' - - # IPsec encryption cannot be used with BPF NodePort. - - name: '3' - tunnel: 'disabled' - ipFamily: 'dual' - encryption: 'ipsec' - kube-proxy: 'iptables' - mode: 'kvstoremesh' - tls-auto-method: certmanager - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - ciliumEndpointSlice: 'disabled' - - # IPsec encryption is currently not supported in case of ipv6-only clusters (#23553) - # Wireguard encryption is currently affected by a bug in case of ipv6-only clusters (#23917) - - name: '4' - tunnel: 'disabled' - ipFamily: 'ipv6' - encryption: 'disabled' - kube-proxy: 'none' - mode: 'clustermesh' - tls-auto-method: certmanager - cm-auth-mode-1: 'legacy' - cm-auth-mode-2: 'migration' - maxConnectedClusters: '255' - ciliumEndpointSlice: 'disabled' - - # IPsec encryption cannot be used with BPF NodePort. 
- - name: '5' - tunnel: 'disabled' - ipFamily: 'dual' - encryption: 'ipsec' - kube-proxy: 'iptables' - mode: 'external' - tls-auto-method: helm - maxConnectedClusters: '255' - ciliumEndpointSlice: 'disabled' - - - name: '6' - tunnel: 'vxlan' - ipFamily: 'ipv4' - encryption: 'disabled' - kube-proxy: 'none' - mode: 'clustermesh' - tls-auto-method: helm - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - ciliumEndpointSlice: 'enabled' - - - name: '7' - tunnel: 'geneve' - ipFamily: 'dual' - encryption: 'wireguard' - kube-proxy: 'iptables' - mode: 'kvstoremesh' - tls-auto-method: cronJob - cm-auth-mode-1: 'migration' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '511' - ciliumEndpointSlice: 'disabled' - - # IPsec encryption cannot be used with BPF NodePort. - - name: '8' - tunnel: 'vxlan' - ipFamily: 'dual' - encryption: 'ipsec' - kube-proxy: 'iptables' - mode: 'clustermesh' - tls-auto-method: certmanager - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - ciliumEndpointSlice: 'disabled' - - # Tunneling is currently not supported in case of ipv6-only clusters (#17240) - # - name: '9' - # tunnel: 'vxlan' - # ipFamily: 'ipv6' - # encryption: 'disabled' - # kube-proxy: 'none' - # mode: 'kvstoremesh' - # tls-auto-method: certmanager - # cm-auth-mode-1: 'cluster' - # cm-auth-mode-2: 'cluster' - - - name: '10' - tunnel: 'vxlan' - ipFamily: 'dual' - encryption: 'wireguard' - kube-proxy: 'iptables' - mode: 'external' - tls-auto-method: helm - maxConnectedClusters: '511' - ciliumEndpointSlice: 'disabled' - - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment 
Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables for GHA environment - id: vars - run: | - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=kubeProxyReplacement=${{ matrix.kube-proxy == 'none' }} \ - --helm-set=bpf.masquerade=${{ matrix.kube-proxy == 'none' }} \ - --helm-set=hubble.enabled=true \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=hubble.tls.auto.method=${{ matrix.tls-auto-method }} \ - --helm-set=hubble.tls.auto.certManagerIssuerRef.group=cert-manager.io \ - --helm-set=hubble.tls.auto.certManagerIssuerRef.kind=Issuer \ - --helm-set=hubble.tls.auto.certManagerIssuerRef.name=cilium \ - --helm-set=clustermesh.useAPIServer=${{ matrix.mode != 'external' }} \ - --helm-set=clustermesh.apiserver.kvstoremesh.enabled=${{ matrix.mode == 'kvstoremesh' }} \ - --helm-set=clustermesh.maxConnectedClusters=${{ matrix.maxConnectedClusters }} \ - --helm-set=clustermesh.enableEndpointSliceSynchronization=true \ - --helm-set=clustermesh.apiserver.tls.auto.method=${{ matrix.tls-auto-method }} \ - --helm-set=clustermesh.apiserver.tls.auto.certManagerIssuerRef.group=cert-manager.io \ - --helm-set=clustermesh.apiserver.tls.auto.certManagerIssuerRef.kind=Issuer \ - --helm-set=clustermesh.apiserver.tls.auto.certManagerIssuerRef.name=cilium \ - --helm-set=ciliumEndpointSlice.enabled=${{ matrix.ciliumEndpointSlice == 'enabled'}} \ - " - - CILIUM_INSTALL_TUNNEL="--helm-set=tunnelProtocol=${{ matrix.tunnel }}" - if [ "${{ matrix.tunnel }}" == "disabled" ]; then - CILIUM_INSTALL_TUNNEL="--helm-set-string=routingMode=native \ - --helm-set=autoDirectNodeRoutes=true \ - --helm-set=ipv4NativeRoutingCIDR=10.240.0.0/12 \ - --helm-set=ipv6NativeRoutingCIDR=fd00:10:240::/44" - fi - - case "${{ matrix.ipFamily }}" 
in - ipv4) - CILIUM_INSTALL_IPFAMILY="--helm-set=ipv4.enabled=true --helm-set=ipv6.enabled=false" - KIND_POD_CIDR_1="10.242.0.0/16" - KIND_SVC_CIDR_1="10.243.0.0/16" - KIND_POD_CIDR_2="10.244.0.0/16" - KIND_SVC_CIDR_2="10.245.0.0/16" - ;; - ipv6) - CILIUM_INSTALL_IPFAMILY="--helm-set=ipv4.enabled=false --helm-set=ipv6.enabled=true" - KIND_POD_CIDR_1="fd00:10:242::/48" - KIND_SVC_CIDR_1="fd00:10:243::/112" - KIND_POD_CIDR_2="fd00:10:244::/48" - KIND_SVC_CIDR_2="fd00:10:245::/112" - ;; - dual) - CILIUM_INSTALL_IPFAMILY="--helm-set=ipv4.enabled=true --helm-set=ipv6.enabled=true" - KIND_POD_CIDR_1="10.242.0.0/16,fd00:10:242::/48" - KIND_SVC_CIDR_1="10.243.0.0/16,fd00:10:243::/112" - KIND_POD_CIDR_2="10.244.0.0/16,fd00:10:244::/48" - KIND_SVC_CIDR_2="10.245.0.0/16,fd00:10:245::/112" - ;; - *) - echo "Unknown IP family '${{ matrix.ipFamily }}'" && false - ;; - esac - - CILIUM_INSTALL_ENCRYPTION="" - if [ "${{ matrix.encryption }}" != "disabled" ]; then - CILIUM_INSTALL_ENCRYPTION="--helm-set=encryption.enabled=true \ - --helm-set=encryption.type=${{ matrix.encryption }}" - fi - - CILIUM_INSTALL_INGRESS="" - if [ "${{ matrix.kube-proxy }}" == "none" ]; then - CILIUM_INSTALL_INGRESS="--helm-set=ingressController.enabled=true" - # Once https://github.com/cilium/cilium/issues/31653 is fixed, we can remove tunnel check - # Use the legacy host routing in case of tunnel disabled - if [ "${{ matrix.tunnel }}" == "disabled" ]; then - CILIUM_INSTALL_INGRESS+=" --helm-set=bpf.hostLegacyRouting=true" - fi - fi - - CONNECTIVITY_TEST_DEFAULTS="--hubble=false \ - --flow-validation=disabled \ - --test-concurrency=5 \ - --multi-cluster=${{ env.contextName2 }} \ - --external-target=google.com. \ - --include-unsafe-tests \ - --collect-sysdump-on-failure" - - # Skip external traffic (e.g. 
1.1.1.1 and www.google.com) tests as IPv6 is not supported - # in GitHub runners: https://github.com/actions/runner-images/issues/668 - if [[ "${{ matrix.ipFamily }}" == "ipv6" ]]; then - CONNECTIVITY_TEST_DEFAULTS="$CONNECTIVITY_TEST_DEFAULTS \ - --test='!/pod-to-world' \ - --test='!/pod-to-cidr'" - fi - - echo cilium_install_defaults="${CILIUM_INSTALL_DEFAULTS} ${CILIUM_INSTALL_TUNNEL} \ - ${CILIUM_INSTALL_IPFAMILY} ${CILIUM_INSTALL_ENCRYPTION} ${CILIUM_INSTALL_INGRESS}" >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - echo kind_pod_cidr_1=${KIND_POD_CIDR_1} >> $GITHUB_OUTPUT - echo kind_svc_cidr_1=${KIND_SVC_CIDR_1} >> $GITHUB_OUTPUT - echo kind_pod_cidr_2=${KIND_POD_CIDR_2} >> $GITHUB_OUTPUT - echo kind_svc_cidr_2=${KIND_SVC_CIDR_2} >> $GITHUB_OUTPUT - - - name: Generate Kind configuration files - run: | - PODCIDR=${{ steps.vars.outputs.kind_pod_cidr_1 }} \ - SVCCIDR=${{ steps.vars.outputs.kind_svc_cidr_1 }} \ - IPFAMILY=${{ matrix.ipFamily }} \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster1.yaml - - PODCIDR=${{ steps.vars.outputs.kind_pod_cidr_2 }} \ - SVCCIDR=${{ steps.vars.outputs.kind_svc_cidr_2 }} \ - IPFAMILY=${{ matrix.ipFamily }} \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster2.yaml - - - name: Create Kind cluster 1 - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - cluster_name: ${{ env.clusterName1 }} - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ./.github/kind-config-cluster1.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Create Kind cluster 2 - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - 
with: - cluster_name: ${{ env.clusterName2 }} - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ./.github/kind-config-cluster2.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - - name: Label one of the nodes as external to the cluster - run: | - kubectl --context ${{ env.contextName1 }} label node \ - ${{ env.clusterName1 }}-worker2 cilium.io/no-schedule=true - - # Make sure that coredns uses IPv4-only upstream DNS servers also in case of clusters - # with IP family dual, since IPv6 ones are not reachable and cause spurious failures. - # Additionally, this is also required to workaround - # https://github.com/cilium/cilium/issues/23283#issuecomment-1597282247. 
- - name: Configure the coredns nameservers - run: | - COREDNS_PATCH=" - spec: - template: - spec: - dnsPolicy: None - dnsConfig: - nameservers: - - 8.8.4.4 - - 8.8.8.8 - " - - kubectl --context ${{ env.contextName1 }} -n kube-system get configmap coredns -o yaml | \ - sed '/loadbalance/a \ log' | kubectl --context ${{ env.contextName1 }} replace -f - - kubectl --context ${{ env.contextName2 }} -n kube-system get configmap coredns -o yaml | \ - sed '/loadbalance/a \ log' | kubectl --context ${{ env.contextName2 }} replace -f - - - kubectl --context ${{ env.contextName1 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH" - kubectl --context ${{ env.contextName2 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH" - - - name: Start kvstore clusters - id: kvstore - if: matrix.mode == 'external' - uses: ./.github/actions/kvstore - with: - clusters: 2 - - - name: Create the secret containing the kvstore credentials - if: matrix.mode == 'external' - run: | - kubectl --context ${{ env.contextName1 }} create -n kube-system -f ${{ steps.kvstore.outputs.cilium_etcd_secrets_path }} - kubectl --context ${{ env.contextName2 }} create -n kube-system -f ${{ steps.kvstore.outputs.cilium_etcd_secrets_path }} - - - name: Install cert-manager CRDs and create Cilium's issuer - if: matrix.tls-auto-method == 'certmanager' - run: | - # Generate the Cilium CA key and certificate - openssl genrsa 4096 > cilium-ca-key.pem - openssl req -new -x509 -nodes -days 1 -key cilium-ca-key.pem -out cilium-ca-crt.pem -subj "/CN=Cilium CA/" - - cat << EOF > issuer.yaml - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: cilium - namespace: kube-system - spec: - ca: - secretName: cilium-root-ca - EOF - - for ctx in ${{ env.contextName1 }} ${{ env.contextName2 }}; do - # Install the cert-manager CRDs - CRD_URL="https://github.com/cert-manager/cert-manager/releases/download/${{ env.CERT_MANAGER_VERSION }}/cert-manager.crds.yaml" - kubectl --context $ctx apply 
-f $CRD_URL - - # Create the Cilium CA secret - kubectl --context $ctx create -n kube-system secret tls cilium-root-ca \ - --key=cilium-ca-key.pem --cert=cilium-ca-crt.pem - - # Create the cert-manager issuer - kubectl --context $ctx apply -f issuer.yaml - done - - - name: Set clustermesh connection parameters - if: matrix.mode == 'external' - id: clustermesh-vars - run: | - echo "cilium_install_clustermesh= \ - --set=clustermesh.config.enabled=true \ - --set clustermesh.config.clusters[0].name=${{ env.ciliumClusterName1 }} \ - --set clustermesh.config.clusters[1].name=${{ env.ciliumClusterName2 }} \ - ${{ steps.kvstore.outputs.cilium_install_clustermesh }} \ - " >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Create the IPSec secret in both clusters - if: matrix.encryption == 'ipsec' - run: | - SECRET="3 rfc4106(gcm(aes)) $(openssl rand -hex 20) 128" - kubectl --context ${{ env.contextName1 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - kubectl --context ${{ env.contextName2 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - - - name: Install Cilium in cluster1 - id: install-cilium-cluster1 - env: - KVSTORE_ID: 1 - run: | - # Explicitly configure the NodePort to make sure that it is different in - # each cluster, to workaround #24692 - cilium --context ${{ env.contextName1 }} install \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - --helm-set cluster.name=${{ env.ciliumClusterName1 }} \ - --helm-set cluster.id=1 \ - --helm-set clustermesh.apiserver.service.nodePort=32379 \ - --helm-set 
clustermesh.apiserver.tls.authMode=${{ matrix.cm-auth-mode-1 }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_clustermesh }} \ - --nodes-without-cilium - - - name: Copy the Cilium CA secret to cluster2, as they must match - if: matrix.tls-auto-method != 'certmanager' - run: | - kubectl --context ${{ env.contextName1 }} get secret -n kube-system cilium-ca -o yaml | - kubectl --context ${{ env.contextName2 }} create -f - - - - name: Install Cilium in cluster2 - env: - KVSTORE_ID: 2 - run: | - # Explicitly configure the NodePort to make sure that it is different in - # each cluster, to workaround #24692 - cilium --context ${{ env.contextName2 }} install \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - --helm-set cluster.name=${{ env.ciliumClusterName2 }} \ - --helm-set cluster.id=${{ matrix.maxConnectedClusters }} \ - --helm-set clustermesh.apiserver.service.nodePort=32380 \ - --helm-set clustermesh.apiserver.tls.authMode=${{ matrix.cm-auth-mode-2 }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_clustermesh }} - - - name: Install cert-manager - if: matrix.tls-auto-method == 'certmanager' - run: | - helm repo add jetstack https://charts.jetstack.io - for ctx in ${{ env.contextName1 }} ${{ env.contextName2 }}; do - helm --kube-context $ctx install \ - cert-manager jetstack/cert-manager \ - --namespace cert-manager \ - --create-namespace \ - --version ${{ env.CERT_MANAGER_VERSION }} - done - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait - cilium --context ${{ env.contextName2 }} clustermesh status --wait - - - name: Connect clusters - if: matrix.mode != 'external' - run: | - cilium --context ${{ env.contextName1 }} clustermesh connect 
--destination-context ${{ env.contextName2 }} - - - name: Wait for cluster mesh status to be ready - if: matrix.mode != 'external' - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait - cilium --context ${{ env.contextName2 }} clustermesh status --wait - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium-cluster1.outcome != 'skipped' }} - run: | - cilium --context ${{ env.contextName1 }} status - cilium --context ${{ env.contextName1 }} clustermesh status - cilium --context ${{ env.contextName2 }} status - cilium --context ${{ env.contextName2 }} clustermesh status - - kubectl config use-context ${{ env.contextName1 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context1-final-${{ join(matrix.*, '-') }} - - kubectl config use-context ${{ env.contextName2 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context2-final-${{ join(matrix.*, '-') }} - - kubectl --context ${{ env.contextName1 }} logs -n kube-system -l k8s-app=kube-dns --prefix --timestamps --tail=-1 - kubectl --context ${{ env.contextName2 }} logs -n kube-system -l k8s-app=kube-dns --prefix --timestamps --tail=-1 - - if [ "${{ matrix.mode }}" == "external" ]; then - for i in {1..2}; do - echo - echo "# Retrieving logs from kvstore$i docker container" - docker logs kvstore$i - done - fi - shell: bash {0} # 
Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps-${{ matrix.name }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits-${{ matrix.name }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: installation-and-connectivity - steps: - - name: Merge Sysdumps - if: ${{ needs.installation-and-connectivity.result == 'failure' }} - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} diff --git a/.github/workflows/conformance-delegated-ipam.yaml b/.github/workflows/conformance-delegated-ipam.yaml deleted file mode 100644 index 63963a41c6fe2..0000000000000 --- a/.github/workflows/conformance-delegated-ipam.yaml +++ /dev/null 
@@ -1,342 +0,0 @@ -name: Conformance Delegated IPAM (ci-delegated-ipam) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - main - - ft/main/** - - 'renovate/main-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - timeout: 5m - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - delegated-ipam-conformance-test: - name: Install and Connectivity Test - runs-on: ubuntu-latest - timeout-minutes: 120 - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - CONTEXT_REF="${{ inputs.context-ref }}" - OWNER="${{ inputs.PR-number }}" - else - CONTEXT_REF="${{ github.sha }}" - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo context-ref=${CONTEXT_REF} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - 
- # Cilium configured with delegated IPAM mode. - # * Set cni.customConf=true since conflist is configured using host mount into kind nodes. - # * Delegated IPAM requires direct routing mode. - # * Delegated IPAM is incompatible with all options that require cilium-agent to assign itself an IP address, - # so set local-router-ipv4 and endpointHealthChecking.enabled=false. - # * Use BPF masquerade with ipMasqAgent.enabled=true because iptables masquerade (enable-ipv4-masquerade=true) - # matches on source IP in the node pod CIDR, which isn't available to Cilium in delegated IPAM mode. - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=ipam.mode=delegated-plugin \ - --helm-set=cni.customConf=true \ - --helm-set=routingMode=native \ - --helm-set=ipv4NativeRoutingCIDR=10.244.0.0/16 \ - --helm-set=endpointRoutes.enabled=true \ - --helm-set=endpointHealthChecking.enabled=false \ - --helm-set=extraArgs[0]="--local-router-ipv4=169.254.23.0" \ - --helm-set=enableIPv4Masquerade=true \ - --helm-set=bpf.masquerade=true \ - --helm-set=ipMasqAgent.enabled=true \ - --helm-set=nodePort.enabled=true" - - CONNECTIVITY_TEST_DEFAULTS="--test-concurrency=5 \ - --flow-validation=disabled --hubble=false --collect-sysdump-on-failure \ - --external-target bing.com. 
--external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - - - name: Generate conflist for each node - run: | - createConflist() { - file=$1 - subnet=$2 - - cat < $file - { - "cniVersion": "0.3.1", - "name": "cilium", - "plugins": [ - { - "type": "cilium-cni", - "enable-debug": true, - "log-file": "/var/log/cilium-cni.log", - "ipam": { - "type": "host-local", - "ranges": [ - [{"subnet": "$subnet"}] - ] - } - } - ] - } - EOF - } - - createConflist "kind-control-plane-delegated-ipam.conflist" 10.244.1.0/24 - createConflist "kind-worker-delegated-ipam.conflist" 10.244.2.0/24 - createConflist "kind-worker2-delegated-ipam.conflist" 10.244.3.0/24 - - - name: Generate kind config - run: | - cat < kind-config-delegated-ipam.yaml - kind: Cluster - apiVersion: kind.x-k8s.io/v1alpha4 - nodes: - - role: control-plane - # Disable kube-controller-manager allocate-node-cidrs to avoid mismatch between - # the node podCIDR assigned by KCM and the CIDR configured for the host-local IPAM plugin. - kubeadmConfigPatches: - - | - apiVersion: kubeadm.k8s.io/v1beta3 - kind: ClusterConfiguration - controllerManager: - extraArgs: - allocate-node-cidrs: "false" - extraMounts: - - hostPath: kind-control-plane-delegated-ipam.conflist - containerPath: /etc/cni/net.d/05-cilium.conflist - - - role: worker - extraMounts: - - hostPath: kind-worker-delegated-ipam.conflist - containerPath: /etc/cni/net.d/05-cilium.conflist - - - role: worker - extraMounts: - - hostPath: kind-worker2-delegated-ipam.conflist - containerPath: /etc/cni/net.d/05-cilium.conflist - - networking: - disableDefaultCNI: true - podSubnet: "10.244.0.0/16" - serviceSubnet: "10.245.0.0/16" - EOF - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - cluster_name: "kind" - config: kind-config-delegated-ipam.yaml # created by earlier step - wait: 0 - - - name: Install Cilium CLI - uses: cilium/cilium-cli@62bd4511031211b50a4623870955a5ad27b43e3b # v0.16.16 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Wait for nodes to become ready - run: | - kubectl wait --for=condition=Ready nodes --all --timeout=300s - kubectl get nodes -oyaml - - # Delegated IPAM requires direct routing, and we can't use autoDirectNodeRoutes or BGP because - # Cilium isn't aware of the pod CIDR for each node. - # So use `ip route add` to ensure pod traffic is routed to the correct node. 
- - name: Configure routes - run: | - addPodCIDRRouteToNode() { - cidr=$1 - node=$2 - nodeIP=$(kubectl get node $node -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}') - echo "adding route from $cidr via $nodeIP" - sudo ip route add $cidr via $nodeIP - } - - echo "Current routes:" - ip route - - echo "Configuring routes from podCIDR to node:" - addPodCIDRRouteToNode 10.244.1.0/24 kind-control-plane - addPodCIDRRouteToNode 10.244.2.0/24 kind-worker - addPodCIDRRouteToNode 10.244.3.0/24 kind-worker2 - - echo "Updated routes:" - ip route - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods -owide - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Cilium connectivity test - run: | - cilium connectivity test - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdump-out.zip - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: 
delegated-ipam-conformance-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.delegated-ipam-conformance-test.result }} diff --git a/.github/workflows/conformance-eks.yaml b/.github/workflows/conformance-eks.yaml deleted file mode 100644 index 0f1513302db8a..0000000000000 --- a/.github/workflows/conformance-eks.yaml +++ /dev/null 
@@ -1,472 +0,0 @@ -name: Conformance EKS (ci-eks) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/main-**' - # Run every 8 hours - schedule: - - cron: '0 1/8 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - # To be able to request the JWT from GitHub's OIDC provider - id-token: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cilium_cli_ci_version: - # renovate: datasource=github-releases depName=eksctl-io/eksctl - eksctl_version: v0.190.0 - # renovate: datasource=github-releases depName=kubernetes/kubernetes - kubectl_version: v1.31.1 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - empty: ${{ steps.set-matrix.outputs.empty }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/eks" - destination_directory="/tmp/generated/eks" - mkdir -p "${destination_directory}" - - yq -o=json "${work_dir}/k8s-versions.yaml" | jq . > "${destination_directory}/eks.json" - - - name: Generate Matrix - run: | - cd /tmp/generated/eks - - # Use complete matrix in case of scheduled run - # main -> event_name = schedule - # other stable branches -> PR-number starting with v (e.g. 
v1.14) - if [[ "${{ github.event_name }}" == "schedule" || "${{ inputs.PR-number }}" == v* ]];then - cp eks.json /tmp/matrix.json - else - jq '{ "include": [ .include[] | select(.default) ] }' eks.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - - # We use latest eksctl just to fetch recent supported versions. - # We don't use that eksctl to create cluster. - # Eksctl has hardcoded list of supported versions in the binary. - # This is hack until https://github.com/aws/containers-roadmap/issues/982 is resolved. - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Filter Matrix - id: set-matrix - run: | - cp /tmp/matrix.json /tmp/result.json - jq -c '.include[]' /tmp/matrix.json | while read i; do - VERSION=$(echo $i | jq -r '.version') - eksctl version -o json | jq -r '.EKSServerSupportedVersions[]' > /tmp/output - if grep -q -F $VERSION /tmp/output; then - echo "Version $VERSION is supported" - else - echo "::notice::Removing version $VERSION as it's not supported" - jq 'del(.include[] | select(.version == "'$VERSION'"))' /tmp/result.json > /tmp/result.json.tmp - mv /tmp/result.json.tmp /tmp/result.json - fi - done - echo "Filtered matrix:" - cat /tmp/result.json - echo "matrix=$(jq -c . 
< /tmp/result.json)" >> $GITHUB_OUTPUT - echo "empty=$(jq '(.include | length) == 0' /tmp/result.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - if: ${{ needs.generate-matrix.outputs.empty == 'false' }} - runs-on: ubuntu-latest - timeout-minutes: 90 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Cleanup Disk space in runner - uses: ./.github/actions/disk-cleanup - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=cluster.name=${{ env.clusterName }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set loadBalancer.l7.backend=envoy \ - --helm-set tls.secretsBackend=k8s \ - --helm-set=bpf.monitorAggregation=none \ - --wait=false" - if [[ "${{ matrix.ipsec }}" == "true" ]]; then - CILIUM_INSTALL_DEFAULTS+=" --helm-set encryption.enabled=true --helm-set encryption.type=ipsec" - fi - if [[ "${{ matrix.kpr }}" == "true" ]]; then - CILIUM_INSTALL_DEFAULTS+=" --helm-set 
kubeProxyReplacement=true" - fi - - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --test-concurrency=3 \ - --collect-sysdump-on-failure --external-target amazon.com." - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Install kubectl - run: | - curl -sLO "https://dl.k8s.io/release/${{ env.kubectl_version }}/bin/linux/amd64/kubectl" - curl -sLO "https://dl.k8s.io/${{ env.kubectl_version }}/bin/linux/amd64/kubectl.sha256" - echo "$(cat kubectl.sha256) kubectl" | sha256sum --check - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - kubectl version --client - - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Set up AWS CLI credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - role-to-assume: ${{ secrets.AWS_PR_ASSUME_ROLE }} - aws-region: ${{ matrix.region }} - - - name: Run aws configure - run: | - aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} - aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} - aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} - aws configure set default.region ${{ env.AWS_REGION }} - - - name: Create EKS cluster - uses: ./.github/actions/setup-eks-cluster - with: - cluster_name: ${{ env.clusterName }} - region: ${{ matrix.region }} - owner: "${{ steps.vars.outputs.owner }}" - version: ${{ matrix.version }} - spot: false - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: 
${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - - name: Create IPsec key - if: ${{ matrix.ipsec == true }} - shell: bash - run: | - KEYID=15 - kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${KEYID} rfc4106(gcm(aes)) $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64) 128" - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-aws-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Make sure images available from cluster - run: | - kubectl create -f - < "${destination_directory}/gke.json" - - - name: Generate Matrix - run: | - cd /tmp/generated/gke - - # Use complete matrix in case of scheduled run - # main -> event_name = schedule - # other stable branches -> PR-number starting with v (e.g. 
v1.14)
- if [[ "${{ github.event_name }}" == "schedule" || "${{ inputs.PR-number }}" == v* ]];then
- jq '{ "include": [ .k8s[] ] }' gke.json > /tmp/matrix.json
- else
- jq '{ "include": [ .k8s[] | select(.default) ] }' gke.json > /tmp/matrix.json
- fi
-
- echo "Generated matrix:"
- cat /tmp/matrix.json
-
- - name: Set up gcloud credentials
- id: 'auth'
- uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
- with:
- workload_identity_provider: ${{ secrets.GCP_PR_WORKLOAD_IDENTITY_PROVIDER }}
- service_account: ${{ secrets.GCP_PR_SA }}
- create_credentials_file: true
- export_environment_variables: true
-
- - name: Set up gcloud CLI
- uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
- with:
- project_id: ${{ secrets.GCP_PROJECT_ID }}
- version: ${{ env.gcloud_version }}
-
- - name: Filter Matrix
- id: set-matrix
- run: |
- cp /tmp/matrix.json /tmp/result.json
- jq -c '.include[]' /tmp/matrix.json | while read i; do
- VERSION=$(echo $i | jq -r '.version')
- ZONE=$(echo $i | jq -r '.zone')
- gcloud --quiet container get-server-config \
- --flatten="channels" \
- --format="yaml(channels.validVersions)" --zone $ZONE > /tmp/output
- if grep -q -F $VERSION /tmp/output; then
- echo "Version $VERSION is valid for zone $ZONE"
- else
- echo "::notice::Removing version $VERSION as it's not valid for zone $ZONE"
- jq 'del(.include[] | select(.version == "'$VERSION'"))' /tmp/result.json > /tmp/result.json.tmp
- mv /tmp/result.json.tmp /tmp/result.json
- fi
- done
- echo "Filtered matrix:"
- cat /tmp/result.json
-
- echo "matrix=$(jq -c . < /tmp/result.json)" >> $GITHUB_OUTPUT
- echo "empty=$(jq '(.include | length) == 0' /tmp/result.json)" >> $GITHUB_OUTPUT
-
- installation-and-connectivity:
- name: Installation and Connectivity Test
- needs: generate-matrix
- if: ${{ needs.generate-matrix.outputs.empty == 'false' }}
- runs-on: ubuntu-latest
- timeout-minutes: 45
- env:
- job_name: "Installation and Connectivity Test"
- strategy:
- fail-fast: false
- matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}}
-
- steps:
- - name: Collect Workflow Telemetry
- uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0
- with:
- comment_on_pr: false
-
- - name: Checkout context ref (trusted)
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ inputs.context-ref || github.sha }}
- persist-credentials: false
-
- - name: Cleanup Disk space in runner
- uses: ./.github/actions/disk-cleanup
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Get Cilium's default values
- id: default_vars
- uses: ./.github/actions/helm-default
- with:
- image-tag: ${{ inputs.SHA }}
- chart-dir: ./untrusted/install/kubernetes/cilium
-
- - name: Set up job variables
- id: vars
- run: |
- if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
- OWNER="${{ inputs.PR-number }}"
- else
- OWNER="${{ github.ref_name }}"
- OWNER="${OWNER//[.\/]/-}"
- fi
-
- CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
- --helm-set cluster.name=${{ env.clusterName }} \
- --helm-set cluster.id=1 \
- --datapath-mode=tunnel \
- --helm-set kubeProxyReplacement=true"
- CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \
- --external-target google.com. --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8"
- # Explicitly specify LoadBalancer service type since the default type is NodePort in Helm mode.
- # Ref: https://github.com/cilium/cilium-cli/pull/1527#discussion_r1177244379
- #
- # In Helm mode, externalWorkloads.enabled is set to false by default. You need to pass
- # --enable-external-workloads flag to enable it.
- # Ref: https://github.com/cilium/cilium/pull/25259
- CLUSTERMESH_ENABLE_DEFAULTS="--service-type LoadBalancer --enable-external-workloads"
- echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT
- echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT
- echo clustermesh_enable_defaults=${CLUSTERMESH_ENABLE_DEFAULTS} >> $GITHUB_OUTPUT
- echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
- echo owner=${OWNER} >> $GITHUB_OUTPUT
-
- - name: Set up gcloud credentials
- id: 'auth'
- uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
- with:
- workload_identity_provider: ${{ secrets.GCP_PR_WORKLOAD_IDENTITY_PROVIDER }}
- service_account: ${{ secrets.GCP_PR_SA }}
- create_credentials_file: true
- export_environment_variables: true
-
- - name: Set up gcloud CLI
- uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
- with:
- project_id: ${{ secrets.GCP_PROJECT_ID }}
- version: ${{ env.gcloud_version }}
-
- - name: Install gke-gcloud-auth-plugin
- run: |
- gcloud components install gke-gcloud-auth-plugin
-
- - name: Display gcloud CLI info
- run: |
- gcloud info
-
- - name: Create GCP VM
- uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
- with:
- retry_on: error
- timeout_minutes: 1
- max_attempts: 10
- command: |
- gcloud compute instances create ${{ env.vmName }}-${{ matrix.vmIndex }} \
- --labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name }},owner=${{ steps.vars.outputs.owner }}" \
- --zone ${{ matrix.zone }} \
- --machine-type e2-custom-2-4096 \
- --boot-disk-type pd-standard \
- --boot-disk-size 10GB \
- --image-project ubuntu-os-cloud \
- --image-family ubuntu-2004-lts \
- --metadata hostname=${{ env.vmName }}-${{ matrix.vmIndex }} \
- --metadata-from-file startup-script=${{ env.vmStartupScript}}
-
- - name: Create GKE cluster
- run: |
- gcloud container clusters create ${{ env.clusterName }} \
- --labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name }},owner=${{ steps.vars.outputs.owner }}" \
- --zone ${{ matrix.zone }} \
- --cluster-version ${{ matrix.version }} \
- --enable-ip-alias \
- --node-taints node.cilium.io/agent-not-ready=true:NoExecute \
- --cluster-ipv4-cidr="/21" \
- --services-ipv4-cidr="/24" \
- --image-type COS_CONTAINERD \
- --num-nodes 2 \
- --machine-type e2-custom-2-4096 \
- --disk-type pd-standard \
- --disk-size 20GB
-
- - name: Get cluster credentials
- run: |
- gcloud container clusters get-credentials ${{ env.clusterName }} --zone ${{ matrix.zone }}
-
- - name: Install Cilium CLI
- uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17
- with:
- skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }}
- image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }}
- image-tag: ${{ steps.vars.outputs.sha }}
-
- # Warning: since this is a privileged workflow, subsequent workflow job
- # steps must take care not to execute untrusted code.
- - name: Checkout pull request branch (NOT TRUSTED)
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ steps.vars.outputs.sha }}
- persist-credentials: false
- path: untrusted
- sparse-checkout: |
- install/kubernetes/cilium
-
- - name: Wait for images to be available
- timeout-minutes: 30
- shell: bash
- run: |
- for image in cilium-ci operator-generic-ci hubble-relay-ci clustermesh-apiserver-ci ; do
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
- done
-
- - name: Install Cilium in cluster
- id: install-cilium
- run: |
- cilium install ${{ steps.vars.outputs.cilium_install_defaults }}
-
- - name: Enable cluster mesh
- run: |
- cilium clustermesh enable ${{ steps.vars.outputs.clustermesh_enable_defaults }}
-
- - name: Wait for cluster mesh status to be ready
- run: |
- cilium clustermesh status --wait
-
- - name: Add VM to cluster mesh
- run: |
- cilium clustermesh vm create ${{ env.vmName }}-${{ matrix.vmIndex }} -n default --ipv4-alloc-cidr 10.192.1.0/30
- cilium clustermesh vm status
-
- - name: Install Cilium on VM
- run: |
- extra_args=${{ env.CILIUM_RUNTIME_EXTRA_ARGS }}
- cilium clustermesh vm install install-external-workload.sh --config debug$([ ! -z $extra_args ] && echo ",${extra_args}")
- gcloud compute scp install-external-workload.sh ${{ env.vmName }}-${{ matrix.vmIndex }}:~/ --zone ${{ matrix.zone }}
- gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \
- --command "~/install-external-workload.sh"
- sleep 5s
- gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \
- --command "sudo cilium-dbg status"
-
- - name: Verify cluster DNS on VM
- # Limit nslookup to the first (global) DNS server setting
- run: |
- gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \
- --command "nslookup -d2 -retry=10 -timeout=5 -norecurse clustermesh-apiserver.kube-system.svc.cluster.local \$(systemd-resolve --status | grep -m 1 \"Current DNS Server:\" | cut -d':' -f2)"
-
- - name: Ping clustermesh-apiserver from VM
- run: |
- gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \
- --command "ping -c 3 \$(sudo cilium-dbg service list get -o jsonpath='{[?(@.spec.flags.name==\"clustermesh-apiserver\")].spec.backend-addresses[0].ip}')"
-
- - name: Make JUnit report directory
- run: |
- mkdir -p cilium-junits
-
- - name: Run connectivity test (${{ join(matrix.*, ', ') }})
- run: |
- cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \
- --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \
- --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})"
-
- - name: Post-test information gathering
- if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
- run: |
- kubectl get pods --all-namespaces -o wide
- kubectl get cew --all-namespaces -o wide
- kubectl get cep --all-namespaces -o wide
- cilium status
- cilium clustermesh status
- cilium clustermesh vm status
- gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} --command "sudo cilium status"
- gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} --command "sudo docker logs cilium --timestamps"
- cilium sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }}
- shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
-
- - name: Clean up GKE cluster and VM
- if: ${{ always() }}
- run: |
- while [ "$(gcloud container operations list --zone ${{ matrix.zone }} --filter="status=RUNNING AND targetLink~${{ env.clusterName }}" --format="value(name)")" ];do
- echo "cluster has an ongoing operation, waiting for all operations to finish"; sleep 15
- done
- gcloud container clusters delete ${{ env.clusterName }} --zone ${{ matrix.zone }} --quiet --async
- gcloud compute instances delete ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} --quiet
- shell: bash {0} # Disable default fail-fast behavior so that all commands run independently
-
- - name: Upload artifacts
- if: ${{ !success() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-sysdumps-${{ matrix.vmIndex }}
- path: cilium-sysdump-*.zip
-
- - name: Upload JUnits [junit]
- if: ${{ always() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-junits-${{ matrix.vmIndex }}
- path: cilium-junits/*.xml
-
- - name: Publish Test Results As GitHub Summary
- if: ${{ always() }}
- uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
- with:
- junit-directory: "cilium-junits"
-
- merge-upload:
- if: ${{ always() && needs.installation-and-connectivity.result != 'skipped' }}
- name: Merge and Upload Artifacts
- runs-on: ubuntu-latest
- needs: installation-and-connectivity
- steps:
- - name: Merge Sysdumps
- if: ${{ needs.installation-and-connectivity.result == 'failure' }}
- uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-sysdumps
- pattern: cilium-sysdumps-*
- retention-days: 5
- delete-merged: true
- continue-on-error: true
- - name: Merge JUnits
- uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-junits
- pattern: cilium-junits-*
- retention-days: 5
- delete-merged: true
-
- commit-status-final:
- if: ${{ always() }}
- name: Commit Status Final
- needs: installation-and-connectivity
- runs-on: ubuntu-latest
- steps:
- - name: Set final commit status
- if: ${{ needs.installation-and-connectivity.result != 'skipped' }}
- uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ needs.installation-and-connectivity.result }}
- - name: Set final commit status
- if: ${{ needs.installation-and-connectivity.result == 'skipped' }}
- uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ github.event_name != 'schedule' && 'success' || 'failure' }}
- description: 'Skipped'
diff --git a/.github/workflows/conformance-gateway-api.yaml b/.github/workflows/conformance-gateway-api.yaml
deleted file mode 100644
index d8fabec66649e..0000000000000
--- a/.github/workflows/conformance-gateway-api.yaml
+++ /dev/null
@@ -1,351 +0,0 @@
-name: Conformance Gateway API (ci-gateway-api)
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- workflow_dispatch:
- inputs:
- PR-number:
- description: "Pull request number."
- required: true
- context-ref:
- description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
- required: true
- SHA:
- description: "SHA under test (head of the PR branch)."
- required: true
- extra-args:
- description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
- required: false
- default: '{}'
-
- push:
- branches:
- - main
- - ft/main/**
- - 'renovate/main-**'
- paths-ignore:
- - 'Documentation/**'
- - 'test/**'
-
-# By specifying the access of one of the scopes, all of those that are not
-# specified are set to 'none'.
-permissions:
- # To read actions state with catchpoint/workflow-telemetry-action
- actions: read
- # To be able to access the repository with actions/checkout
- contents: read
- # To allow retrieving information from the PR API
- pull-requests: read
- # To be able to set commit status
- statuses: write
-
-concurrency:
- # Structure:
- # - Workflow name
- # - Event type
- # - A unique identifier depending on event type:
- # - schedule: SHA
- # - workflow_dispatch: PR number
- #
- # This structure ensures a unique concurrency group name is generated for each
- # type of testing, such that re-runs will cancel the previous run.
- group: |
- ${{ github.workflow }}
- ${{ github.event_name }}
- ${{
- (github.event_name == 'push' && github.sha) ||
- (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
- }}
- cancel-in-progress: true
-
-env:
- kind_config: .github/kind-config.yaml
- timeout: 5m
-
-jobs:
- echo-inputs:
- if: ${{ github.event_name == 'workflow_dispatch' }}
- name: Echo Workflow Dispatch Inputs
- runs-on: ubuntu-22.04
- steps:
- - name: Echo Workflow Dispatch Inputs
- run: |
- echo '${{ tojson(inputs) }}'
-
- commit-status-start:
- name: Commit Status Start
- runs-on: ubuntu-latest
- steps:
- - name: Set initial commit status
- uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
- with:
- sha: ${{ inputs.SHA || github.sha }}
-
- wait-for-images:
- name: Wait for images
- runs-on: ubuntu-latest
- timeout-minutes: 30
- steps:
- - name: Checkout context ref (trusted)
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ inputs.context-ref || github.sha }}
- persist-credentials: false
-
- - name: Wait for images
- uses: ./.github/actions/wait-for-images
- with:
- SHA: ${{ inputs.SHA }}
- images: cilium-ci operator-generic-ci
-
- gateway-api-conformance-test:
- name: Gateway API Conformance Test
- needs: [wait-for-images]
- runs-on: ubuntu-latest
- timeout-minutes: 120
- strategy:
- fail-fast: false
- matrix:
- include:
- - crd-channel: experimental
- conformance-profile: false
- - crd-channel: standard
- conformance-profile: false
- - crd-channel: experimental
- conformance-profile: true
- steps:
- - name: Collect Workflow Telemetry
- uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0
- with:
- comment_on_pr: false
-
- - name: Checkout context ref (trusted)
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ inputs.context-ref || github.sha }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Get Cilium's default values
- id: default_vars
- uses: ./.github/actions/helm-default
- with:
- image-tag: ${{ inputs.SHA }}
- chart-dir: ./untrusted/install/kubernetes/cilium
-
- - name: Set image tag
- id: vars
- run: |
- echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
-
- EXEMPT_FEATURES="HTTPRouteParentRefPort,MeshConsumerRoute"
- if [ ${{ matrix.crd-channel }} == "standard" ]; then
- EXEMPT_FEATURES+=",HTTPRouteDestinationPortMatching,HTTPRouteRequestTimeout,HTTPRouteBackendTimeout,GatewayInfrastructurePropagation"
- fi
-
- if [ ${{ matrix.conformance-profile }} == "true" ]; then
- SKIPPED_TESTS+="MeshConsumerRoute,HTTPRouteListenerPortMatching"
- fi
-
- CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
- --helm-set=kubeProxyReplacement=true \
- --helm-set=extraArgs={--envoy-config-retry-interval=5s} \
- --helm-set=gatewayAPI.enabled=true \
- --helm-set=l2announcements.enabled=true"
-
- echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT
- echo skipped_tests=${SKIPPED_TESTS} >> $GITHUB_OUTPUT
- echo exempt-features=${EXEMPT_FEATURES} >> $GITHUB_OUTPUT
-
- # Warning: since this is a privileged workflow, subsequent workflow job
- # steps must take care not to execute untrusted code.
- - name: Checkout pull request branch (NOT TRUSTED)
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ steps.vars.outputs.sha }}
- persist-credentials: false
- path: untrusted
- sparse-checkout: |
- install/kubernetes/cilium
- examples
-
- - name: Create kind cluster
- uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
- with:
- version: ${{ env.KIND_VERSION }}
- node_image: ${{ env.KIND_K8S_IMAGE }}
- kubectl_version: ${{ env.KIND_K8S_VERSION }}
- config: ${{ env.kind_config }}
- wait: 0 # The control-plane never becomes ready, since no CNI is present
-
- - name: Install Cilium CLI
- uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17
- with:
- skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }}
- image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }}
- image-tag: ${{ steps.vars.outputs.sha }}
-
- - name: Install Go
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
- with:
- # renovate: datasource=golang-version depName=go
- go-version: 1.23.1
-
- - name: Install tparse
- timeout-minutes: 15
- run: |
- go install github.com/mfridman/tparse@28967170dce4f9f13de77ec857f7aed4c4294a5f # v0.12.3 (main) with -progress
-
- - name: Install Gateway API CRDs
- run: |
- gateway_api_version=$(grep "sigs.k8s.io/gateway-api" go.mod | awk -F'-' '{print (NF>1)?$NF:$0}')
- # Install Gateway CRDs
- kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$gateway_api_version/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_gatewayclasses.yaml
- kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$gateway_api_version/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_gateways.yaml
- kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$gateway_api_version/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_httproutes.yaml
- kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$gateway_api_version/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_referencegrants.yaml
- kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$gateway_api_version/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_grpcroutes.yaml
- ## TLSRoute is only available in experimental channel in v0.7.0
- kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/$gateway_api_version/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml
-
- # To make sure that Gateway API CRs are available
- kubectl wait --for condition=Established crd/gatewayclasses.gateway.networking.k8s.io --timeout=${{ env.timeout }}
- kubectl wait --for condition=Established crd/gateways.gateway.networking.k8s.io --timeout=${{ env.timeout }}
- kubectl wait --for condition=Established crd/httproutes.gateway.networking.k8s.io --timeout=${{ env.timeout }}
- kubectl wait --for condition=Established crd/tlsroutes.gateway.networking.k8s.io --timeout=${{ env.timeout }}
- kubectl wait --for condition=Established crd/grpcroutes.gateway.networking.k8s.io --timeout=${{ env.timeout }}
- kubectl wait --for condition=Established crd/referencegrants.gateway.networking.k8s.io --timeout=${{ env.timeout }}
-
- - name: Install Cilium
- id: install-cilium
- run: |
- cilium install ${{ steps.vars.outputs.cilium_install_defaults }}
-
- - name: Wait for Cilium status to be ready
- run: |
- cilium status --wait
- kubectl -n kube-system get pods
-
- - name: Install Cilium LB IPPool and L2 Announcement Policy
- timeout-minutes: 10
- run: |
- KIND_NET_CIDR=$(docker network inspect kind -f '{{json .IPAM.Config}}' | jq -r '.[] | select(.Subnet | test("^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+")) | .Subnet')
- echo "KIND_NET_CIDR: $KIND_NET_CIDR"
- LB_CIDR=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.200/28@")
- echo "LB_CIDR: $LB_CIDR"
-
- echo "Deploying LB-IPAM Pool..."
- cat << EOF > pool.yaml
- apiVersion: "cilium.io/v2alpha1"
- kind: CiliumLoadBalancerIPPool
- metadata:
- name: "pool"
- spec:
- blocks:
- - cidr: "$LB_CIDR"
- EOF
- cat pool.yaml
- kubectl apply -f pool.yaml
-
- echo "Deploying L2-Announcement Policy..."
- cat << 'EOF' > l2policy.yaml
- apiVersion: "cilium.io/v2alpha1"
- kind: CiliumL2AnnouncementPolicy
- metadata:
- name: l2policy
- spec:
- loadBalancerIPs: true
- interfaces:
- - eth0
- nodeSelector:
- matchExpressions:
- - key: node-role.kubernetes.io/control-plane
- operator: DoesNotExist
- EOF
- cat l2policy.yaml
- kubectl apply -f l2policy.yaml
-
- - name: Run Gateway API conformance test
- timeout-minutes: 30
- run: |
- KIND_NET_CIDR=$(docker network inspect kind -f '{{json .IPAM.Config}}' | jq -r '.[] | select(.Subnet | test("^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+")) | .Subnet')
- echo "KIND_NET_CIDR: $KIND_NET_CIDR"
- GATEWAY_API_CONFORMANCE_USABLE_NETWORK_ADDRESSES=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.206@")
- GATEWAY_API_CONFORMANCE_UNUSABLE_NETWORK_ADDRESSES=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.216@")
- echo "GATEWAY_API_CONFORMANCE_USABLE_NETWORK_ADDRESSES: $GATEWAY_API_CONFORMANCE_USABLE_NETWORK_ADDRESSES"
- echo "GATEWAY_API_CONFORMANCE_UNUSABLE_NETWORK_ADDRESSES: $GATEWAY_API_CONFORMANCE_UNUSABLE_NETWORK_ADDRESSES"
- if [ ${{ matrix.conformance-profile }} == "true" ]; then
- GATEWAY_API_CONFORMANCE_TESTS=1 \
- GATEWAY_API_CONFORMANCE_USABLE_NETWORK_ADDRESSES=$GATEWAY_API_CONFORMANCE_USABLE_NETWORK_ADDRESSES \
- GATEWAY_API_CONFORMANCE_UNUSABLE_NETWORK_ADDRESSES=$GATEWAY_API_CONFORMANCE_UNUSABLE_NETWORK_ADDRESSES \
- go test \
- -p 4 \
- -v ./operator/pkg/gateway-api \
- --gateway-class cilium \
- --all-features \
- --skip-tests "${{ steps.vars.outputs.skipped_tests }}" \
- --allow-crds-mismatch \
- --conformance-profiles GATEWAY-HTTP,GATEWAY-TLS,GATEWAY-GRPC,MESH-HTTP,MESH-GRPC \
- --organization cilium \
- --project cilium \
- --url github.com/cilium/cilium \
- --version main \
- --contact https://github.com/cilium/community/blob/main/roles/Maintainers.md \
- --report-output report.yaml \
- -test.run "TestConformance" \
- -json \
- | tparse -progress
- else
- GATEWAY_API_CONFORMANCE_TESTS=1 \
- GATEWAY_API_CONFORMANCE_USABLE_NETWORK_ADDRESSES=$GATEWAY_API_CONFORMANCE_USABLE_NETWORK_ADDRESSES \
- GATEWAY_API_CONFORMANCE_UNUSABLE_NETWORK_ADDRESSES=$GATEWAY_API_CONFORMANCE_UNUSABLE_NETWORK_ADDRESSES \
- go test \
- -p 4 \
- -v ./operator/pkg/gateway-api \
- --gateway-class cilium \
- --all-features \
- --exempt-features "${{ steps.vars.outputs.exempt-features }}" \
- --allow-crds-mismatch \
- -test.run "TestConformance" \
- -test.skip "${{ steps.vars.outputs.skipped_tests }}" \
- -json \
- | tparse -progress
- fi
-
- - name: Upload report artifacts
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: report-${{ matrix.conformance-profile }}-${{ matrix.crd-channel }}.yaml
- path: operator/pkg/gateway-api/report.yaml
- retention-days: 5
- if-no-files-found: ignore
-
- - name: Post-test information gathering
- if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
- run: |
- kubectl get pods --all-namespaces -o wide
- cilium status
- cilium sysdump --output-filename cilium-sysdump-out-${{ join(matrix.*, '-') }}
- shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
-
- - name: Upload artifacts
- if: ${{ !success() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-sysdump-out-${{ matrix.conformance-profile }}-${{ matrix.crd-channel }}
- path: cilium-sysdump-out-*.zip
- retention-days: 5
-
- commit-status-final:
- if: ${{ always() }}
- name: Commit Status Final
- needs: gateway-api-conformance-test
- runs-on: ubuntu-latest
- steps:
- - name: Set final commit status
- uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ needs.gateway-api-conformance-test.result }}
diff --git a/.github/workflows/conformance-ginkgo.yaml b/.github/workflows/conformance-ginkgo.yaml
deleted file mode 100644
index 71b0afad950a3..0000000000000
--- a/.github/workflows/conformance-ginkgo.yaml
+++ /dev/null
@@ -1,521 +0,0 @@ -name: Conformance Ginkgo (ci-ginkgo) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/main-**' - # Run every 8 hours - schedule: - - cron: '0 1/8 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - setup-vars: - name: Setup Vars - runs-on: ubuntu-latest - outputs: - SHA: ${{ steps.vars.outputs.SHA }} - context-ref: ${{ steps.vars.outputs.context-ref }} - owner: ${{ steps.vars.outputs.owner }} - steps: - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - CONTEXT_REF="${{ inputs.context-ref }}" - OWNER="${{ inputs.PR-number }}" - else - SHA="${{ github.sha }}" - CONTEXT_REF="${{ github.sha }}" - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - echo SHA=${SHA} >> $GITHUB_OUTPUT - echo context-ref=${CONTEXT_REF} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - # Pre-build the ginkgo binary so that we don't have to build it for all - # runners. - build-ginkgo-binary: - runs-on: ubuntu-latest - name: Build Ginkgo E2E - timeout-minutes: 30 - steps: - # If any of these steps are modified, please update the copy of these - # steps further down under the 'setup-and-test' jobs. - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.SHA || github.sha }} - persist-credentials: false - - # Load Ginkgo build from GitHub - - name: Load ginkgo E2E from GH cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-e2e-${{ hashFiles('**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - wait-for-images: - needs: setup-vars - runs-on: ubuntu-latest - name: Wait for images - timeout-minutes: 30 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Wait for images - uses: ./.github/actions/wait-for-images - with: - SHA: ${{ inputs.SHA }} - - generate-matrix: - name: Generate Job Matrix from YAMLs - needs: setup-vars - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - 
steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/ginkgo" - destination_directory="/tmp/generated/ginkgo" - mkdir -p "${destination_directory}" - for file in "${work_dir}"/main*.yaml; do - if [[ -f "$file" ]]; then - filename=$(basename "$file") - new_filename="${filename%.yaml}.json" - - yq -o=json "${file}" | jq . > "${destination_directory}/${new_filename}" - fi - done - - - name: Generate Matrix - id: set-matrix - run: | - if ${{ github.event_name == 'schedule' }}; then - k8s_versions_to_run='main-scheduled.json' - else - k8s_versions_to_run='main-prs.json' - fi - - # Generate a Matrix from all k8s versions defined in '${k8s_versions_to_run}' - # combined with 'main-focus.yaml'. - # Use 'main-k8s-versions.yaml' to - # retrieve which kernel versions should be used for which k8s version. - - dir="/tmp/generated/ginkgo" - cd ${dir} - jq --argjson prs "$(jq '.["k8s-version"]' ${k8s_versions_to_run})" \ - --argfile focus main-focus.json \ - '.include |= map(select(.["k8s-version"] as $k | $prs[] | select($k == .))) + $focus.include | - . + {"k8s-version": $prs} | - .focus = $focus.focus | .exclude = $focus.exclude' \ - main-k8s-versions.json> /tmp/merged.json - echo "Generated matrix:" - cat /tmp/merged.json - echo "matrix=$(jq -c . 
< /tmp/merged.json)" >> $GITHUB_OUTPUT - - setup-and-test: - needs: [setup-vars, build-ginkgo-binary, generate-matrix, wait-for-images] - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - timeout-minutes: 45 - name: "E2E Test (${{ matrix.k8s-version }}, ${{matrix.focus}})" - env: - job_name: "E2E Test (${{ matrix.k8s-version }}, ${{matrix.focus}})" - strategy: - fail-fast: false - max-parallel: 60 - matrix: ${{ fromJSON(needs.generate-matrix.outputs.matrix) }} - - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Cleanup Disk space in runner - if: runner.name == 'ubuntu-latest' - uses: ./.github/actions/disk-cleanup - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.SHA || github.sha }} - persist-credentials: false - - - name: Install cilium-cli - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - ci-version: ${{ env.CILIUM_CLI_VERSION }} - binary-dir: '.' 
- - - name: Install helm - shell: bash - run: | - # renovate: datasource=github-releases depName=helm/helm - HELM_VERSION=v3.13.1 - wget "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" - tar -xf "helm-${HELM_VERSION}-linux-amd64.tar.gz" - mv ./linux-amd64/helm ./helm - - - name: Provision LVH VMs - id: provision-vh-vms - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - test-name: datapath-conformance - install-dependencies: true - image-version: ${{ matrix.kernel }} - images-folder-parent: "/tmp" - host-mount: ./ - cpu: 4 - mem: 12G - # renovate: datasource=github-tags depName=cilium/little-vm-helper - lvh-version: "v0.0.19" - cmd: | - git config --global --add safe.directory /host - mv /host/helm /usr/bin - mv /host/cilium /usr/bin/cilium-cli - - - name: Provision kind - timeout-minutes: 5 - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - if [[ "${{ matrix.kernel }}" == bpf-next-* ]]; then - ./contrib/scripts/kind.sh "" 2 "" "${{ matrix.kube-image }}" "none" "${{ matrix.ip-family }}" - kubectl label node kind-worker2 cilium.io/ci-node=kind-worker2 - # Avoid re-labeling this node by setting "node-role.kubernetes.io/controlplane" - kubectl label node kind-worker2 node-role.kubernetes.io/controlplane= - else - ./contrib/scripts/kind.sh "" 1 "" "${{ matrix.kube-image }}" "iptables" "${{ matrix.ip-family }}" - fi - git config --add safe.directory /cilium - - # Load Ginkgo build from GitHub - - name: Load ${{ matrix.name }} Ginkgo build from GitHub - uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-e2e-${{ hashFiles('**/*.go') }} - - # Re-build the tests if it was a cache miss. 
- - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Copy Ginkgo binary - shell: bash - run: | - cd test/ - tar -xf /tmp/.ginkgo-build/test.tgz - - - name: Run tests - id: run-tests - timeout-minutes: 40 - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/test/ - kubectl get ns -A -o wide - kubectl get pods -A -o wide - export K8S_NODES=2 - export NETNEXT=0 - if [[ "${{ matrix.kernel }}" == bpf-next-* ]]; then - export KERNEL=net-next - export NETNEXT=1 - export KUBEPROXY=0 - export K8S_NODES=3 - export NO_CILIUM_ON_NODES=kind-worker2 - elif [[ "${{ matrix.kernel }}" == 5.4-* ]]; then - export KERNEL=54 - fi - export K8S_VERSION=${{ matrix.k8s-version }} - export CNI_INTEGRATION=kind - export INTEGRATION_TESTS=true - # GitHub actions do not support IPv6 connectivity to outside - # world. 
- export CILIUM_NO_IPV6_OUTSIDE=true - echo "/root/go/bin/ginkgo \ - --focus=\"${{ matrix.cliFocus }}\" \ - --skip=\"${{ matrix.cliSkip }}\" \ - --seed=1679952881 \ - -v -- \ - -cilium.provision=false \ - -cilium.image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - -cilium.tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.operator-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - -cilium.operator-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.hubble-relay-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - -cilium.hubble-relay-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.kubeconfig=/root/.kube/config \ - -cilium.provision-k8s=false \ - -cilium.operator-suffix=-ci ${{ env.CILIUM_GINKGO_EXTRA_ARGS }}" - - ./test.test \ - --ginkgo.focus="${{ matrix.cliFocus }}" \ - --ginkgo.skip="${{ matrix.cliSkip }}" \ - --ginkgo.seed=1679952881 \ - --ginkgo.v -- \ - -cilium.provision=false \ - -cilium.image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - -cilium.tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.operator-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - -cilium.operator-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.hubble-relay-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - -cilium.hubble-relay-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.kubeconfig=/root/.kube/config \ - -cilium.provision-k8s=false \ - -cilium.operator-suffix=-ci ${{ env.CILIUM_GINKGO_EXTRA_ARGS }} - - - name: Fetch artifacts - if: ${{ !success() && steps.provision-vh-vms.outcome == 'success' }} - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host - kubectl get pods --all-namespaces -o wide - tar -zcf "test_results-${{ env.job_name }}.tar.gz" /host/test/test_results - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: 
cilium-sysdumps-${{ matrix.k8s-version }}-${{matrix.focus}} - path: | - cilium-sysdump-*.zip - bugtool-*.tar.gz - test_results-*.tar.gz - - - name: Fetch JUnits - if: ${{ always() && steps.run-tests.outcome != 'skipped' }} - shell: bash - run: | - mkdir -p cilium-junits - cd test/ - junit_filename="${{ env.job_name }}.xml" - for filename in *.xml; do cp "$(unknown)" "../cilium-junits/${junit_filename}"; done; - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits-${{ matrix.k8s-version }}-${{matrix.focus}} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Determine final commit status - id: commit-status - shell: bash - run: | - # When one of the prerequisites of setup-and-test fails, then that - # job gets skipped. Let's convert the status so that we correctly - # report that as a proper failure. 
- if [ "${{ needs.setup-and-test.result }}" != "skipped" ]; then - echo "status=${{ needs.setup-and-test.result }}" >> $GITHUB_OUTPUT - else - echo "status=failure" >> $GITHUB_OUTPUT - fi - - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ steps.commit-status.outputs.status }} diff --git a/.github/workflows/conformance-gke.yaml b/.github/workflows/conformance-gke.yaml deleted file mode 100644 index e345dd82d6df2..0000000000000 --- a/.github/workflows/conformance-gke.yaml +++ /dev/null 
@@ -1,403 +0,0 @@ -name: Conformance GKE (ci-gke) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/main-**' - # Run every 8 hours - schedule: - - cron: '0 2/8 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - # To be able to request the JWT from GitHub's OIDC provider - id-token: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cilium_cli_ci_version: - USE_GKE_GCLOUD_AUTH_PLUGIN: True - # renovate: datasource=docker depName=google/cloud-sdk - gcloud_version: 492.0.0 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - empty: ${{ steps.set-matrix.outputs.empty }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/gke" - destination_directory="/tmp/generated/gke" - mkdir -p "${destination_directory}" - - ls ${work_dir}/*.yaml | grep -v 'schema\|classic' | while read file;do - filename=$(basename "$file") - new_filename="${filename%.yaml}.json" - yq -o=json "${file}" | jq . 
> "${destination_directory}/${new_filename}" - done - - # Merge 2 files into one - jq -s "add" ${destination_directory}/*.json > "${destination_directory}/gke.json" - - - name: Generate Matrix - run: | - cd /tmp/generated/gke - - # Use complete matrix in case of scheduled run - # main -> event_name = schedule - # other stable branches -> PR-number starting with v (e.g. v1.14) - if [[ "${{ github.event_name }}" == "schedule" || "${{ inputs.PR-number }}" == v* ]];then - cp gke.json /tmp/matrix.json - else - jq '{ "k8s": [ .k8s[] | select(.default) ], "config": .config}' gke.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - - - name: Set up gcloud credentials - id: 'auth' - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 - with: - workload_identity_provider: ${{ secrets.GCP_PR_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PR_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: ${{ secrets.GCP_PROJECT_ID }} - version: ${{ env.gcloud_version }} - - - name: Filter Matrix - id: set-matrix - run: | - cp /tmp/matrix.json /tmp/result.json - jq -c '.k8s[]' /tmp/matrix.json | while read i; do - VERSION=$(echo $i | jq -r '.version') - ZONE=$(echo $i | jq -r '.zone') - gcloud --quiet container get-server-config \ - --flatten="channels" \ - --format="yaml(channels.validVersions)" --zone $ZONE > /tmp/output - if grep -q -F $VERSION /tmp/output; then - echo "Version $VERSION is valid for zone $ZONE" - else - echo "::notice::Removing version $VERSION as it's not valid for zone $ZONE" - jq 'del(.k8s[] | select(.version == "'$VERSION'"))' /tmp/result.json > /tmp/result.json.tmp - mv /tmp/result.json.tmp /tmp/result.json - fi - done - echo "Filtered matrix:" - cat /tmp/result.json - - echo "matrix=$(jq -c . 
< /tmp/result.json)" >> $GITHUB_OUTPUT - echo "empty=$(jq '(.k8s | length) == 0' /tmp/result.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - if: ${{ needs.generate-matrix.outputs.empty == 'false' }} - runs-on: ubuntu-latest - timeout-minutes: 75 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=cluster.name=${{ env.clusterName }}-${{ matrix.config.index }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=agentNotReadyTaintKey=ignore-taint.cluster-autoscaler.kubernetes.io/cilium-agent-not-ready \ - --helm-set loadBalancer.l7.backend=envoy \ - --helm-set tls.secretsBackend=k8s \ - --wait=false" - - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \ - --external-target google.com. 
--external-cidr 8.0.0.0/8 --external-ip 8.8.8.8 --external-other-ip 8.8.4.4" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo hubble_enable_defaults=${HUBBLE_ENABLE_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Set up gcloud credentials - id: 'auth' - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 - with: - workload_identity_provider: ${{ secrets.GCP_PR_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PR_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: ${{ secrets.GCP_PROJECT_ID }} - version: ${{ env.gcloud_version }} - - - name: Install gke-gcloud-auth-plugin - run: | - gcloud components install gke-gcloud-auth-plugin - - - name: Display gcloud CLI info - run: | - gcloud info - - - name: Create GKE cluster - run: | - gcloud container clusters create ${{ env.clusterName }}-${{ matrix.config.index }} \ - --labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name }},owner=${{ steps.vars.outputs.owner }}" \ - --zone ${{ matrix.k8s.zone }} \ - --cluster-version ${{ matrix.k8s.version }} \ - --enable-ip-alias \ - --create-subnetwork="range=/26" \ - --cluster-ipv4-cidr="/21" \ - --services-ipv4-cidr="/24" \ - --image-type COS_CONTAINERD \ - --num-nodes ${{ matrix.config.nodes || 2 }} \ - --machine-type e2-custom-2-4096 \ - --disk-type pd-standard \ - --disk-size 20GB \ - --node-taints ignore-taint.cluster-autoscaler.kubernetes.io/cilium-agent-not-ready=true:NoExecute - - - name: Get cluster credentials - run: | - gcloud container clusters get-credentials ${{ env.clusterName }}-${{ matrix.config.index }} --zone ${{ 
matrix.k8s.zone }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Create custom IPsec secret - if: ${{ matrix.config.type == 'ipsec' || matrix.config.type == 'tunnel-ipsec' }} - run: | - kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="15 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} ${{ matrix.config.cilium-install-opts }} - - - name: Wait for Cilium to be ready - run: | - cilium status --wait --wait-duration=10m - kubectl get pods -n kube-system - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ matrix.k8s.version }}, ${{ matrix.config.index }}, ${{ matrix.config.type }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.k8s.*, ', ') }}, ${{ join(matrix.config.*, ', ') }}).xml" \ - 
--junit-property github_job_step="Run connectivity test (${{ matrix.k8s.version }}, ${{ matrix.config.index }}, ${{ matrix.config.type }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final-${{ matrix.k8s.version }}-${{ matrix.config.index }}-${{ matrix.config.type }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Clean up GKE - if: ${{ always() }} - run: | - while [ "$(gcloud container operations list --zone ${{ matrix.k8s.zone }} --filter="status=RUNNING AND targetLink~${{ env.clusterName }}-${{ matrix.config.index }}" --format="value(name)")" ];do - echo "cluster has an ongoing operation, waiting for all operations to finish"; sleep 15 - done - gcloud container clusters delete ${{ env.clusterName }}-${{ matrix.config.index }} --zone ${{ matrix.k8s.zone }} --quiet --async - shell: bash {0} # Disable default fail-fast behavior so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps-${{ matrix.config.index }}-${{ matrix.k8s.vmIndex }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits-${{ matrix.config.index }}-${{ matrix.k8s.vmIndex }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() && needs.installation-and-connectivity.result != 'skipped' }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: 
installation-and-connectivity - steps: - - name: Merge Sysdumps - if: ${{ needs.installation-and-connectivity.result == 'failure' }} - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result != 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result == 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ github.event_name != 'schedule' && 'success' || 'failure' }} - description: 'Skipped' diff --git a/.github/workflows/conformance-ingress.yaml b/.github/workflows/conformance-ingress.yaml deleted file mode 100644 index 3acbc0bd8d056..0000000000000 --- a/.github/workflows/conformance-ingress.yaml +++ /dev/null 
@@ -1,446 +0,0 @@ -name: Conformance Ingress (ci-ingress) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - main - - ft/main/** - - 'renovate/main-**' - paths-ignore: - - 'Documentation/**' - - 'test/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - kind_config: .github/kind-config.yaml - timeout: 5m - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - wait-for-images: - name: Wait for images - runs-on: ubuntu-latest - timeout-minutes: 30 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Wait for images - uses: ./.github/actions/wait-for-images - with: - SHA: ${{ inputs.SHA }} - images: cilium-ci operator-generic-ci - - ingress-conformance-test: - name: Ingress Conformance Test - needs: [wait-for-images] - runs-on: ubuntu-latest - timeout-minutes: 120 - strategy: - fail-fast: false - matrix: - include: - - name: Without_XDP - kube-proxy-replacement: true - enable-node-port: false - bpf-lb-acceleration: disabled - loadbalancer-mode: dedicated - default-ingress-controller: false - - name: With_XDP - kube-proxy-replacement: true - enable-node-port: false - bpf-lb-acceleration: native - loadbalancer-mode: dedicated - default-ingress-controller: false - - name: With_Shared_LB - kube-proxy-replacement: true - enable-node-port: false - bpf-lb-acceleration: disabled - loadbalancer-mode: shared - default-ingress-controller: false - - name: With_Default_Ingress_Controller - 
kube-proxy-replacement: true - enable-node-port: false - bpf-lb-acceleration: disabled - loadbalancer-mode: dedicated - default-ingress-controller: true - - name: Without_KPR - kube-proxy-replacement: false - enable-node-port: true - bpf-lb-acceleration: disabled - loadbalancer-mode: dedicated - default-ingress-controller: false - - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set image tag - id: vars - run: | - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set kubeProxyReplacement=${{ matrix.kube-proxy-replacement }} \ - --helm-set nodePort.enabled=${{ matrix.enable-node-port }} \ - --helm-set=ingressController.enabled=true \ - --helm-set=ingressController.loadbalancerMode=${{ matrix.loadbalancer-mode }} \ - --helm-set=ingressController.default=${{ matrix.default-ingress-controller }} \ - --helm-set=extraConfig.bpf-lb-acceleration=${{ matrix.bpf-lb-acceleration }} \ - --helm-set=l2announcements.enabled=true" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - examples - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ${{ env.kind_config }} - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - - name: Checkout ingress-controller-conformance - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - # Use the forked repo with retry mechanism - # Please refer to https://github.com/kubernetes-sigs/ingress-controller-conformance/pull/101 for more details. 
- repository: cilium/ingress-controller-conformance - path: ingress-controller-conformance - ref: 6a193b3f73d8b1201a818bb7c8f204059b064857 - persist-credentials: false - - - name: Install Ingress conformance test tool - timeout-minutes: 10 - run: | - cd ingress-controller-conformance - make build - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium to be ready - run: | - cilium status --wait - kubectl get pods -n kube-system - - - name: Install Cilium LB IPPool and L2 Announcement Policy - timeout-minutes: 10 - run: | - KIND_NET_CIDR=$(docker network inspect kind -f '{{json .IPAM.Config}}' | jq -r '.[] | select(.Subnet | test("^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+")) | .Subnet') - echo "KIND_NET_CIDR: $KIND_NET_CIDR" - LB_CIDR=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.200/28@") - echo "LB_CIDR: $LB_CIDR" - echo "Deploying LB-IPAM Pool..." - cat << EOF > pool.yaml - apiVersion: "cilium.io/v2alpha1" - kind: CiliumLoadBalancerIPPool - metadata: - name: "pool" - spec: - blocks: - - cidr: "$LB_CIDR" - EOF - cat pool.yaml - kubectl apply -f pool.yaml - - echo "Deploying L2-Announcement Policy..." 
- cat << 'EOF' > l2policy.yaml - apiVersion: "cilium.io/v2alpha1" - kind: CiliumL2AnnouncementPolicy - metadata: - name: l2policy - spec: - loadBalancerIPs: true - interfaces: - - eth0 - nodeSelector: - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: DoesNotExist - EOF - cat l2policy.yaml - kubectl apply -f l2policy.yaml - - - name: Create sample workload - timeout-minutes: 5 - run: | - kubectl apply -n default -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml - if [ ${{ matrix.default-ingress-controller }} = "true" ]; then - # remove ingressClassName line from basic-ingress.yaml - sed -i '/ingressClassName/d' untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml - kubectl apply -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml - kubectl wait -n default --for=condition=Ready --all pod --timeout=${{ env.timeout }} - fi - - kubectl apply -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml - kubectl wait -n default --for=condition=Ready --all pod --timeout=${{ env.timeout }} - - - name: Run Sanity check (external) - timeout-minutes: 5 - run: | - lb=$(kubectl get ingress basic-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --retry-all-errors --retry-delay 5 --fail -- http://"$lb" - - # By now the service should be up, no need to do the manual retries for the second request - curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --fail -- http://"$lb"/details/1 - - - name: Run Sanity check (internal to NodePort) - if: ${{ matrix.kube-proxy-replacement == 'true' }} - timeout-minutes: 5 - run: | - if [ ${{ matrix.loadbalancer-mode }} = "dedicated" ]; then - node_port=$(kubectl get svc cilium-ingress-basic-ingress -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}') - else - node_port=$(kubectl get -n kube-system svc cilium-ingress -o 
jsonpath='{.spec.ports[?(@.port==80)].nodePort}') - fi - docker exec -i chart-testing-control-plane curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --fail http://localhost:$node_port/details/1 - - - name: Run Sanity check (headless service) - timeout-minutes: 5 - run: | - BACKEND_IP=$(kubectl get pod -l app=details -o jsonpath="{.items[*].status.podIP}") - cat << EOF > ingress-with-headless-service.yaml - apiVersion: v1 - kind: Endpoints - metadata: - name: details-headless - subsets: - - addresses: - - ip: ${BACKEND_IP} - ports: - - name: http - port: 9080 - protocol: TCP - --- - apiVersion: v1 - kind: Service - metadata: - name: details-headless - spec: - ports: - - name: http - port: 9080 - protocol: TCP - targetPort: 9080 - clusterIP: None - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - --- - apiVersion: discovery.k8s.io/v1 - kind: EndpointSlice - metadata: - name: details-headless-endpoint-slice - labels: - kubernetes.io/service-name: details-headless-endpoint-slice - addressType: IPv4 - endpoints: - - addresses: - - ${BACKEND_IP} - ports: - - name: http - port: 9080 - protocol: TCP - --- - apiVersion: v1 - kind: Service - metadata: - name: details-headless-endpoint-slice - spec: - ports: - - name: http - port: 9082 - protocol: TCP - targetPort: 9080 - clusterIP: None - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - --- - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: basic-ingress-headless - spec: - ingressClassName: cilium - rules: - - http: - paths: - - backend: - service: - name: details-headless - port: - number: 9080 - path: /details/1 - pathType: Prefix - - backend: - service: - name: details-headless-endpoint-slice - port: - number: 9082 - path: /details/2 - pathType: Prefix - EOF - kubectl apply -n default -f ingress-with-headless-service.yaml - until [ -n "$(kubectl get ingress basic-ingress-headless -o jsonpath='{.status.loadBalancer.ingress[0].ip}')" ]; do - sleep 3 - done - lb=$(kubectl get ingress 
basic-ingress-headless -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - curl -s -v --connect-timeout 2 --max-time 20 --retry 3 --retry-all-errors --retry-delay 3 --fail -- http://"$lb"/details/1 - curl -s -v --connect-timeout 2 --max-time 20 --retry 3 --retry-all-errors --retry-delay 3 --fail -- http://"$lb"/details/2 - - - name: Cleanup Sanity check - timeout-minutes: 5 - run: | - # Clean up after sanity check to avoid any conflicts with the conformance test - kubectl delete -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml - kubectl delete -n default -f ingress-with-headless-service.yaml - kubectl delete -n default -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml - kubectl wait ingress basic-ingress --for=delete - kubectl wait ingress basic-ingress-headless --for=delete - - - name: Run Ingress conformance test - timeout-minutes: 30 - run: | - cd ingress-controller-conformance - ./ingress-controller-conformance \ - -ingress-class cilium \ - -wait-time-for-ingress-status 60s \ - -wait-time-for-ready 60s \ - -http-client-timeout 60s \ - -enable-http-debug \ - -stop-on-failure - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out-${{ matrix.name }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdump-out-${{ matrix.name }} - path: cilium-sysdump-out-*.zip - retention-days: 5 - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: ingress-conformance-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: 
myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.ingress-conformance-test.result }} diff --git a/.github/workflows/conformance-ipsec-e2e.yaml b/.github/workflows/conformance-ipsec-e2e.yaml deleted file mode 100644 index a5cc3f3ae54cf..0000000000000 --- a/.github/workflows/conformance-ipsec-e2e.yaml +++ /dev/null 
@@ -1,472 +0,0 @@ -name: Conformance IPsec E2E (ci-ipsec-e2e) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/main-**' - # Run every 8 hours - schedule: - - cron: '0 5/8 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - wait-for-images: - name: Wait for images - runs-on: ubuntu-latest - timeout-minutes: 30 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - name: Wait for images - uses: ./.github/actions/wait-for-images - with: - SHA: ${{ inputs.SHA }} - - setup-and-test: - needs: [wait-for-images] - name: 'Setup & Test' - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - env: - job_name: 'Setup & Test' - strategy: - fail-fast: false - max-parallel: 16 - matrix: - include: - # See https://github.com/cilium/cilium/issues/20606 for configuration table - - - name: '1' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'rhel8-20240404.144247' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - encryption: 'ipsec' - encryption-node: 'false' - key-one: 'gcm(aes)' - key-two: 'cbc(aes)' - key-type-one: '+' - key-type-two: '+' - - - name: '2' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - encryption: 
'ipsec' - encryption-node: 'false' - key-one: 'cbc(aes)' - key-two: 'cbc(aes)' - key-type-one: '+' - key-type-two: '' - - - name: '3' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - encryption: 'ipsec' - encryption-node: 'false' - endpoint-routes: 'true' - key-one: 'gcm(aes)' - key-two: 'gcm(aes)' - key-type-one: '' - key-type-two: '+' - - - name: '4' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20240711.013133' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'geneve' - encryption: 'ipsec' - encryption-node: 'false' - endpoint-routes: 'true' - key-one: 'cbc(aes)' - key-two: 'gcm(aes)' - key-type-one: '' - key-type-two: '' - - - name: '5' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - tunnel: 'disabled' - encryption: 'ipsec' - encryption-node: 'false' - key-one: 'cbc(aes)' - key-two: 'cbc(aes)' - key-type-one: '+' - key-type-two: '+' - - - name: '6' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - tunnel: 'disabled' - encryption: 'ipsec' - encryption-node: 'false' - endpoint-routes: 'true' - key-one: 'gcm(aes)' - key-two: 'gcm(aes)' - key-type-one: '+' - key-type-two: '+' - - - name: '7' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - encryption: 'ipsec' - encryption-node: 'false' - encryption-overlay: 'true' - key-one: 'gcm(aes)' - key-two: 'gcm(aes)' - key-type-one: '+' - key-type-two: '+' - - - name: '8' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20240711.013133' - kube-proxy: 'none' - kpr: 'true' - tunnel: 'vxlan' - encryption: 'ipsec' - encryption-node: 'false' - key-one: 'gcm(aes)' - key-two: 
'gcm(aes)' - key-type-one: '+' - key-type-two: '+' - - timeout-minutes: 75 - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Cleanup Disk space in runner - if: runner.name == 'ubuntu-latest' - uses: ./.github/actions/disk-cleanup - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - - - name: Derive Cilium installation config and junit type - id: cilium-config - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: './untrusted/install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - devices: ${{ matrix.devices }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - encryption-overlay: ${{ matrix.encryption-overlay }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - ingress-controller: ${{ matrix.ingress-controller }} - misc: ${{ matrix.misc }} - - - name: Set Kind params - id: kind-params - shell: bash - run: | - IP_FAM="dual" - if [ "${{ matrix.ipv6 }}" == "false" ]; then - IP_FAM="ipv4" - fi - echo params="--xdp --secondary-network \"\" 3 \"\" \"\" ${{ matrix.kube-proxy }} $IP_FAM" >> $GITHUB_OUTPUT - - - name: Provision K8s on LVH VM - uses: ./.github/actions/lvh-kind - with: - test-name: 
e2e-conformance - kernel: ${{ matrix.kernel }} - kind-params: "${{ steps.kind-params.outputs.params }}" - kind-image: ${{ env.KIND_K8S_IMAGE }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Install Cilium - shell: bash - run: | - kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]' - - if [[ "${{ matrix.key-one }}" == "gcm(aes)" ]]; then - key="rfc4106(gcm(aes)) $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64) 128" - elif [[ "${{ matrix.key-one }}" == "cbc(aes)" ]]; then - key="hmac(sha256) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64) cbc(aes) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64)" - else - echo "Invalid key type"; exit 1 - fi - kubectl create -n kube-system secret generic cilium-ipsec-keys \ - --from-literal=keys="3${{ matrix.key-type-one }} ${key}" - - cilium install ${{ steps.cilium-config.outputs.config }} - kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-server --timeout=300s - kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-agent --timeout=300s - - cilium status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium-dbg status - - - name: Prepare the bpftrace parameters - id: bpftrace-params - run: | - 
CILIUM_INTERNAL_IPS=$(kubectl get ciliumnode -o jsonpath='{.items[*].spec.addresses[?(@.type=="CiliumInternalIP")].ip}') - if [[ "${{ matrix.ipv6 }}" == "false" ]]; then - CILIUM_INTERNAL_IPS="${CILIUM_INTERNAL_IPS// / ::1 } ::1" - fi - - echo "params=$CILIUM_INTERNAL_IPS" >> $GITHUB_OUTPUT - - - name: Start unencrypted packets check - uses: ./.github/actions/bpftrace/start - with: - script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt - args: ${{ steps.bpftrace-params.outputs.params }} "true" - - - name: Run tests (${{ join(matrix.*, ', ') }}) - shell: bash - run: | - mkdir -p cilium-junits - - cilium connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \ - --flush-ct - - - name: Assert that no unencrypted packets are leaked - uses: ./.github/actions/bpftrace/check - - - name: Start unencrypted packets check for key rotation - uses: ./.github/actions/bpftrace/start - with: - script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt - # As we are not testing with proxy connections during key rotation, - # disable the check for proxy traffic. 
- args: ${{ steps.bpftrace-params.outputs.params }} "false" - - - name: Setup conn-disrupt-test before rotating (${{ join(matrix.*, ', ') }}) - uses: ./.github/actions/conn-disrupt-test-setup - - - name: Rotate IPsec Key (${{ join(matrix.*, ', ') }}) - uses: ./.github/actions/ipsec-key-rotate - with: - key-algo: ${{ matrix.key-two }} - key-type-one: ${{ matrix.key-type-one }} - key-type-two: ${{ matrix.key-type-two }} - encryption-overlay: ${{ matrix.encryption-overlay }} - - - name: Assert that no unencrypted packets are leaked during key rotation - uses: ./.github/actions/bpftrace/check - - - name: Check conn-disrupt-test after rotating (${{ join(matrix.*, ', ') }}) - uses: ./.github/actions/conn-disrupt-test-check - - - name: Start unencrypted packets check for tests - uses: ./.github/actions/bpftrace/start - with: - script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt - args: ${{ steps.bpftrace-params.outputs.params }} "true" - - - name: Run tests (${{ join(matrix.*, ', ') }}) - shell: bash - run: | - mkdir -p cilium-junits - - TEST="" - if [ "${{ matrix.key-one }}" = "gcm(aes)" ] && [ "${{ matrix.key-two }}" = "cbc(aes)" ]; then - # Until https://github.com/cilium/cilium/issues/29480 is resolved - TEST='--test "!pod-to-pod-no-frag"' - fi - - cilium connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \ - --flush-ct $TEST - - - name: Assert that no unencrypted packets are leaked during tests - uses: ./.github/actions/bpftrace/check - - - name: Fetch artifacts - if: ${{ !success() }} - shell: bash - run: | - kubectl get pods --all-namespaces -o wide - cilium status - mkdir -p cilium-sysdumps - cilium sysdump --output-filename 
cilium-sysdump-${{ matrix.name }}-final - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps-${{ matrix.name }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits-${{ matrix.name }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/conformance-k8s-kind-network-policies.yaml b/.github/workflows/conformance-k8s-kind-network-policies.yaml deleted file mode 100644 index c86fb86050504..0000000000000 --- a/.github/workflows/conformance-k8s-kind-network-policies.yaml +++ /dev/null 
@@ -1,244 +0,0 @@ -name: Conformance K8s Upstream Network - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - paths-ignore: - - 'Documentation/**' - - 'test/**' - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - - 'test/**' - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -env: - cluster_name: cilium-testing - -jobs: - kubernetes-e2e-net-conformance: - name: Installation and Conformance Test - runs-on: ubuntu-latest - timeout-minutes: 45 - strategy: - fail-fast: false - matrix: - # TODO add "dual" and "ipv6", "ipv6" fails to install cilium - ipFamily: ["ipv4"] - env: - IP_FAMILY: ${{ matrix.ipFamily }} - - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout target branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.base_ref || github.ref }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Enable ipv4 and ipv6 forwarding - run: | - sudo sysctl -w net.ipv6.conf.all.forwarding=1 - sudo sysctl -w net.ipv4.ip_forward=1 - - - name: Set up environment (download Kubernetes dependencies) - run: | - TMP_DIR=$(mktemp -d) - # Test binaries - curl -L https://dl.k8s.io/${{ env.KIND_K8S_VERSION }}/kubernetes-test-linux-amd64.tar.gz -o ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz - tar xvzf ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz \ - --directory ${TMP_DIR} \ - --strip-components=3 kubernetes/test/bin/ginkgo kubernetes/test/bin/e2e.test - # kubectl - curl -L https://dl.k8s.io/${{ env.KIND_K8S_VERSION }}/bin/linux/amd64/kubectl -o ${TMP_DIR}/kubectl - # kind - curl -Lo ${TMP_DIR}/kind 
https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64
- # Install
- sudo cp ${TMP_DIR}/ginkgo /usr/local/bin/ginkgo
- sudo cp ${TMP_DIR}/e2e.test /usr/local/bin/e2e.test
- sudo cp ${TMP_DIR}/kubectl /usr/local/bin/kubectl
- sudo cp ${TMP_DIR}/kind /usr/local/bin/kind
- sudo chmod +x /usr/local/bin/*
- sudo rm -rf ${TMP_DIR}
-
- - name: Create multi node cluster
- run: |
- cat <> $GITHUB_OUTPUT
- echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
-
- - name: Install Cilium CLI
- uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17
- with:
- skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }}
- image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }}
- image-tag: ${{ steps.vars.outputs.sha }}
-
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ steps.vars.outputs.sha }}
- persist-credentials: false
-
- - name: Wait for images to be available
- timeout-minutes: 30
- shell: bash
- run: |
- for image in cilium-ci operator-generic-ci hubble-relay-ci ; do
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
- done
-
- - name: Install Cilium
- id: install-cilium
- run: |
- cilium install --wait ${{ steps.vars.outputs.cilium_install_defaults }}
-
- - name: Run Kubernetes sig-network conformance test
- run: |
- # output_dir
- mkdir -p _artifacts
-
- # get kubeconfig to pass to the e2e binary
- kind get kubeconfig --name ${{ env.cluster_name }} > _artifacts/kubeconfig.conf
-
- # Kubernetes e2e tests use ginkgo and tags to select the tests that should run based on two regex, focus and skip:
- # Focus tests:
- # \[Conformance\]|\[sig-network\]: Conformance tests are defined by the project to guarantee a consistent behaviour and some mandatory features on all clusters
- # sig-network tests are defined by sig-networkto guarantee a consistent behaviour on all the the k8s network implementations
- # Skipped tests:
- # Disruptive|Serial : require to run in serial and perform disruptive operations on clusters (reboots, ...)
- # Federation|PerformanceDNS : unrelated sig-network tests
- # Feature : skip features that are not GA, however, some of them should be enabled, per example [Feature:ProxyTerminatingEndpoints]
- # DualStack : only with dualstack clusters
- # KubeProxy|kube-proxy : kube-proxy specifics
- # LoadBalancer|GCE|ExternalIP : require a cloud provider, some of them are GCE specifics
- # Aggregator : Flaky, https://github.com/cilium/cilium/issues/24622.
- # same.port.number.but.different.protocols|HostPort|should.serve.endpoints.on.same.port.and.different.protocols : #9207
- # rejected : Kubernetes expect Services without endpoints associated to REJECT the connection to notify the client, Cilium silently drops the packet
- # externalTrafficPolicy : needs investigation
-
- # Run tests
- export KUBERNETES_CONFORMANCE_TEST='y'
- export E2E_REPORT_DIR=${PWD}/_artifacts
- /usr/local/bin/ginkgo --nodes=5 \
- --focus="(HostPort.*\[Conformance\].*|Services.*\[Conformance\].*|Net.*ol.*)" \
- --skip="(Legacy|HostPort.validates.that.there.is.no.conflict.between.pods.with.same.hostPort.but.different.hostIP.and.protocol|should.allow.egress.access.to.server.in.CIDR.block|should.enforce.except.clause.while.egress.access.to.server.in.CIDR.block|should.ensure.an.IP.overlapping.both.IPBlock.CIDR.and.IPBlock.Except.is.allowed|Feature:SCTPConnectivity|should.serve.endpoints.on.same.port.and.different.protocols)" \
- /usr/local/bin/e2e.test \
- -- \
- --kubeconfig=${PWD}/_artifacts/kubeconfig.conf \
- --provider=local \
- --dump-logs-on-failure=true \
- --report-dir=${E2E_REPORT_DIR} \
- --disable-log-dump=true
-
- - name: Post-test information gathering
- if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
- run: |
- kubectl get pods --all-namespaces -o wide
- cilium status
- cilium sysdump --output-filename cilium-sysdump-final
- /usr/local/bin/kind export logs --name ${{ env.cluster_name }} --loglevel=debug ./_artifacts/logs
- shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
-
- - name: Upload artifacts
- if: ${{ !success() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-sysdumps
- path: cilium-sysdump-*.zip
- retention-days: 5
-
- - name: Upload cluster logs
- if: ${{ !success() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: kind-logs
- path: ./_artifacts/logs
- retention-days: 5
-
- - name: Upload Kubernetes e2e Junit Reports
- if: ${{ success() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
- with:
- name: kubernetes-e2e-junit
- path: './_artifacts/*.xml'
-
- - name: Publish Test Results As GitHub Summary
- if: ${{ always() }}
- uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
- with:
- junit-directory: "_artifacts"
diff --git a/.github/workflows/conformance-k8s-kind.yaml b/.github/workflows/conformance-k8s-kind.yaml
deleted file mode 100644
index 973758dc2b357..0000000000000
--- a/.github/workflows/conformance-k8s-kind.yaml
+++ /dev/null
@@ -1,244 +0,0 @@
-name: Conformance K8s Kind
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- pull_request:
- paths-ignore:
- - 'Documentation/**'
- - 'test/**'
- push:
- branches:
- - main
- - ft/main/**
- paths-ignore:
- - 'Documentation/**'
- - 'test/**'
-
-permissions: read-all
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
- cancel-in-progress: true
-
-env:
- cluster_name: cilium-testing
- cilium_cli_ci_version:
-
-jobs:
- kubernetes-e2e:
- name: Installation and Conformance Test
- runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER || 'ubuntu-latest' }}
- timeout-minutes: 45
- strategy:
- fail-fast: false
- matrix:
- # TODO add "dual" and "ipv6", "ipv6" fails to install cilium
- ipFamily: ["ipv4"]
- env:
- IP_FAMILY: ${{ matrix.ipFamily }}
-
- steps:
- - name: Collect Workflow Telemetry
- uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0
- with:
- comment_on_pr: false
-
- - name: Checkout target branch to access local actions
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ github.base_ref || github.ref }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Enable ipv4 and ipv6 forwarding
- run: |
- sudo sysctl -w net.ipv6.conf.all.forwarding=1
- sudo sysctl -w net.ipv4.ip_forward=1
-
- - name: Set up environment (download Kubernetes dependencies)
- run: |
- TMP_DIR=$(mktemp -d)
- # Test binaries
- curl -L https://dl.k8s.io/${{ env.KIND_K8S_VERSION }}/kubernetes-test-linux-amd64.tar.gz -o ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz
- tar xvzf ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz \
- --directory ${TMP_DIR} \
- --strip-components=3 kubernetes/test/bin/ginkgo kubernetes/test/bin/e2e.test
- # kubectl
- curl -L https://dl.k8s.io/${{ env.KIND_K8S_VERSION }}/bin/linux/amd64/kubectl -o ${TMP_DIR}/kubectl
- # kind
- curl -Lo ${TMP_DIR}/kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64
- # Install
- sudo cp ${TMP_DIR}/ginkgo /usr/local/bin/ginkgo
- sudo cp ${TMP_DIR}/e2e.test /usr/local/bin/e2e.test
- sudo cp ${TMP_DIR}/kubectl /usr/local/bin/kubectl
- sudo cp ${TMP_DIR}/kind /usr/local/bin/kind
- sudo chmod +x /usr/local/bin/*
- sudo rm -rf ${TMP_DIR}
-
- - name: Create multi node cluster
- run: |
- cat <> $GITHUB_OUTPUT
- echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
-
- - name: Install Cilium CLI
- uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17
- with:
- skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }}
- image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }}
- image-tag: ${{ steps.vars.outputs.sha }}
-
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ steps.vars.outputs.sha }}
- persist-credentials: false
-
- - name: Wait for images to be available
- timeout-minutes: 30
- shell: bash
- run: |
- for image in cilium-ci operator-generic-ci hubble-relay-ci ; do
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
- done
-
- - name: Install Cilium
- id: install-cilium
- run: |
- cilium install --wait ${{ steps.vars.outputs.cilium_install_defaults }}
-
- - name: Run Kubernetes sig-network conformance test
- run: |
- # output_dir
- mkdir -p _artifacts
-
- # get kubeconfig to pass to the e2e binary
- kind get kubeconfig --name ${{ env.cluster_name }} > _artifacts/kubeconfig.conf
-
- # Kubernetes e2e tests use ginkgo and tags to select the tests that should run based on two regex, focus and skip:
- # Focus tests:
- # \[Conformance\]|\[sig-network\]: Conformance tests are defined by the project to guarantee a consistent behaviour and some mandatory features on all clusters
- # sig-network tests are defined by sig-networkto guarantee a consistent behaviour on all the the k8s network implementations
- # Skipped tests:
- # Disruptive|Serial : require to run in serial and perform disruptive operations on clusters (reboots, ...)
- # Federation|PerformanceDNS : unrelated sig-network tests
- # Feature : skip features that are not GA, however, some of them should be enabled, per example [Feature:ProxyTerminatingEndpoints]
- # DualStack : only with dualstack clusters
- # KubeProxy|kube-proxy : kube-proxy specifics
- # LoadBalancer|GCE|ExternalIP : require a cloud provider, some of them are GCE specifics
- # Netpol|NetworkPolicy : network policies, demand significant resources and use to be slow, better to run in a different job
- # Aggregator : Flaky, https://github.com/cilium/cilium/issues/24622.
- # rejected : Kubernetes expect Services without endpoints associated to REJECT the connection to notify the client, Cilium silently drops the packet
- # externalTrafficPolicy : needs investigation
-
- # Run tests
- export KUBERNETES_CONFORMANCE_TEST='y'
- export E2E_REPORT_DIR=${PWD}/_artifacts
- /usr/local/bin/ginkgo --nodes=25 \
- --focus="\[Conformance\]|\[sig-network\]" \
- --skip="Feature|Federation|PerformanceDNS|DualStack|Disruptive|Serial|KubeProxy|kube-proxy|ExternalIP|LoadBalancer|GCE|Netpol|NetworkPolicy|Aggregator|rejected|externalTrafficPolicy" \
- /usr/local/bin/e2e.test \
- -- \
- --kubeconfig=${PWD}/_artifacts/kubeconfig.conf \
- --provider=local \
- --dump-logs-on-failure=true \
- --report-dir=${E2E_REPORT_DIR} \
- --disable-log-dump=true
-
- - name: Post-test information gathering
- if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
- run: |
- kubectl get pods --all-namespaces -o wide
- cilium status
- cilium sysdump --output-filename cilium-sysdump-final
- /usr/local/bin/kind export logs --name ${{ env.cluster_name }} --loglevel=debug ./_artifacts/logs
- shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
-
- - name: Upload artifacts
- if: ${{ !success() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-sysdumps
- path: cilium-sysdump-*.zip
- retention-days: 5
-
- - name: Upload cluster logs
- if: ${{ !success() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: kind-logs
- path: ./_artifacts/logs
- retention-days: 5
-
- - name: Upload Kubernetes e2e Junit Reports [junit]
- if: ${{ success() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
- with:
- name: kubernetes-e2e-junit
- path: './_artifacts/*.xml'
-
- - name: Publish Test Results As GitHub Summary
- if: ${{ always() }}
- uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
- with:
- junit-directory: "_artifacts"
diff --git a/.github/workflows/conformance-k8s-network-policies.yaml b/.github/workflows/conformance-k8s-network-policies.yaml
deleted file mode 100644
index 263c82f0ea263..0000000000000
--- a/.github/workflows/conformance-k8s-network-policies.yaml
+++ /dev/null
@@ -1,156 +0,0 @@
-name: Cyclonus Network Policy Test
-
-on:
- push:
- branches:
- - main
- - ft/main/**
- paths-ignore:
- - 'Documentation/**'
-
-permissions: read-all
-
-env:
- cilium_cli_ci_version:
- KIND_CONFIG: .github/kind-config.yaml
- CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check.yaml
- TIMEOUT: 2m
- LOG_TIME: 30m
-
-jobs:
- preflight-clusterrole:
- name: Preflight Clusterrole Check
- runs-on: ubuntu-latest
- steps:
- - name: Checout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
- - name: Check pre-flight clusterrole
- run: |
- cd install/kubernetes/cilium/templates
- echo "Checking for differences between preflight and agent clusterrole"
- diff \
- -I '^[ ]\{2\}name: cilium.*' \
- -I '^Keep file in sync with.*' \
- -I '^ {{- with .Values.annotations }}$' \
- -I '^ {{- with .Values.preflight.annotations }}$' \
- -I '{{- if.*' \
- cilium-agent/clusterrole.yaml \
- cilium-preflight/clusterrole.yaml
-
- cyclonus-test:
- name: Cyclonus Test
- runs-on: ubuntu-latest
- steps:
- - name: Collect Workflow Telemetry
- uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0
- with:
- comment_on_pr: false
-
- - name: Checkout target branch to access local actions
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ github.base_ref || github.ref }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
-
- - name: Precheck generated connectivity manifest files
- run: |
- make -C examples/kubernetes/connectivity-check fmt
- make -C examples/kubernetes/connectivity-check all
- test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1)
-
- - name: Set image tag
- id: vars
- run: |
- if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then
- echo tag=${{ github.event.pull_request.head.sha }} >> $GITHUB_OUTPUT
- else
- echo tag=${{ github.sha }} >> $GITHUB_OUTPUT
- fi
-
- - name: Wait for images to be available
- timeout-minutes: 30
- shell: bash
- run: |
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.tag }} &> /dev/null; do sleep 45s; done
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator-generic-ci:${{ steps.vars.outputs.tag }} &> /dev/null; do sleep 45s; done
-
- - name: Create kind cluster
- uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
- with:
- version: ${{ env.KIND_VERSION }}
- node_image: ${{ env.KIND_K8S_IMAGE }}
- kubectl_version: ${{ env.KIND_K8S_VERSION }}
- config: ${{ env.KIND_CONFIG }}
- wait: 0 # The control-plane never becomes ready, since no CNI is present
-
- - name: Install cilium chart
- id: install-cilium
- run: |
- helm install cilium ./install/kubernetes/cilium \
- --wait \
- --namespace kube-system \
- --set nodeinit.enabled=true \
- --set kubeProxyReplacement=false \
- --set socketLB.enabled=false \
- --set externalIPs.enabled=true \
- --set nodePort.enabled=true \
- --set hostPort.enabled=true \
- --set bpf.masquerade=false \
- --set ipam.mode=kubernetes \
- --set image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \
- --set image.tag=${{ steps.vars.outputs.tag }} \
- --set image.pullPolicy=IfNotPresent \
- --set image.useDigest=false \
- --set operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \
- --set operator.image.suffix=-ci \
- --set operator.image.tag=${{ steps.vars.outputs.tag }} \
- --set operator.image.pullPolicy=IfNotPresent \
- --set operator.image.useDigest=false \
- --set prometheus.enabled=true \
- --set operator.prometheus.enabled=true \
- --set hubble.enabled=true \
- --set hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}"
-
- kubectl wait -n kube-system --for=condition=Ready -l app.kubernetes.io/part-of=cilium pod --timeout=5m
- kubectl rollout -n kube-system status deploy/coredns --timeout=5m
-
- # To make sure that cilium CRD is available (default timeout is 5m)
- # https://github.com/cilium/cilium/blob/main/operator/crd.go#L34
- kubectl wait --for condition=Established crd/ciliumnetworkpolicies.cilium.io --timeout=5m
-
- - name: Run cyclonus network policy test
- working-directory: test/k8s/manifests/netpol-cyclonus
- run: ./test-cyclonus.sh
-
- - name: Install Cilium CLI
- if: ${{ failure() }}
- uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17
- with:
- skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }}
- image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }}
- image-tag: ${{ steps.vars.outputs.tag }}
-
- - name: Report cluster failure status and capture cilium-sysdump
- if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }}
- run: |
- echo "=== Retrieve cluster state ==="
- kubectl get pods --all-namespaces -o wide
- cilium status
- cilium sysdump --output-filename cilium-sysdump-out
-
- - name: Upload cilium-sysdump
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- if: ${{ failure() }}
- with:
- name: cilium-sysdump-out.zip
- path: cilium-sysdump-out.zip
diff --git a/.github/workflows/conformance-kind-proxy-embedded.yaml b/.github/workflows/conformance-kind-proxy-embedded.yaml
deleted file mode 100644
index 13d167d0135db..0000000000000
--- a/.github/workflows/conformance-kind-proxy-embedded.yaml
+++ /dev/null
@@ -1,150 +0,0 @@
-name: Conformance Kind Envoy Embedded
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- pull_request:
- paths-ignore:
- - 'Documentation/**'
- - 'test/**'
- push:
- branches:
- - main
- - ft/main/**
- paths-ignore:
- - 'Documentation/**'
- - 'test/**'
-
-permissions: read-all
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
- cancel-in-progress: true
-
-env:
- kind_config: .github/kind-config.yaml
- cilium_cli_ci_version:
-
-jobs:
- installation-and-connectivity:
- name: "Installation and Connectivity Test"
- runs-on: ubuntu-latest
- timeout-minutes: 45
- env:
- job_name: "Installation and Connectivity Test"
- steps:
- - name: Collect Workflow Telemetry
- uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0
- with:
- comment_on_pr: false
-
- - name: Checkout target branch to access local actions
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ github.base_ref || github.ref }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Get Cilium's default values
- id: default_vars
- uses: ./.github/actions/helm-default
- with:
- image-tag: ${{ github.event.pull_request.head.sha }}
-
- - name: Set up job variables
- id: vars
- run: |
- # Note: On Kind, we install Cilium with HostPort (portmap CNI chaining) enabled,
- # to ensure coverage of that feature in cilium connectivity test
- CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
- --helm-set=hubble.relay.enabled=true
- --helm-set=cni.chainingMode=portmap \
- --helm-set-string=kubeProxyReplacement=true \
- --helm-set=loadBalancer.l7.backend=envoy \
- --helm-set=tls.secretsBackend=k8s \
- --helm-set=envoy.enabled=false \
- --wait=false"
- CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --test-concurrency=5 --hubble=false --collect-sysdump-on-failure"
- echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT
- echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT
- echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
-
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ steps.vars.outputs.sha }}
- persist-credentials: false
-
- - name: Create kind cluster
- uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
- with:
- version: ${{ env.KIND_VERSION }}
- node_image: ${{ env.KIND_K8S_IMAGE }}
- kubectl_version: ${{ env.KIND_K8S_VERSION }}
- config: ${{ env.kind_config }}
- wait: 0 # The control-plane never becomes ready, since no CNI is present
-
- - name: Install Cilium CLI
- uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17
- with:
- skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }}
- image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }}
- image-tag: ${{ steps.vars.outputs.sha }}
-
- - name: Wait for images to be available
- timeout-minutes: 30
- shell: bash
- run: |
- for image in cilium-ci operator-generic-ci hubble-relay-ci ; do
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
- done
-
- - name: Install Cilium
- id: install-cilium
- run: |
- cilium install ${{ steps.vars.outputs.cilium_install_defaults }}
-
- - name: Wait for Cilium status to be ready
- run: |
- cilium status --wait
- kubectl -n kube-system get pods
-
- - name: Make JUnit report directory
- run: |
- mkdir -p cilium-junits
-
- - name: Run connectivity test
- run: |
- cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \
- --junit-file "cilium-junits/${{ env.job_name }}.xml" --junit-property github_job_step="Run connectivity test"
-
- - name: Post-test information gathering
- if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
- run: |
- kubectl get pods --all-namespaces -o wide
- cilium status
- cilium sysdump --output-filename cilium-sysdump-final
- shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
-
- - name: Upload artifacts
- if: ${{ !success() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-sysdumps
- path: cilium-sysdump-*.zip
- retention-days: 5
-
- - name: Upload JUnits [junit]
- if: ${{ always() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-junits
- path: cilium-junits/*.xml
- retention-days: 5
-
- - name: Publish Test Results As GitHub Summary
- if: ${{ always() }}
- uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
- with:
- junit-directory: "cilium-junits"
diff --git a/.github/workflows/conformance-multi-pool.yaml b/.github/workflows/conformance-multi-pool.yaml
deleted file mode 100644
index 2167c2a862847..0000000000000
--- a/.github/workflows/conformance-multi-pool.yaml
+++ /dev/null
@@ -1,291 +0,0 @@
-name: Conformance Multi Pool IPAM (ci-multi-pool)
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- workflow_dispatch:
- inputs:
- PR-number:
- description: "Pull request number."
- required: true
- context-ref:
- description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
- required: true
- SHA:
- description: "SHA under test (head of the PR branch)."
- required: true
- extra-args:
- description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
- required: false
- default: '{}'
-
- push:
- branches:
- - main
- - ft/main/**
- - 'renovate/main-**'
- paths-ignore:
- - 'Documentation/**'
-
-# By specifying the access of one of the scopes, all of those that are not
-# specified are set to 'none'.
-permissions:
- # To read actions state with catchpoint/workflow-telemetry-action
- actions: read
- # To be able to access the repository with actions/checkout
- contents: read
- # To allow retrieving information from the PR API
- pull-requests: read
- # To be able to set commit status
- statuses: write
-
-concurrency:
- # Structure:
- # - Workflow name
- # - Event type
- # - A unique identifier depending on event type:
- # - push: SHA
- # - workflow_dispatch: PR number
- #
- # This structure ensures a unique concurrency group name is generated for each
- # type of testing, such that re-runs will cancel the previous run.
- group: |
- ${{ github.workflow }}
- ${{ github.event_name }}
- ${{
- (github.event_name == 'push' && github.sha) ||
- (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
- }}
- cancel-in-progress: true
-
-env:
- cilium_cli_ci_version:
- kind_config: .github/kind-config.yaml
- timeout: 5m
-
-jobs:
- echo-inputs:
- if: ${{ github.event_name == 'workflow_dispatch' }}
- name: Echo Workflow Dispatch Inputs
- runs-on: ubuntu-22.04
- steps:
- - name: Echo Workflow Dispatch Inputs
- run: |
- echo '${{ tojson(inputs) }}'
-
- commit-status-start:
- name: Commit Status Start
- runs-on: ubuntu-latest
- steps:
- - name: Set initial commit status
- uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
- with:
- sha: ${{ inputs.SHA || github.sha }}
-
- multi-pool-ipam-conformance-test:
- name: Install and Connectivity Test
- runs-on: ubuntu-latest
- timeout-minutes: 120
- steps:
- - name: Collect Workflow Telemetry
- uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0
- with:
- comment_on_pr: false
-
- - name: Checkout context ref (trusted)
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ inputs.context-ref || github.sha }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Get Cilium's default values
- id: default_vars
- uses: ./.github/actions/helm-default
- with:
- image-tag: ${{ inputs.SHA }}
- chart-dir: ./untrusted/install/kubernetes/cilium
-
- - name: Set up job variables
- id: vars
- run: |
- if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
- CONTEXT_REF="${{ inputs.context-ref }}"
- OWNER="${{ inputs.PR-number }}"
- else
- CONTEXT_REF="${{ github.sha }}"
- OWNER="${{ github.ref_name }}"
- OWNER="${OWNER//[.\/]/-}"
- fi
-
- echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
- echo context-ref=${CONTEXT_REF} >> $GITHUB_OUTPUT
- echo owner=${OWNER} >> $GITHUB_OUTPUT
-
- # Notes:
- # - Multi-pool IPAM only supports direct routing, thus we disable
- # tunnel mode and enable auto-direct-routes.
- # - Multi-pool IPAM only supports endpoint routes, thus we disable
- # the local-node-route.
- # - helm/kind-action does not support BPF host routing, so we fall
- # back on legacy host routing
- # (https://github.com/cilium/cilium/issues/23283#issuecomment-1597282247)
- # - iptables-based masquerading does not support multiple non-masquerade
- # CIDRs. Thus, we enable BPF masquerading where we can add multiple
- # non-masquerade CIDRs.
- CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
- --helm-set=hubble.relay.enabled=true \
- --helm-set=autoDirectNodeRoutes=true \
- --helm-set=routingMode=native \
- --helm-set=endpointRoutes.enabled=true \
- --helm-set=kubeProxyReplacement=true \
- --helm-set=bpf.masquerade=true \
- --helm-set=bpf.hostLegacyRouting=true\
- --helm-set=ipMasqAgent.enabled=true \
- --helm-set=ipMasqAgent.config.nonMasqueradeCIDRs='{10.0.0.0/8,192.168.0.0/16}' \
- --helm-set=ipam.mode=multi-pool \
- --helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.cidrs='{10.10.0.0/16}' \
- --helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.maskSize=24 \
- --helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.cidrs='{10.20.0.0/16}' \
- --helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.maskSize=24 \
- --helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.cidrs='{192.168.0.0/20}' \
- --helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.maskSize=27 \
- --helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.cidrs='{192.168.16.0/20}' \
- --helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.maskSize=27"
-
- CONNECTIVITY_TEST_DEFAULTS="--test-concurrency=5 \
- --flow-validation=disabled --hubble=false --collect-sysdump-on-failure \
- --external-target bing.com. --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8 \
- --namespace-annotations='{\"ipam.cilium.io/ip-pool\":\"cilium-test-pool\"}' \
- --deployment-pod-annotations='{ \
- \"client\":{\"ipam.cilium.io/ip-pool\":\"client-pool\"}, \
- \"echo-other-node\":{\"ipam.cilium.io/ip-pool\":\"echo-other-node-pool\"} \
- }'"
-
- echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT
- echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT
-
- # Warning: since this is a privileged workflow, subsequent workflow job
- # steps must take care not to execute untrusted code.
- - name: Checkout pull request branch (NOT TRUSTED)
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ steps.vars.outputs.sha }}
- persist-credentials: false
- path: untrusted
- sparse-checkout: |
- install/kubernetes/cilium
-
- - name: Create kind cluster
- uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
- with:
- version: ${{ env.KIND_VERSION }}
- node_image: ${{ env.KIND_K8S_IMAGE }}
- kubectl_version: ${{ env.KIND_K8S_VERSION }}
- config: ${{ env.kind_config }}
- wait: 0 # The control-plane never becomes ready, since no CNI is present
-
- - name: Install Cilium CLI
- uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17
- with:
- skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }}
- image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }}
- image-tag: ${{ steps.vars.outputs.sha }}
-
- - name: Wait for images to be available
- timeout-minutes: 30
- shell: bash
- run: |
- for image in cilium-ci operator-generic-ci hubble-relay-ci; do
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
- done
-
- - name: Install Cilium
- id: install-cilium
- run: |
- cilium install ${{ steps.vars.outputs.cilium_install_defaults }}
-
- - name: Wait for Cilium status to be ready
- run: |
- cilium status --wait
- kubectl -n kube-system get pods
-
- - name: Make JUnit report directory
- run: |
- mkdir -p cilium-junits
-
- - name: Run connectivity test
- run: |
- cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \
- --junit-file "cilium-junits/${{ env.job_name }} - 1.xml" --junit-property github_job_step="Run connectivity test"
-
- - name: Collect Pod and Pool IPs
- id: ips
- run: |
- for pod in client client2 echo-same-node echo-other-node; do
- kubectl get pod -A -l "name=${pod}" -o jsonpath="${pod}={.items[*].status.podIP}{'\n'}" >> "$GITHUB_OUTPUT"
- done
-
- for pool in cilium-test-pool client-pool echo-other-node-pool; do
- kubectl get ciliumpodippool "${pool}" -o "jsonpath=${pool}={.spec.ipv4.cidrs[0]}{'\n'}" >> "$GITHUB_OUTPUT"
- done
-
- - name: Validate Pod IPs
- shell: python
- run: |
- from ipaddress import ip_address, ip_network
-
- for ip in "${{ steps.ips.outputs.client }}".split():
- assert ip_address(ip) in ip_network("${{ steps.ips.outputs.client-pool }}"), "client pool mismatch"
-
- for ip in "${{ steps.ips.outputs.client2 }}".split():
- assert ip_address(ip) in ip_network("${{ steps.ips.outputs.cilium-test-pool }}"), "client2 pool mismatch"
-
- for ip in "${{ steps.ips.outputs.echo-same-node }}".split():
- assert ip_address(ip) in ip_network("${{ steps.ips.outputs.cilium-test-pool }}"), "echo-same-node pool mismatch"
-
- for ip in "${{ steps.ips.outputs.echo-other-node }}".split():
- assert ip_address(ip) in ip_network("${{ steps.ips.outputs.echo-other-node-pool }}"), "echo-other-node pool mismatch"
-
- - name: Post-test information gathering
- if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
- run: |
- kubectl get pods --all-namespaces -o wide
- cilium status
- cilium sysdump --output-filename cilium-sysdump-out
- shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
-
- - name: Upload artifacts
- if: ${{ !success() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-sysdump-out.zip
- path: cilium-sysdump-*.zip
- retention-days: 5
-
- - name: Upload JUnits [junit]
- if: ${{ always() }}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: cilium-junits
- path: cilium-junits/*.xml
- retention-days: 5
-
- - name: Publish Test Results As GitHub Summary
- if: ${{ always() }}
- uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
- with:
- junit-directory: "cilium-junits"
-
- commit-status-final:
- if: ${{ always() }}
- name: Commit Status Final
- needs: multi-pool-ipam-conformance-test
- runs-on: ubuntu-latest
- steps:
- - name: Set final commit status
- uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ needs.multi-pool-ipam-conformance-test.result }}
diff --git a/.github/workflows/conformance-runtime.yaml b/.github/workflows/conformance-runtime.yaml
deleted file mode 100644
index 14e56ab623bf8..0000000000000
--- a/.github/workflows/conformance-runtime.yaml
+++ /dev/null
@@ -1,486 +0,0 @@ -name: Conformance Runtime (ci-runtime) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - main - - ft/main/** - - 'renovate/main-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - # Pre-build the ginkgo binary so that we don't have to build it for all - # runners. - build-ginkgo-binary: - runs-on: ubuntu-latest - name: Build Ginkgo Runtime - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - echo "sha=${SHA}" >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - # If any of these steps are modified, please update the copy of these - # steps further down under the 'setup-and-test' jobs. 
- - # Load Ginkgo build from GitHub - - name: Load ginkgo runtime from GH cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-runtime-${{ hashFiles('**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Waiting for images - timeout-minutes: 20 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - setup-and-test: - needs: build-ginkgo-binary - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - name: "Runtime Test (${{matrix.focus}})" - env: - # GitHub doesn't provide a way to retrieve the name of a job, so we have - # to repeated it here. 
- job_name: "Runtime Test (${{matrix.focus}})" - strategy: - fail-fast: false - max-parallel: 3 - matrix: - focus: - - "agent" - - "datapath" - - "privileged" - - include: - ### - # RuntimeAgentChaos Cilium agent Checking for file-descriptor leak - # RuntimeAgentChaos Cilium agent removing leftover Cilium interfaces - # RuntimeAgentFQDNPolicies Can update L7 DNS policy rules - # RuntimeAgentFQDNPolicies CNAME follow - # RuntimeAgentFQDNPolicies DNS proxy policy works if Cilium stops - # RuntimeAgentFQDNPolicies Enforces L3 policy even when no IPs are inserted - # RuntimeAgentFQDNPolicies Enforces ToFQDNs policy - # RuntimeAgentFQDNPolicies Implements matchPattern: * - # RuntimeAgentFQDNPolicies Interaction with other ToCIDR rules - # RuntimeAgentFQDNPolicies Roundrobin DNS - # RuntimeAgentFQDNPolicies toFQDNs populates toCIDRSet (data from proxy) L3-dependent L7/HTTP with toFQDN updates proxy policy - # RuntimeAgentFQDNPolicies toFQDNs populates toCIDRSet (data from proxy) Policy addition after DNS lookup - # RuntimeAgentFQDNPolicies Validate dns-proxy monitor information - # RuntimeAgentFQDNPolicies With verbose policy logs Validates DNSSEC responses - # RuntimeAgentKVStoreTest KVStore tests Etcd KVStore - # RuntimeAgentPolicies Init Policy Default Drop Test tests egress - # RuntimeAgentPolicies Init Policy Default Drop Test tests ingress - # RuntimeAgentPolicies Init Policy Default Drop Test With PolicyAuditMode tests egress - # RuntimeAgentPolicies Init Policy Default Drop Test With PolicyAuditMode tests ingress - # RuntimeAgentPolicies Init Policy Test Init Egress Policy Test - # RuntimeAgentPolicies Init Policy Test Init Ingress Policy Test - # RuntimeAgentPolicies TestsEgressToHost Tests Egress To Host - # RuntimeAgentPolicies TestsEgressToHost Tests egress with CIDR+L4 policy - # RuntimeAgentPolicies TestsEgressToHost Tests egress with CIDR+L4 policy to external https service - # RuntimeAgentPolicies TestsEgressToHost Tests egress with CIDR+L7 policy - # 
RuntimeAgentPolicies Tests Endpoint Connectivity Functions After Daemon Configuration Is Updated - # RuntimeAgentPolicies Tests EntityNone as a deny-all - # RuntimeSSHTests Should fail when context times out - - focus: "agent" - cliFocus: "RuntimeAgent|RuntimeSSHTests" - - ### - # RuntimeDatapathConntrackInVethModeTest Conntrack-related configuration options for endpoints - # RuntimeDatapathMonitorTest With Sample Containers checks container ids match monitor output - # RuntimeDatapathMonitorTest With Sample Containers cilium-dbg monitor check --from - # RuntimeDatapathMonitorTest With Sample Containers cilium-dbg monitor check --related-to - # RuntimeDatapathMonitorTest With Sample Containers cilium-dbg monitor check --to - # RuntimeDatapathMonitorTest With Sample Containers Cilium monitor event types - # RuntimeDatapathMonitorTest With Sample Containers delivers the same information to multiple monitors - - focus: "datapath" - cliFocus: "RuntimeDatapathConntrackInVethModeTest|RuntimeDatapathMonitorTest" - - timeout-minutes: 50 - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - echo "sha=${SHA}" >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Provision LVH VMs - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - test-name: runtime-tests - install-dependencies: true - # renovate: datasource=docker depName=quay.io/lvh-images/kind - image-version: "bpf-next-20240711.013133@sha256:5a2e78c14809c33d6fbae7762ec73b293aaa5e9b485226292348782bae1a3ed1" - host-mount: ./ - images-folder-parent: "/tmp" - cpu: 4 - # renovate: datasource=github-tags depName=cilium/little-vm-helper - lvh-version: "v0.0.19" - mem: 12G - - # Load Ginkgo build from GitHub - - name: Load ${{ matrix.name }} Ginkgo build from GitHub - uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-runtime-${{ hashFiles('**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Copy Ginkgo binary - shell: bash - run: | - cd test/ - tar -xf /tmp/.ginkgo-build/test.tgz - - - name: Setup 
runtime - timeout-minutes: 10 - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - mkdir -p /root/go/src/github.com/cilium/ - ln -s /host /root/go/src/github.com/cilium/cilium - mkdir -p /home/root/go/src/github.com/cilium/ - ln -s /host /home/root/go/src/github.com/cilium/cilium - cp -r /host/test/provision /tmp - git config --global --add safe.directory /host - export CILIUM_IMAGE=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.sha }} - export CILIUM_DOCKER_PLUGIN_IMAGE=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docker-plugin-ci:${{ steps.vars.outputs.sha }} - export PROVISION_EXTERNAL_WORKLOAD=false - export VMUSER=root - echo '127.0.0.1 localhost' >> /etc/hosts - echo '::1 localhost' >> /etc/hosts - /tmp/provision/runtime_install.sh ${{ env.CILIUM_RUNTIME_EXTRA_ARGS }} - service docker restart - - - name: Runtime tests - if: ${{ matrix.focus == 'agent' || matrix.focus == 'datapath' }} - timeout-minutes: 20 - shell: bash - run: | - cat > test/cilium-ssh-config.txt << EOF - Host runtime - HostName 127.0.0.1 - User root - Port 2222 - UserKnownHostsFile /dev/null - StrictHostKeyChecking no - PasswordAuthentication no - LogLevel FATAL - EOF - cd test - export INTEGRATION_TESTS=true - ./test.test \ - --ginkgo.focus="${{ matrix.cliFocus }}" \ - --ginkgo.skip="${{ matrix.cliSkip }}" \ - --ginkgo.seed=1679952881 \ - --ginkgo.v -- \ - -cilium.provision=false \ - -cilium.image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - -cilium.tag=${{ steps.vars.outputs.sha }} \ - -cilium.operator-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - -cilium.operator-tag=${{ steps.vars.outputs.sha }} \ - -cilium.hubble-relay-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - -cilium.hubble-relay-tag=${{ steps.vars.outputs.sha }} \ - -cilium.operator-suffix=-ci \ - -cilium.SSHConfig="cat ./cilium-ssh-config.txt" \ - -cilium.extra-opts="${{ 
env.CILIUM_RUNTIME_EXTRA_ARGS }}" - - - name: Runtime privileged tests - if: ${{ matrix.focus == 'privileged' }} - timeout-minutes: 40 - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host - # The LVH image might ship with an arbitrary Go toolchain version, - # install the same Go toolchain version as current HEAD. - go install golang.org/dl/go${{ env.go-version }}@latest - go${{ env.go-version }} download - # Install go-junit-report to generate junit files for the - # privileged tests. - go${{ env.go-version}} install github.com/jstemmer/go-junit-report/v2@7fde4641acef5b92f397a8baf8309d1a45d608cc - export GOTEST_FORMATTER="/root/go/bin/go-junit-report -set-exit-code -iocopy -out test/runtime.xml" - make tests-privileged NO_COLOR=1 GO=go${{ env.go-version }} - - - name: Debug failure on VM - # Only debug the failure on the LVH that have Cilium running as a service, - # which is 'agent' and 'datapath' focus. - if: ${{ !success() && (matrix.focus == 'agent' || matrix.focus == 'datapath') }} - timeout-minutes: 10 - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - journalctl --no-pager -xeu cilium.service - systemctl status cilium.service - - - name: Fetch artifacts - if: ${{ !success() && (matrix.focus == 'agent' || matrix.focus == 'datapath') }} - shell: bash - run: | - if [ -e ./test/test_results ];then - tar -zcf 'test_results-${{ matrix.focus }}.tar.gz' ./test/test_results - else - echo "::warning::test results directory is not exist!" 
- fi - - - name: Upload artifacts - if: ${{ !success() && (matrix.focus == 'agent' || matrix.focus == 'datapath') }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps-${{ matrix.focus }} - path: | - test_results-*.tar.gz - - - name: Fetch JUnits - if: ${{ always() }} - shell: bash - run: | - mkdir -p cilium-junits - cd test/ - # junit_filename needs to be the same as the Job Name presented on the - # GH web UI - In the Summary page of a workflow run, left column - # "Jobs" - so that we can map the junit file to the right job - step - # pair on datastudio. - junit_filename="${{ env.job_name }}.xml" - for filename in *.xml; do cp "$(unknown)" "../cilium-junits/${junit_filename}"; done; - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits-${{ matrix.focus }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: 
myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml deleted file mode 100644 index 2644663bccb3b..0000000000000 --- a/.github/workflows/documentation.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -name: Documentation Updates - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - merge_group: - types: [checks_requested] - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }} - cancel-in-progress: ${{ !github.event.merge_group }} - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-22.04 - outputs: - docs-tree: ${{ steps.docs-tree.outputs.src }} - steps: - - name: Checkout code - if: ${{ !github.event.pull_request }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 - - name: Check code changes - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 - id: docs-tree - with: - # For `push` events, compare against the `ref` base branch - # For `pull_request` events, this is ignored and will compare against the pull request base branch - base: ${{ github.ref }} - filters: | - src: - - .github/workflows/documentation.yaml - - 'Documentation/**' - - 'bugtool/cmd/**' - - 'cilium/cmd/**' - - 'cilium-health/cmd/**' - - 'daemon/cmd/**' - - 'hubble-relay/cmd/**' - - 'install/kubernetes/**' - - 'operator/cmd/**' - - README.rst - - # Runs only if code under Documentation or */cmd/ is changed as the docs - # should be unaffected otherwise. 
- build-html: - needs: check_changes - if: ${{ needs.check_changes.outputs.docs-tree == 'true' }} - name: Validate & Build HTML - runs-on: ubuntu-22.04 - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # Needed to detect missing redirects - fetch-depth: 0 - - name: Build HTML - uses: docker://quay.io/cilium/docs-builder:505a028fdf7bb55d366ba658308f46af3dff6279@sha256:8ee5253e15a9708c5b6f8207753cd31052e6218517dd0a8ca80f09a77af1a1ec - with: - entrypoint: ./Documentation/check-build.sh - args: html - - check-generated-documentation: - name: Check generated documentation - if: ${{ github.event_name != 'merge_group' }} - runs-on: ubuntu-22.04 - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # Needed to detect missing redirects - fetch-depth: 0 - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - # Building Cilium as precondition to generate documentation artifacts. - - name: Build Cilium - run: | - make -C Documentation cilium-build - - - name: Check generated documentation - run: | - SKIP_BUILD=true make -C Documentation check diff --git a/.github/workflows/fqdn-perf.yaml b/.github/workflows/fqdn-perf.yaml deleted file mode 100644 index af9a670323c26..0000000000000 --- a/.github/workflows/fqdn-perf.yaml +++ /dev/null 
@@ -1,294 +0,0 @@ -name: FQDN perf test (fqdn-perf) - -on: - schedule: - - cron: '39 6 * * 1-5' - - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - -# For testing uncomment following lines: -# push: -# branches: -# - your_branch_name - -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To be able to request the JWT from GitHub's OIDC provider - id-token: write - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=golang-version depName=go - go_version: 1.23.1 - test_name: perf-fqdn - cluster_name: ${{ github.run_id }}-${{ github.run_attempt }} - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - install-and-fqdn-perf-test: - runs-on: ubuntu-latest - name: Install and FQDN Perf Test - timeout-minutes: 60 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ] ; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - CILIUM_INSTALL_DEFAULTS="--chart-directory=install/kubernetes/cilium \ - --set pprof.enabled=true \ - --helm-set=prometheus.enabled=true \ - --helm-set=dnsProxy.proxyResponseMaxDelay=100s \ - --helm-set=cluster.name=${{ env.cluster_name }} \ - --wait=false" - - # only add SHA to the image tags if it was set - if [ -n "${SHA}" ]; then - echo sha=${SHA} >> $GITHUB_OUTPUT - CILIUM_INSTALL_DEFAULTS+=" --helm-set=image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - --helm-set=image.useDigest=false 
\ - --helm-set=image.tag=${SHA} \ - --helm-set=operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - --helm-set=operator.image.suffix=-ci \ - --helm-set=operator.image.tag=${SHA} \ - --helm-set=operator.image.useDigest=false \ - --helm-set=clustermesh.apiserver.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci \ - --helm-set=clustermesh.apiserver.image.tag=${SHA} \ - --helm-set=clustermesh.apiserver.image.useDigest=false \ - --helm-set=hubble.relay.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - --helm-set=hubble.relay.image.tag=${SHA} \ - --helm-set=hubble.relay.image.useDigest=false" - fi - - # Adding k8s.local to the end makes kops happy - # has stricter DNS naming requirements. - CLUSTER_NAME="${{ env.test_name }}-${{ env.cluster_name }}.k8s.local" - - echo SHA=${SHA} >> $GITHUB_OUTPUT - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo CLUSTER_NAME=${CLUSTER_NAME} >> $GITHUB_OUTPUT - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.SHA }} &> /dev/null; do sleep 45s; done - done - - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version: ${{ env.go_version }} - - - name: Install Kops - uses: cilium/scale-tests-action/install-kops@746605acaf51e628ba5b8941d547c7cf32655358 # main - - - name: Setup gcloud credentials - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 - with: - workload_identity_provider: ${{ secrets.GCP_PERF_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PERF_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Setup gcloud CLI - uses: 
google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - version: "405.0.0" - - - name: Clone ClusterLoader2 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - repository: kubernetes/perf-tests - # Avoid using renovate to update this dependency because: (1) - # perf-tests does not tag or release, so renovate will pull - # all updates to the default branch and (2) continually - # updating CL2 may impact the stability of the scale test - # results. - ref: 6eb52ac89d5de15a0ad13cfeb2b2026e57ce4f64 - persist-credentials: false - sparse-checkout: clusterloader2 - path: perf-tests - - - name: Deploy cluster - id: deploy-cluster - uses: cilium/scale-tests-action/create-cluster@746605acaf51e628ba5b8941d547c7cf32655358 # main - timeout-minutes: 30 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - control_plane_size: n1-standard-4 - control_plane_count: 1 - node_size: e2-standard-8 - node_count: 2 - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ inputs.SHA || github.sha }} - - - name: Display version info of installed tools - run: | - echo "--- go ---" - go version - echo "--- cilium-cli ---" - cilium version --client - echo "--- kops ---" - ./kops version - echo "--- gcloud ---" - gcloud version - - - name: Setup firewall rules - uses: cilium/scale-tests-action/setup-firewall@746605acaf51e628ba5b8941d547c7cf32655358 # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - - - name: Install Cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for cluster to be ready - uses: 
cilium/scale-tests-action/validate-cluster@746605acaf51e628ba5b8941d547c7cf32655358 # main - timeout-minutes: 20 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - - - name: Run CL2 - id: run-cl2 - working-directory: ./perf-tests/clusterloader2 - shell: bash - timeout-minutes: 30 - run: | - mkdir ./report - export CL2_PROMETHEUS_PVC_ENABLED=false - export CL2_PROMETHEUS_SCRAPE_CILIUM_OPERATOR=true - export CL2_PROMETHEUS_SCRAPE_CILIUM_AGENT=true - export CL2_ENABLE_DNSTESTS=true - - # CL2 needs ssh access to control plane nodes - gcloud compute config-ssh - - cp -r ../../.github/actions/cl2-modules/fqdn ./testing/ - - go run ./cmd/clusterloader.go \ - -v=2 \ - --testconfig=./testing/fqdn/config.yaml \ - --provider=gce \ - --enable-prometheus-server \ - --tear-down-prometheus-server=false \ - --report-dir=./report \ - --experimental-prometheus-snapshot-to-report-dir=true \ - --kubeconfig=$HOME/.kube/config \ - --testoverrides=./testing/prometheus/not-scrape-kube-proxy.yaml \ - 2>&1 | tee cl2-output.txt - - - name: Get sysdump - if: ${{ always() && steps.run-cl2.outcome != 'skipped' && steps.run-cl2.outcome != 'cancelled' }} - run: | - cilium status - cilium sysdump --output-filename cilium-sysdump-final - - - name: Cleanup cluster - if: ${{ always() && steps.deploy-cluster.outcome != 'skipped' }} - uses: cilium/scale-tests-action/cleanup-cluster@746605acaf51e628ba5b8941d547c7cf32655358 # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Export results and sysdump to GS bucket - if: ${{ always() && steps.run-cl2.outcome != 'skipped' && steps.run-cl2.outcome != 'cancelled' }} - uses: cilium/scale-tests-action/export-results@746605acaf51e628ba5b8941d547c7cf32655358 # main - with: - test_name: ${{ env.test_name }} - results_bucket: ${{ 
env.GCP_PERF_RESULTS_BUCKET }} - artifacts: ./perf-tests/clusterloader2/report/* - other_files: cilium-sysdump-final.zip ./perf-tests/clusterloader2/cl2-output.txt - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: install-and-fqdn-perf-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.install-and-fqdn-perf-test.result }} diff --git a/.github/workflows/hubble-cli-integration-test.yaml b/.github/workflows/hubble-cli-integration-test.yaml deleted file mode 100644 index 5c816f10d553d..0000000000000 --- a/.github/workflows/hubble-cli-integration-test.yaml +++ /dev/null 
@@ -1,224 +0,0 @@ -name: Hubble CLI integration tests - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - main - - ft/main/** - - 'renovate/main-**' - paths-ignore: - - 'Documentation/**' - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - kind_config: .github/kind-config.yaml - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - integration-test: - runs-on: ubuntu-latest - name: Hubble CLI Integration Test - timeout-minutes: 20 - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set image tag - id: vars - run: | - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=hubble.relay.enabled=true" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - examples - - # Build hubble CLI before setting up the cluster and waiting on images to - # save time on failures. - - name: Setup go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version-file: 'go.mod' - - - name: Build hubble CLI - run: | - make -C hubble - ./hubble/hubble version - - # Setup the cluster - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 -C hubble - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ${{ env.KIND_CONFIG }} - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Wait for hubble-relay to be running - run: | - kubectl -n kube-system rollout status deployment/hubble-relay - - - name: Run Hubble CLI integration test - timeout-minutes: 5 - run: | - set -ex - ./hubble/hubble 
--version - - kubectl -n kube-system port-forward service/hubble-relay 4245:80 & - # wait until the port-forward is running - until [ $(pgrep --count --full "kubectl.*port-forward.*service\/hubble-relay.*4245:80") -eq 1 ]; do - sleep 1 - done - - # give relay a little bit more time to actually connect to agent before running commands. - sleep 5 - - ./hubble/hubble status - - # query hubble until we receive flows, or timeout - flowCount=0 - until [ $flowCount -gt 0 ]; do - ./hubble/hubble observe -n kube-system -o jsonpb | tee flows.json - flowCount=$(jq -r --slurp 'length' flows.json) - sleep 5 - done - - # verify we got some flows - test $(jq -r --slurp 'length' flows.json) -gt 0 - # test piping flows into the CLI - test $(./hubble/hubble observe < flows.json -o json | jq -r --slurp 'length') -eq $(jq -r --slurp 'length' flows.json) - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdump-out-${{ matrix.conformance-profile }}-${{ matrix.crd-channel }} - path: cilium-sysdump-out-*.zip - retention-days: 5 - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: integration-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.integration-test.result }} diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml deleted file mode 100644 index f3b5cefa0c17a..0000000000000 
--- a/.github/workflows/integration-test.yaml +++ /dev/null 
@@ -1,167 +0,0 @@ -name: Integration Tests (ci-integration) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - main - - ft/main/** - - 'renovate/main-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - integration-test: - name: Integration Test - strategy: - fail-fast: false - matrix: - arch: ["${{ vars.GH_RUNNER_EXTRA_POWER }}", ubuntu-22.04-arm64] - runs-on: ${{ matrix.arch }} - timeout-minutes: 45 - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Install Dependencies - shell: bash - run: | - sudo apt update && sudo apt install -y --no-install-recommends build-essential make libncurses5 - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Cleanup Disk space in runner - if: runner.name == 'ubuntu-latest' - uses: ./.github/actions/disk-cleanup - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set image tag - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - - name: Set clang directory - id: set_clang_dir - run: echo "clang_dir=$HOME/.clang" >> $GITHUB_OUTPUT - - - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@e0a8dc9cb8a22e8a7696e8a91a4e9581bec13181 # v2.0.5 - with: - version: "17.0.6" - directory: ${{ steps.set_clang_dir.outputs.clang_dir }} - - - name: Prepare environment - timeout-minutes: 15 - run: | - go install github.com/mfridman/tparse@baf229e8494613f134bc0e1f4cb9dc9b12f66442 # v0.14.0 - - - name: Run integration tests - timeout-minutes: 60 - run: | - export V=0 - export DOCKER_BUILD_FLAGS=--quiet - export CFLAGS="-Werror" - make integration-tests - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: integration-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.integration-test.result }} diff --git a/.github/workflows/lint-bpf-checks.yaml b/.github/workflows/lint-bpf-checks.yaml deleted file mode 100644 index b2b50e45a1c82..0000000000000 --- a/.github/workflows/lint-bpf-checks.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -name: BPF Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - merge_group: - types: [checks_requested] - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }} - cancel-in-progress: ${{ !github.event.merge_group }} - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-latest - outputs: - bpf-tree: ${{ steps.changes.outputs.bpf-tree }} - coccinelle: ${{ steps.changes.outputs.coccinelle }} - bpf-tests-runner: ${{ steps.changes.outputs.bpf-tests-runner }} - workflow-description: ${{ steps.changes.outputs.workflow-description }} - steps: - - name: Checkout code - if: ${{ !github.event.pull_request }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 - - name: Check code changes - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 - id: changes - with: - # For `push` events, compare against the `ref` base branch - # For `pull_request` events, this is ignored and will compare against the pull request base branch - base: ${{ github.ref }} - filters: | - bpf-tree: - - 'bpf/**' - - 'images/**' - coccinelle: - - 'contrib/coccinelle/**' - bpf-tests-runner: - - 'bpf/tests/bpftest/**' - - 'pkg/bpf/**' - workflow-description: - - '.github/workflows/lint-bpf-checks.yaml' - - checkpatch: - name: Check Patch - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 - - name: Run checkpatch.pl - run: | - make -C bpf checkpatch || (echo "Run 'make -C bpf checkpatch' locally to investigate reports"; exit 1) - - # Runs only if code under bpf/ or contrib/coccinnelle/ is changed. 
- coccicheck: - needs: check_changes - if: ${{ needs.check_changes.outputs.bpf-tree == 'true' || needs.check_changes.outputs.coccinelle == 'true' || needs.check_changes.outputs.workflow-description == 'true' }} - name: Run coccicheck - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Run coccicheck - uses: docker://cilium/coccicheck:2.4@sha256:24abe3fbb8e829fa41a68a3b76cb4df84fd5a87a7d1d6254c1c1fe5effb5bd1b - with: - entrypoint: ./contrib/coccinelle/check-cocci.sh - # Note: Setting COCCINELLE_HOME can be removed, here and in the - # messages in the .cocci files, next time we upgrade coccinelle. - # The issue was fixed, after v1.1.1 that we're using, in - # https://gitlab.inria.fr/coccinelle/coccinelle/-/commit/540888ff426e. - env: - COCCINELLE_HOME: /usr/local/lib/coccinelle - - # Runs only if code under bpf/ is changed. - build_all: - needs: [check_changes] - if: ${{ needs.check_changes.outputs.bpf-tree == 'true' || needs.check_changes.outputs.workflow-description == 'true' }} - name: Build Datapath - runs-on: ubuntu-22.04 - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 - - name: Build all BPF datapath permutations - env: - V: 0 - run: | - contrib/scripts/builder.sh make --quiet -C bpf build_all -j $(nproc) || (echo "Run 'make -C bpf build_all' locally to investigate build breakages"; exit 1) - - bpf_tests: - needs: [check_changes] - if: ${{ needs.check_changes.outputs.bpf-tree == 'true' || needs.check_changes.outputs.bpf-tests-runner == 'true' || needs.check_changes.outputs.workflow-description == 'true' }} - name: BPF unit/integration Tests - runs-on: ubuntu-22.04 - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 
- - name: Run BPF tests - run: | - make run_bpf_tests || (echo "Run 'make run_bpf_tests' locally to investigate failures"; exit 1) diff --git a/.github/workflows/lint-codeowners.yaml b/.github/workflows/lint-codeowners.yaml deleted file mode 100644 index c0fd4821dd966..0000000000000 --- a/.github/workflows/lint-codeowners.yaml +++ /dev/null 
@@ -1,129 +0,0 @@ -name: CODEOWNERS Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - branches: - - main - - ft/main/** - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} - cancel-in-progress: true - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-latest - outputs: - added-files: ${{ steps.changes.outputs.added-files }} - deleted-files: ${{ steps.changes.outputs.deleted-files }} - codeowners-changed: ${{ steps.changes.outputs.codeowners-changed }} - steps: - - name: Check code changes - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 - id: changes - with: - filters: | - added-files: - - added: '**' - deleted-files: - - deleted: '**' - codeowners-changed: - - 'CODEOWNERS' - - '.github/workflows/lint-codeowners.yaml' - - codeowners: - needs: check_changes - if: ${{ needs.check_changes.outputs.codeowners-changed == 'true' || needs.check_changes.outputs.added-files == 'true' || needs.check_changes.outputs.deleted-files == 'true' }} - name: Check CODEOWNERS consistency - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # Hard-code the path instead of using ${{ github.repository }} - # to make sure it works for forked repo as well. - path: src/github.com/cilium/cilium - - - name: Check if all files have attributed code owners - if: ${{ needs.check_changes.outputs.codeowners-changed == 'true' || needs.check_changes.outputs.added-files == 'true' }} - run: | - # CODEOWNERS patterns follows nearly the same syntax as a .gitignore. - # To check if all files are covered by patterns other than the - # catch-all '*', we turn the file into a .gitignore and list - # unmatched files. 
- cd src/github.com/cilium/cilium - # Copy all patterns from CODEOWNERS, but skipping the comments - # ('^[^#]') and the catch-all '*' rule (the only one with a single - # character, we skip it with '^.[^ ]'). - awk '/^[^#][^ ]/ {print $1}' CODEOWNERS > .gitignore - # Reinitialize the repo and list all files NOT covered by .gitignore. - rm -rf .git - git init -q - if [[ -n "$(git ls-files --others -X .gitignore)" ]]; then - echo '::error title=missing_code_owners::Following files have no owners in CODEOWNERS:' - git ls-files --others -X .gitignore - exit 1 - fi - - - name: Check if CODEOWNERS has stale entries - if: ${{ needs.check_changes.outputs.codeowners-changed == 'true' || needs.check_changes.outputs.deleted-files == 'true' }} - run: | - cd src/github.com/cilium/cilium - EXIT_STATUS=0 - # We go through the patterns in CODEOWNERS, and for each of them we - # search for corresponding files in the repo. - while read l; do - case "${l}" in - /*) - # The pattern should match from the root of the repo, - # we'll use 'ls'. For now, just append pattern to $LIST. - LIST+=" ${l#/}" - ;; - *) - # No leading slash: may not be at the root of the repo, - # search with 'find'. Print pattern if no file found. - if [[ -z $(find . -path "*${l}*" -print -quit) ]]; then - echo "${l}" - EXIT_STATUS=1 - fi - ;; - esac - done <<< $(awk '/^[^#][^ ]/ {print $1}' CODEOWNERS) - # Just one final call to 'ls' with all /* patterns found. Catch - # patterns with no corresponding files/directories from stderr. - STALE_PATTERNS="$(ls -- ${LIST} 2>&1 >/dev/null | sed "s|.*'\(.*\)':.*|/\1|")" - if [[ -n "${STALE_PATTERNS}" ]]; then - echo "${STALE_PATTERNS}" | sed 's/ /\n/g' - EXIT_STATUS=1 - fi - if [[ ${EXIT_STATUS} -ne 0 ]]; then - echo '::error title=stale_patterns::The patterns above should be removed from CODEOWNERS.' 
- exit ${EXIT_STATUS} - fi - - - name: Check if all teams in CODEOWNERS rules are documented in the file - if: ${{ needs.check_changes.outputs.codeowners-changed == 'true' }} - run: | - EXIT_STATUS=0 - # List all teams used in CODEOWNERS rules: discard comments and empty - # lines, discard lines with no team assigned (with no space in it), - # then discard the first field (pattern to match) for the remaining - # rules, split the list of teams by replacing spaces with line - # breaks, sort the results. Then grep for each team name among - # CODEOWNERS's comments. - cd src/github.com/cilium/cilium - for team in $(sed -e '/^\(#\|$\)/d' -e '/^[^ ]*$/d' -e 's/^[^ #]\+ //' -e 's/ /\n/g' CODEOWNERS | sort -u); do - if ! grep -q "^#[^@]*${team}" CODEOWNERS; then - echo "${team}"; - EXIT_STATUS=1 - fi; - done - if [[ ${EXIT_STATUS} -ne 0 ]]; then - echo '::error title=missing_team::The teams above are not documented in CODEOWNERS. Typo?' - exit ${EXIT_STATUS} - fi diff --git a/.github/workflows/lint-go.yaml b/.github/workflows/lint-go.yaml deleted file mode 100644 index 1d088fd29228a..0000000000000 --- a/.github/workflows/lint-go.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ -name: Go Related Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - # Add this workflow to be triggered by merge queue events - merge_group: - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }} - cancel-in-progress: ${{ !github.event.merge_group }} - -jobs: - go-mod: - name: Check Go Modules - runs-on: ubuntu-latest - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Check module vendoring - run: | - go mod tidy - go mod vendor - test -z "$(git status --porcelain)" || (echo "please run 'go mod tidy && go mod vendor', and submit your changes"; exit 1) - - license-check: - name: Check third party dependencies licenses - runs-on: ubuntu-latest - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Check for unauthorized dependencies - run: go run ./tools/licensecheck ./... 
2>/dev/null - - golangci: - name: Lint Source Code - runs-on: ubuntu-latest - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Run golangci-lint - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 - with: - # renovate: datasource=docker depName=golangci/golangci-lint - version: v1.61.0 - skip-cache: true - args: "--out-${NO_FUTURE}format colored-line-number --verbose --modules-download-mode=vendor" - - precheck: - runs-on: ubuntu-latest - name: Precheck - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - name: Go code prechecks - run: | - cd src/github.com/cilium/cilium - make precheck - - generate-api: - runs-on: ubuntu-latest - name: Generate API - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: 
src/github.com/cilium/cilium - - name: Check api generated files - run: | - cd src/github.com/cilium/cilium - contrib/scripts/check-api-code-gen.sh - - generate-k8s-api: - runs-on: ubuntu-latest - name: Generate k8s API - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - name: Check k8s generated files - run: | - # Set GOBIN to ensure 'go install' binaries end up in the same directory - # as the one actions/setup-go adds to PATH, regardless of GOPATH. - export GOBIN="$HOME/go/bin" - - cd src/github.com/cilium/cilium - contrib/scripts/check-k8s-code-gen.sh diff --git a/.github/workflows/lint-images-base.yaml b/.github/workflows/lint-images-base.yaml deleted file mode 100644 index 1e93debaf136e..0000000000000 --- a/.github/workflows/lint-images-base.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -name: Base Image Lint - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - types: - - opened - - synchronize - - reopened - push: - branches: - - main - - ft/main/** - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -jobs: - lint: - name: Lint image build logic - runs-on: ubuntu-22.04 - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - - uses: docker://quay.io/cilium/image-maker:7de7f1c855ce063bdbe57fdfb28599a3ad5ec8f1@sha256:dde8500cbfbb6c41433d376fdfcb3831e2df9cec50cf4f49e8553dc6eba74e72 - name: Run make lint - with: - entrypoint: make - args: -C images lint - - - uses: docker://quay.io/cilium/image-maker:7de7f1c855ce063bdbe57fdfb28599a3ad5ec8f1@sha256:dde8500cbfbb6c41433d376fdfcb3831e2df9cec50cf4f49e8553dc6eba74e72 - name: Check if runtime and builder images are up-to-date - with: - entrypoint: make - args: -C images check-runtime-image check-builder-image - - - name: Check Cilium Envoy image - run: make -C images check-envoy-image diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml deleted file mode 100644 index 83fef5d937ce8..0000000000000 --- a/.github/workflows/lint-workflows.yaml +++ /dev/null 
@@ -1,266 +0,0 @@ -name: GitHub Workflow Related Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -jobs: - ginkgo-workflow-comments: - name: Lint Ginkgo Workflows Comments - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - # Load Ginkgo build from GitHub - - name: Load ginkgo linter from GH cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-linter-${{ hashFiles('src/github.com/cilium/cilium/**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - cache-dependency-path: "src/github.com/cilium/cilium/*.sum" - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Building Ginkgo Linter Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium - git apply contrib/testing/ginkgo-get-all-test-names.patch - - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Linter Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | 
- cd src/github.com/cilium/cilium - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Copy Ginkgo binary - if: ${{ steps.cache.outputs.cache-hit == 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium/test/ - tar -xf /tmp/.ginkgo-build/test.tgz - - - name: Reading Comments From Workflows - shell: bash - run: | - cd src/github.com/cilium/cilium - - grep '# K8s' .github/actions/ginkgo/main-focus.yaml | \ - sed -e 's/^[[:space:]]\+# //g' | \ - sort -u > /tmp/ginkgo-workflow-comments.txt - - grep '# Runtime' .github/workflows/conformance-runtime.yaml | \ - sed -e 's/^[[:space:]]\+# //g' | \ - sort -u > /tmp/runtime-workflow-comments.txt - - - name: Getting test runs output - shell: bash - run: | - cd src/github.com/cilium/cilium/test - - ./test.test -ginkgo.failFast -ginkgo.dryRun -- --cilium.testScope=K8s | \ - grep TestRun | \ - grep -v 'TestRun\[Top Level\] Runtime' | \ - sed 's/TestRun\[Top Level\]\ //g' | \ - sort -u > /tmp/ginkgo-tests.txt - - ./test.test -ginkgo.failFast -ginkgo.dryRun -- --cilium.testScope=Runtime | \ - grep TestRun | \ - grep -v 'TestRun\[Top Level\] K8s' | \ - sed 's/TestRun\[Top Level\]\ //g' | \ - sort -u > /tmp/runtime-tests.txt - - - name: Checking diff Ginkgo Workflow - shell: bash - run: | - diff /tmp/ginkgo-workflow-comments.txt /tmp/ginkgo-tests.txt --suppress-common-lines - - if [ $? -ne 0 ]; then - echo "" - echo "Ginkgo tests out of sync with comments from GH workflow:" - echo "$diff" - echo "Please fix the comments from .github/actions/ginkgo/main-focus.yaml accordingly" - echo "" - exit 1 - fi - - - name: Checking diff Runtime Workflow - shell: bash - run: | - diff /tmp/runtime-workflow-comments.txt /tmp/runtime-tests.txt --suppress-common-lines - - if [ $? 
-ne 0 ]; then - echo "" - echo "Ginkgo tests out of sync with comments from GH workflow:" - echo "$diff" - echo "" - echo "Please fix the comments from .github/workflows/conformance-runtime.yaml accordingly" - exit 1 - fi - - ginkgo-schema-validation: - name: Validate Ginkgo Schema - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: '3.10' - - name: Install yamela - run: pip install yamale - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - - name: Validate schema of ginkgo action files - shell: bash - run: | - cd src/github.com/cilium/cilium/.github/actions/ginkgo/ - for type in focus k8s-versions prs scheduled; do - yamale -s ${type}-schema.yaml *-${type}.yaml; - done - - conformance-schema-validation: - name: Validate k8s Versions Schema - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: '3.10' - - name: Install yamela - run: pip install yamale - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - - name: Validate schema of aws, azure and gke action files - shell: bash - run: | - for dir in aws azure gke;do - dir_base=".github/actions/${dir}" - file_base="${dir_base}/k8s-versions" - if [ -f ${file_base}.yaml ];then - yamale -s ${file_base}-schema.yaml ${file_base}.yaml; - fi - if [ -f ${dir_base}/test-config-schema.yaml ];then - yamale -s ${dir_base}/test-config-schema.yaml 
${dir_base}/test-config-classic.yaml - yamale -s ${dir_base}/test-config-schema.yaml ${dir_base}/test-config-helm.yaml - fi - done - - name-validation: - name: Validate Workflow Names - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - - name: Validate Job and Step names - shell: bash - run: | - EXIT=0 - cd src/github.com/cilium/cilium/.github/workflows - for FILE in *.yaml;do - JOBS=$(yq '.jobs | to_entries | .[] | select(.value.name == null) | " " + .key' $FILE) - STEPS=$(yq '.jobs | to_entries | .[] as $job | $job.value.steps[] | {"key": $job.key, "name": .name} | select(.name == null) | " "+.key' $FILE) - if [ "${JOBS}" != "" ];then - echo Jobs are missing name field, in file $FILE - echo "${JOBS}" | awk '{for (i=1; i<=NF; i++) print " " $i}' - EXIT=1 - fi - if [ "${STEPS}" != "" ];then - echo Steps are missing name field, under these Jobs in file $FILE - echo "${STEPS}" | awk '{for (i=1; i<=NF; i++) print " " $i}' - EXIT=1 - fi - done - exit ${EXIT} - - - name: Validate Commit Status Start Job - shell: bash - run: | - EXIT=0 - cd src/github.com/cilium/cilium/.github/workflows - for FILE in *.yaml; do - # we only care about workflows that has ariane workflow_dispatch events - IS_ARIANE_DISPATCH=$(yq '.on.workflow_dispatch.inputs.PR-number' $FILE) - if [ "$IS_ARIANE_DISPATCH" == "null" ]; then - continue - fi - JOB=$(yq '.jobs | to_entries | .[] | select(.key == "commit-status-start")' $FILE) - if [ "$JOB" == "" ]; then - echo "commit-status-start job is missing in file $FILE" - EXIT=1 - fi - JOB_NAME=$(echo "${JOB}" | yq '.value.name') - if [ "$JOB_NAME" != "Commit Status Start" ]; then - echo "commit-status-start job name must be set as 'Commit Status Start' in file $FILE" - EXIT=1 - fi - done - 
exit ${EXIT} - - - name: Validate Absence of Trailing Spaces - shell: bash - working-directory: src/github.com/cilium/cilium/ - run: | - if grep --quiet --recursive '[[:blank:]]$' .github; then - echo "Found trailing spaces in the following workflow files" - grep --files-with-matches --recursive '[[:blank:]]$' .github - echo - echo "Please run:" - echo " find .github -type f -exec sed -ri 's/[[:blank:]]+$//' {} \;" - echo "and submit your changes" - exit 1 - fi diff --git a/.github/workflows/needs-more-info.yaml b/.github/workflows/needs-more-info.yaml deleted file mode 100644 index 36ef29ad73715..0000000000000 --- a/.github/workflows/needs-more-info.yaml +++ /dev/null @@ -1,18 +0,0 @@ -name: Issue Info Complete - -# This workflow is triggered on issue comments. -on: - issue_comment: - types: created - -jobs: - applyNeedsAttentionLabel: - name: Apply Info Complete Label - runs-on: ubuntu-latest - steps: - - name: Apply Needs Attention Label - uses: hramos/needs-attention@d0eaa7f961c04d4da86466b1176b56e0d4089022 # v2.0.0 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - response-required-label: 'need-more-info' - needs-attention-label: 'info-completed' diff --git a/.github/workflows/net-perf-gke.yaml b/.github/workflows/net-perf-gke.yaml deleted file mode 100644 index 48578286726d5..0000000000000 --- a/.github/workflows/net-perf-gke.yaml +++ /dev/null 
@@ -1,356 +0,0 @@ -name: Network performance GKE (net-perf-gke) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - schedule: - - cron: '39 0 * * 1-5' - - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - -# For testing uncomment following lines: -# push: -# branches: -# - your_branch_name - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To be able to request the JWT from GitHub's OIDC provider - id-token: write - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cilium_cli_ci_version: - test_name: gke-perf - USE_GKE_GCLOUD_AUTH_PLUGIN: True - gcp_zone: us-east5-a - k8s_version: 1.28 - # renovate: datasource=docker depName=google/cloud-sdk - gcloud_version: 492.0.0 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - installation-and-perf: - name: Installation and Perf Test - runs-on: ubuntu-latest - timeout-minutes: 60 - env: - job_name: "Installation and Perf Test" - strategy: - fail-fast: false - matrix: - include: - - index: 1 - name: "native" - mode: "gke" - encryption: "none" - hubble: "false" - - - index: 2 - name: "tunnel" - mode: "tunnel" - encryption: "none" - hubble: "false" - - - index: 3 - name: "native-ipsec" - mode: "gke" - encryption: "ipsec" - hubble: "false" - - - index: 4 - name: "tunnel-ipsec" - mode: "tunnel" - encryption: "ipsec" - hubble: "false" - - - index: 5 - name: "native-wireguard" - mode: "gke" - encryption: "wireguard" - hubble: "false" - - - index: 6 - name: "tunnel-wireguard" - mode: "tunnel" - encryption: "wireguard" - hubble: "false" - - - index: 7 - name: "native-hubble" - mode: "gke" - encryption: "none" - hubble: "true" - - - index: 8 - name: "tunnel-hubble" - mode: "tunnel" - encryption: "none" - hubble: "true" - - - 
index: 9 - name: "native-ipsec-hubble" - mode: "gke" - encryption: "ipsec" - hubble: "true" - - - index: 10 - name: "tunnel-ipsec-hubble" - mode: "tunnel" - encryption: "ipsec" - hubble: "true" - - - index: 11 - name: "native-wireguard-hubble" - mode: "gke" - encryption: "wireguard" - hubble: "true" - - - index: 12 - name: "tunnel-wireguard-hubble" - mode: "tunnel" - encryption: "wireguard" - hubble: "true" - - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ] || [ ${{ github.event.pull_request }} ] ; then - SHA="${{ inputs.SHA }}" - OWNER="${{ inputs.PR-number }}" - else - SHA="${{ github.sha }}" - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - CILIUM_INSTALL_DEFAULTS="--chart-directory=install/kubernetes/cilium \ - --helm-set=cluster.name=${{ env.clusterName }}-${{ matrix.index }} \ - --helm-set=agentNotReadyTaintKey=ignore-taint.cluster-autoscaler.kubernetes.io/cilium-agent-not-ready \ - --helm-set=debug.enabled=false \ - --helm-set=bpf.monitorAggregation=maximum \ - --helm-set=hubble.enabled=${{ matrix.hubble == 'true' }} \ - --wait=false" - - # only add SHA to the image tags if it was set - if [ -n "${SHA}" ]; then - echo sha=${SHA} >> $GITHUB_OUTPUT - CILIUM_INSTALL_DEFAULTS+=" --helm-set=image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - --helm-set=image.useDigest=false \ - --helm-set=image.tag=${SHA} \ - --helm-set=operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - 
--helm-set=operator.image.suffix=-ci \ - --helm-set=operator.image.tag=${SHA} \ - --helm-set=operator.image.useDigest=false \ - --helm-set=clustermesh.apiserver.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci \ - --helm-set=clustermesh.apiserver.image.tag=${SHA} \ - --helm-set=clustermesh.apiserver.image.useDigest=false \ - --helm-set=hubble.relay.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - --helm-set=hubble.relay.image.tag=${SHA} \ - --helm-set=hubble.relay.image.useDigest=false" - fi - - CILIUM_INSTALL_DEFAULTS+=" --datapath-mode=${{ matrix.mode }}" - - if [ "${{ matrix.encryption }}" = "ipsec" ] ; then - CILIUM_INSTALL_DEFAULTS+=" --helm-set=encryption.enabled=true --helm-set=encryption.type=ipsec" - fi - - if [ "${{ matrix.encryption }}" = "wireguard" ] ; then - CILIUM_INSTALL_DEFAULTS+=" --helm-set=encryption.enabled=true --helm-set=encryption.type=wireguard" - fi - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Set up gcloud credentials - id: 'auth' - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 - with: - workload_identity_provider: ${{ secrets.GCP_PERF_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PERF_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - version: ${{ env.gcloud_version }} - - - name: Install gke-gcloud-auth-plugin - run: | - gcloud components install gke-gcloud-auth-plugin - - - name: Display gcloud CLI info - run: | - gcloud info - - - name: Create GKE cluster - run: | - gcloud container clusters create ${{ env.clusterName }}-${{ matrix.index }} \ - --labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name 
}},owner=${{ steps.vars.outputs.owner }}" \ - --zone ${{ env.gcp_zone }} \ - --cluster-version ${{ env.k8s_version }} \ - --enable-ip-alias \ - --create-subnetwork="range=/26" \ - --cluster-ipv4-cidr="/21" \ - --services-ipv4-cidr="/24" \ - --image-type COS_CONTAINERD \ - --num-nodes 2 \ - --machine-type n2-standard-2 \ - --disk-type pd-standard \ - --disk-size 20GB \ - --node-taints ignore-taint.cluster-autoscaler.kubernetes.io/cilium-agent-not-ready=true:NoExecute - - - name: Get cluster credentials - run: | - gcloud container clusters get-credentials ${{ env.clusterName }}-${{ matrix.index }} --zone ${{ env.gcp_zone }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Create custom IPsec secret - if: ${{ matrix.encryption == 'ipsec' }} - run: | - kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="15 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - - name: Install Cilium - id: install-cilium - run: | - cilium install --dry-run-helm-values ${{ steps.vars.outputs.cilium_install_defaults }} - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium to be ready - run: | - cilium status --wait --wait-duration=10m - kubectl get pods -n kube-system - kubectl -n kube-system exec daemonset/cilium -- cilium-dbg status - - - name: Run perf test (${{ matrix.name }}) - id: run-perf - run: | - mkdir output - cilium connectivity perf --duration=30s 
--host-net=true --pod-net=true --report-dir=./output - sudo chmod -R +r ./output - - - name: Get sysdump - if: ${{ always() && steps.run-perf.outcome != 'skipped' && steps.run-perf.outcome != 'cancelled' }} - run: | - cilium status - cilium sysdump --output-filename cilium-sysdump-final - sudo chmod +r cilium-sysdump-final.zip - - - name: Clean up GKE - if: ${{ always() }} - run: | - while [ "$(gcloud container operations list --zone ${{ env.gcp_zone }} --filter="status=RUNNING AND targetLink~${{ env.clusterName }}-${{ matrix.index }}" --format="value(name)")" ];do - echo "cluster has an ongoing operation, waiting for all operations to finish"; sleep 15 - done - gcloud container clusters delete ${{ env.clusterName }}-${{ matrix.index }} --zone ${{ env.gcp_zone }} --quiet --async - shell: bash {0} # Disable default fail-fast behavior so that all commands run independently - - - name: Export results and sysdump to GS bucket - if: ${{ always() && steps.run-perf.outcome != 'skipped' && steps.run-perf.outcome != 'cancelled' }} - uses: cilium/scale-tests-action/export-results@746605acaf51e628ba5b8941d547c7cf32655358 # main - with: - test_name: ${{ env.test_name }}-${{ matrix.name }} - results_bucket: ${{ env.GCP_PERF_RESULTS_BUCKET }} - artifacts: ./output/* - other_files: cilium-sysdump-final.zip - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-perf - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-perf.result }} diff --git a/.github/workflows/push-chart-ci.yaml b/.github/workflows/push-chart-ci.yaml deleted file mode 100644 index 626a513ad1900..0000000000000 --- a/.github/workflows/push-chart-ci.yaml +++ /dev/null 
@@ -1,173 +0,0 @@ -name: Chart CI Push - -on: - # run after the image build completes - workflow_run: - workflows: - - Image CI Build - - Hot Fix Image Release Build - types: - - completed - # allow manually triggering it as well, for existing refs - workflow_dispatch: - inputs: - checkout_ref: - description: 'Git ref to build. This needs to be a full commit SHA.' - required: true - - # To test: uncomment this and update it to your branch name and push to the branch. - # push: - # branches: - # - ft/main/ - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - group: | - ${{ github.workflow }}-${{ github.event_name }}-${{ - (github.event_name == 'workflow_dispatch' && inputs.checkout_ref) || - (github.event_name == 'workflow_run' && github.event.workflow_run.head_sha) - }} - cancel-in-progress: true - -jobs: - push-charts: - name: Push Charts - runs-on: ubuntu-22.04 - # we also check for push events in case someone is testing the workflow by uncommenting the push trigger above. 
- if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' || github.event_name == 'push' }} - steps: - - name: Checkout GitHub main - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get triggering event ref - id: get-ref - run: | - if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then - echo ref="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT - echo sha="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT - elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then - if [[ "${{ github.event.workflow_run.head_repository.fork }}" == "true" ]]; then - # use the SHA on forks since the head_branch won't exist in the upstream repository - echo ref="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT - else - echo ref="${{ github.event.workflow_run.head_branch }}" >> $GITHUB_OUTPUT - fi - echo sha="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT - elif [[ "${{ github.event_name }}" == "push" ]]; then - echo ref="${{ github.ref }}" >> $GITHUB_OUTPUT - echo sha="${{ github.sha }}" >> $GITHUB_OUTPUT - else - echo "Invalid event type" - exit 1 - fi - - - name: Set commit status to pending - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: pending - description: Helm push in progress - - - name: Checkout Source Code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # checkout ref not SHA so we can get useful branch names (see previous comments) - ref: ${{ steps.get-ref.outputs.ref }} - # required for git describe - fetch-depth: 0 - - name: Get version - id: get-version - run: | - set -o pipefail - set -e - if [[ -f 
./contrib/scripts/print-chart-version.sh ]]; then - echo "chart_version=$(./contrib/scripts/print-chart-version.sh)" | tee -a $GITHUB_OUTPUT - else - echo "./contrib/scripts/print-chart-version.sh missing. Perhaps it needs to be backported to your target branch?" - exit 1 - fi - - - name: Push charts - uses: cilium/reusable-workflows/.github/actions/push-helm-chart@6ae27958f2f37545bf48e44106b73df05b1f6d12 # v0.1.0 - with: - name: cilium - path: install/kubernetes/cilium - version: ${{ steps.get-version.outputs.chart_version }} - values_file_changes: | - { - - "image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci", - "image.tag": "${{ steps.get-ref.outputs.sha }}", - "image.digest": "", - "image.useDigest": false, - "preflight.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci", - "preflight.image.tag": "${{ steps.get-ref.outputs.sha }}", - "preflight.image.digest": "", - "preflight.image.useDigest": false, - "operator.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator", - "operator.image.suffix": "-ci", - "operator.image.genericDigest": "", - "operator.image.azureDigest": "", - "operator.image.awsDigest": "", - "operator.image.alibabacloudDigest": "", - "operator.image.useDigest": false, - "operator.image.tag": "${{ steps.get-ref.outputs.sha }}", - "hubble.relay.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci", - "hubble.relay.image.tag": "${{ steps.get-ref.outputs.sha }}", - "hubble.relay.image.digest": "", - "hubble.relay.image.useDigest": false, - "clustermesh.apiserver.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci", - "clustermesh.apiserver.image.tag": "${{ steps.get-ref.outputs.sha }}", - "clustermesh.apiserver.image.digest": "", - "clustermesh.apiserver.image.useDigest": false - } - registry: quay.io - registry_namespace: ${{ env.QUAY_CHARTS_ORGANIZATION_DEV }} - registry_username: ${{ secrets.QUAY_CHARTS_DEV_USERNAME }} - 
registry_password: ${{ secrets.QUAY_CHARTS_DEV_PASSWORD }} - - - name: Print helm command - run: | - echo "Example commands:" - echo helm template -n kube-system oci://quay.io/${{ env.QUAY_CHARTS_ORGANIZATION_DEV }}/cilium --version ${{ steps.get-version.outputs.chart_version }} - echo helm install cilium -n kube-system oci://quay.io/${{ env.QUAY_CHARTS_ORGANIZATION_DEV }}/cilium --version ${{ steps.get-version.outputs.chart_version }} - - - name: Set commit status to success - if: ${{ success() }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: success - description: Helm push successful - - - name: Set commit status to failure - if: ${{ failure() }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: failure - description: Helm push failed - - - name: Set commit status to cancelled - if: ${{ cancelled() }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: error - description: Helm push cancelled diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml deleted file mode 100644 index 169edb38bf5d5..0000000000000 --- a/.github/workflows/release.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -name: Release Tool - -on: - workflow_dispatch: - inputs: - step: - description: 'Which step do you want to (re-)run?' - required: true - type: choice - options: - - 2-prepare-release - - 4-post-release - version: - description: 'Which version are you releasing? (e.g. vX.Y.Z[-(pre|rc).W])' - required: true - type: string - default: vX.Y.Z - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.event.inputs.version }} - cancel-in-progress: true - -jobs: - release: - name: Release - environment: release-tool - timeout-minutes: 40 - runs-on: ubuntu-22.04 - steps: - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - - - name: Get token - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.CILIUM_RELEASE_BOT_PEM }} - APP_ID: ${{ secrets.CILIUM_RELEASE_BOT_APP_ID }} - - - name: Authenticate with GH CLI - run: | - gh auth login --with-token <<< "${{ steps.get_token.outputs.app_token }}" - - - name: Checkout release tool - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - repository: cilium/release - path: "./release" - - - name: Move release source code to upper directory - run: mv release ../ - - - name: Checkout cilium source code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Build release tool - shell: bash - run: | - cd ../release - make - - - name: Set-up git - run: | - git config user.name "Cilium Release Bot" - git config user.email "noreply@cilium.io" - git remote set-url origin https://x-access-token:${{ 
steps.get_token.outputs.app_token }}@github.com/${{ github.repository }}.git - - - name: Run release tool - shell: bash - env: - GITHUB_TOKEN: "${{ steps.get_token.outputs.app_token }}" - ORG: "${{ github.repository_owner }}" - run: | - cd ../release - ./release start \ - --force \ - --release-tool-dir "$(pwd)" \ - --repo-dir "$(pwd)/../cilium" \ - --repo ${{ github.repository }} \ - --target-version ${{ github.event.inputs.version }} \ - --steps ${{ github.event.inputs.step }} diff --git a/.github/workflows/renovate-config-validator.yaml b/.github/workflows/renovate-config-validator.yaml deleted file mode 100644 index 3fe063403fedf..0000000000000 --- a/.github/workflows/renovate-config-validator.yaml +++ /dev/null @@ -1,21 +0,0 @@ -name: Validate Renovate configuration - -on: - pull_request: - paths: - - '.github/renovate.json5' - -jobs: - validate: - name: Validate Renovate configuration - runs-on: ubuntu-latest - steps: - - name: Checkout configuration - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - # this step uses latest renovate slim release - - name: Validate configuration - run: > - docker run --rm --entrypoint "renovate-config-validator" - -v "${{ github.workspace }}/.github/renovate.json5":"/renovate.json5" - renovate/renovate:slim "/renovate.json5" diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml deleted file mode 100644 index d4c90e97d3c56..0000000000000 --- a/.github/workflows/renovate.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -name: Renovate -on: - schedule: - # Running every hour every working day (Monday to Friday) - - cron: '0 * * * 1-5' - # Running every two hours on weekends (Saturday and Sunday) - - cron: '0 */2 * * 6,0' - # allow to manually trigger this workflow - workflow_dispatch: - inputs: - renovate_log_level_debug: - type: boolean - description: "Rune Renovate With Debug Log Levels" - default: true - -jobs: - renovate: - name: Run self-hosted Renovate - runs-on: ubuntu-latest - steps: - # we need special permission to be able to operate renovate (view, list, - # create issues, PR, etc.) and we use a GitHub application with fine - # grained permissions installed in the repository for that. - - name: Get token - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.CILIUM_RENOVATE_PEM }} - APP_ID: ${{ secrets.CILIUM_RENOVATE_APP_ID }} - - # renovate clones the repository again in its container fs but it needs - # the renovate configuration to start. - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Self-hosted Renovate - uses: renovatebot/github-action@dd4d265eb8646cd04fc5f86ff8bc8d496d75a251 # v40.2.8 - env: - # default to DEBUG log level, this is always useful - LOG_LEVEL: ${{ github.event.inputs.renovate_log_level_debug == 'false' && 'INFO' || 'DEBUG' }} - with: - # renovate: datasource=github-releases depName=renovatebot/renovate - renovate-version: 38.80.0 - docker-user: root - docker-cmd-file: .github/actions/renovate/entrypoint.sh - configurationFile: .github/renovate.json5 - token: '${{ steps.get_token.outputs.app_token }}' - mount-docker-socket: true diff --git a/.github/workflows/scale-test-100-gce.yaml b/.github/workflows/scale-test-100-gce.yaml deleted file mode 100644 index 9d2e0b54b895a..0000000000000 --- a/.github/workflows/scale-test-100-gce.yaml +++ /dev/null 
@@ -1,372 +0,0 @@ -name: 100 Nodes Scale Test (scale-100) - -on: - schedule: - - cron: '39 0 * * 1-5' - - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - -# For testing uncomment following lines: -# push: -# branches: -# - your_branch_name - -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To be able to request the JWT from GitHub's OIDC provider - id-token: write - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. - group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=golang-version depName=go - go_version: 1.23.1 - # Adding k8s.local to the end makes kops happy- - # has stricter DNS naming requirements. 
- test_name: scale-100 - cluster_name: ${{ github.run_id }}-${{ github.run_attempt }} - # renovate: datasource=docker depName=google/cloud-sdk - gcloud_version: 492.0.0 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - install-and-scaletest: - runs-on: ubuntu-latest - name: Install and Scale Test - timeout-minutes: 150 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ] ; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - # Adding k8s.local to the end makes kops happy - # has stricter DNS naming requirements. 
- CLUSTER_NAME="${{ env.test_name }}-${{ env.cluster_name }}.k8s.local" - - CILIUM_INSTALL_DEFAULTS="--chart-directory=install/kubernetes/cilium \ - --set pprof.enabled=true \ - --helm-set=prometheus.enabled=true \ - --helm-set=cluster.name=${{ env.cluster_name }} \ - --helm-set=k8sServiceHost=api.internal.${CLUSTER_NAME} \ - --helm-set=k8sServicePort=443 \ - --helm-set=kubeProxyReplacement=true \ - --helm-set=operator.replicas=1 \ - --wait=false" - - # only add SHA to the image tags if it was set - if [ -n "${SHA}" ]; then - echo sha=${SHA} >> $GITHUB_OUTPUT - CILIUM_INSTALL_DEFAULTS+=" --helm-set=image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - --helm-set=image.useDigest=false \ - --helm-set=image.tag=${SHA} \ - --helm-set=operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - --helm-set=operator.image.suffix=-ci \ - --helm-set=operator.image.tag=${SHA} \ - --helm-set=operator.image.useDigest=false \ - --helm-set=clustermesh.apiserver.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci \ - --helm-set=clustermesh.apiserver.image.tag=${SHA} \ - --helm-set=clustermesh.apiserver.image.useDigest=false \ - --helm-set=hubble.relay.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - --helm-set=hubble.relay.image.tag=${SHA} \ - --helm-set=hubble.relay.image.useDigest=false" - fi - - echo SHA=${SHA} >> $GITHUB_OUTPUT - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo CLUSTER_NAME=${CLUSTER_NAME} >> $GITHUB_OUTPUT - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.SHA }} &> /dev/null; do sleep 45s; done - done - - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version: ${{ 
env.go_version }} - - - name: Install Kops - uses: cilium/scale-tests-action/install-kops@4689ca99d3e860339e439006ff7a26d8f6a86e09 # main - - - name: Setup gcloud credentials - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 - with: - workload_identity_provider: ${{ secrets.GCP_PERF_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PERF_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Setup gcloud CLI - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - version: ${{ env.gcloud_version }} - - - name: Clone ClusterLoader2 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - repository: kubernetes/perf-tests - # Avoid using renovate to update this dependency because: (1) - # perf-tests does not tag or release, so renovate will pull - # all updates to the default branch and (2) continually - # updating CL2 may impact the stability of the scale test - # results. - ref: 6eb52ac89d5de15a0ad13cfeb2b2026e57ce4f64 - persist-credentials: false - sparse-checkout: clusterloader2 - path: perf-tests - - - name: Setup CL2 - run: | - # CL2 needs ssh access to control plane nodes - gcloud compute config-ssh - - # Copy the custom configs to the folder where CL2 expects them. - cp -r .github/actions/cl2-modules ./perf-tests/clusterloader2/testing/custom - - cd ./perf-tests/clusterloader2 - - # CL2 hardcodes module paths to live in ./testing/load, even - # if the path given is relative. 
- cp ../../.github/actions/cl2-modules/cilium-agent-pprofs.yaml ./testing/load/ - cp ../../.github/actions/cl2-modules/cilium-metrics.yaml ./testing/load/ - echo \ - '{"CL2_ADDITIONAL_MEASUREMENT_MODULES": ["./cilium-agent-pprofs.yaml", "./cilium-metrics.yaml"]}' \ - > modules.yaml - - go build ./cmd/clusterloader.go - - - name: Deploy cluster - id: deploy-cluster - uses: cilium/scale-tests-action/create-cluster@4689ca99d3e860339e439006ff7a26d8f6a86e09 # main - timeout-minutes: 30 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - control_plane_size: n1-standard-8 - control_plane_count: 1 - node_size: e2-standard-8 - node_count: 1 - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - kube_proxy_enabled: false - - - name: Setup firewall rules - uses: cilium/scale-tests-action/setup-firewall@4689ca99d3e860339e439006ff7a26d8f6a86e09 # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ inputs.SHA || github.sha }} - - - name: Display version info of installed tools - run: | - echo "--- go ---" - go version - echo "--- cilium-cli ---" - cilium version --client - echo "--- kops ---" - ./kops version - echo "--- gcloud ---" - gcloud version - - - name: Install Cilium - run: | - cilium install --dry-run-helm-values ${{ steps.vars.outputs.cilium_install_defaults }} - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for cluster to be ready - uses: cilium/scale-tests-action/validate-cluster@4689ca99d3e860339e439006ff7a26d8f6a86e09 # main - timeout-minutes: 20 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - interval: 10s - - - name: Run CL2 to setup prometheus - shell: 
bash - working-directory: ./perf-tests/clusterloader2 - env: - CL2_PROMETHEUS_PVC_ENABLED: "false" - CL2_PROMETHEUS_SCRAPE_CILIUM_OPERATOR: "true" - CL2_PROMETHEUS_SCRAPE_CILIUM_AGENT: "true" - CL2_PROMETHEUS_MEMORY_SCALE_FACTOR: 2.0 - timeout-minutes: 10 - run: | - # Don't run any tasks at this point, just setup the monitoring stack - ./clusterloader \ - -v=2 \ - --testconfig=./testing/custom/common/setup.yaml \ - --testoverrides=./testing/prometheus/not-scrape-kube-proxy.yaml \ - --provider=gce \ - --enable-exec-service=false \ - --enable-prometheus-server \ - --tear-down-prometheus-server=false \ - --kubeconfig=$HOME/.kube/config \ - 2>&1 | tee cl2-setup.txt - - - name: Create Instance Group for workload deployments - uses: cilium/scale-tests-action/create-instance-group@4689ca99d3e860339e439006ff7a26d8f6a86e09 # main - timeout-minutes: 30 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - node_size: e2-medium - node_count: 100 - ig_name: workloads - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Wait for cluster to be ready - uses: cilium/scale-tests-action/validate-cluster@4689ca99d3e860339e439006ff7a26d8f6a86e09 # main - timeout-minutes: 20 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - interval: 10s - - - name: Setup firewall rules - uses: cilium/scale-tests-action/setup-firewall@4689ca99d3e860339e439006ff7a26d8f6a86e09 # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - create_native_routing_firewall: 'false' - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - - - name: Run CL2 - id: run-cl2 - working-directory: ./perf-tests/clusterloader2 - shell: bash - timeout-minutes: 40 - env: - CL2_ENABLE_PVS: "false" - CL2_ENABLE_NETWORKPOLICIES: "true" - CL2_ALLOWED_SLOW_API_CALLS: 1 - CL2_SCHEDULER_THROUGHPUT_THRESHOLD: 0 - CL2_PROMETHEUS_PVC_ENABLED: "false" - CL2_PROMETHEUS_SCRAPE_CILIUM_OPERATOR: "true" - 
CL2_PROMETHEUS_SCRAPE_CILIUM_AGENT: "true" - CL2_PROMETHEUS_MEMORY_SCALE_FACTOR: 2.0 - run: | - ./clusterloader \ - -v=2 \ - --testconfig=./testing/load/config.yaml \ - --provider=gce \ - --enable-prometheus-server \ - --tear-down-prometheus-server=false \ - --nodes=100 \ - --report-dir=./report \ - --experimental-prometheus-snapshot-to-report-dir=true \ - --kubeconfig=$HOME/.kube/config \ - --testoverrides=./testing/overrides/load_throughput.yaml \ - --testoverrides=./testing/experiments/use_simple_latency_query.yaml \ - --testoverrides=./testing/prometheus/not-scrape-kube-proxy.yaml \ - --testoverrides=./modules.yaml \ - 2>&1 | tee cl2-output.txt - - - name: Get sysdump - if: ${{ always() && steps.run-cl2.outcome != 'skipped' && steps.run-cl2.outcome != 'cancelled' }} - run: | - cilium status - cilium sysdump --output-filename cilium-sysdump-final - sudo chmod +r cilium-sysdump-final.zip - - - name: Cleanup cluster - if: ${{ always() && steps.deploy-cluster.outcome != 'skipped' }} - uses: cilium/scale-tests-action/cleanup-cluster@4689ca99d3e860339e439006ff7a26d8f6a86e09 # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Export results and sysdump to GS bucket - if: ${{ always() && steps.run-cl2.outcome != 'skipped' && steps.run-cl2.outcome != 'cancelled' }} - uses: cilium/scale-tests-action/export-results@4689ca99d3e860339e439006ff7a26d8f6a86e09 # main - with: - test_name: ${{ env.test_name }} - results_bucket: ${{ env.GCP_PERF_RESULTS_BUCKET }} - artifacts: ./perf-tests/clusterloader2/report/* - other_files: cilium-sysdump-final.zip ./perf-tests/clusterloader2/cl2-output.txt - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: install-and-scaletest - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || 
github.sha }} - status: ${{ needs.install-and-scaletest.result }} diff --git a/.github/workflows/scale-test-clustermesh.yaml b/.github/workflows/scale-test-clustermesh.yaml deleted file mode 100644 index 863f8fde1b90c..0000000000000 --- a/.github/workflows/scale-test-clustermesh.yaml +++ /dev/null 
@@ -1,411 +0,0 @@ -name: Cluster Mesh Scale Test (scale-clustermesh) - -on: - schedule: - - cron: '39 12 * * 1-5' - - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - -# For testing uncomment following lines: -# push: -# branches: -# - your_branch_name - -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To be able to request the JWT from GitHub's OIDC provider - id-token: write - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=golang-version depName=go - go_version: 1.23.1 - # renovate: datasource=docker depName=google/cloud-sdk - gcloud_version: 492.0.0 - # renovate: datasource=git-refs depName=https://github.com/cilium/scaffolding branch=main - cmapisrv_mock_ref: 1a8270b60cc9024036c1eb26a720ff9ddb254b81 - - test_name: scale-clustermesh - cluster_name: ${{ github.run_id }}-${{ github.run_attempt }} - mock_clusters: 250 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-latest - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - install-and-test: - runs-on: ubuntu-latest - name: Install and Cluster Mesh Scale Test - timeout-minutes: 60 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ] ; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - # Adding k8s.local to the end makes kops happy - # has stricter DNS naming requirements. 
- CLUSTER_NAME="${{ env.test_name }}-${{ env.cluster_name }}.k8s.local" - - echo SHA=${SHA} >> $GITHUB_OUTPUT - echo CLUSTER_NAME=${CLUSTER_NAME} >> $GITHUB_OUTPUT - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci clustermesh-apiserver-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.SHA }} &> /dev/null; do sleep 45s; done - done - - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version: ${{ env.go_version }} - - - name: Install Kops - uses: cilium/scale-tests-action/install-kops@746605acaf51e628ba5b8941d547c7cf32655358 # main - - - name: Setup gcloud credentials - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 - with: - workload_identity_provider: ${{ secrets.GCP_PERF_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PERF_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Setup gcloud CLI - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - version: ${{ env.gcloud_version }} - - - name: Clone ClusterLoader2 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - repository: kubernetes/perf-tests - # Avoid using renovate to update this dependency because: (1) - # perf-tests does not tag or release, so renovate will pull - # all updates to the default branch and (2) continually - # updating CL2 may impact the stability of the scale test - # results. 
- ref: 6eb52ac89d5de15a0ad13cfeb2b2026e57ce4f64 - persist-credentials: false - sparse-checkout: clusterloader2 - path: perf-tests - - - name: Clone the Cluster Mesh API Server Mock - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - repository: cilium/scaffolding - ref: ${{ env.cmapisrv_mock_ref }} - persist-credentials: false - sparse-checkout: cmapisrv-mock - path: scaffolding - - - name: Deploy cluster - id: deploy-cluster - uses: cilium/scale-tests-action/create-cluster@746605acaf51e628ba5b8941d547c7cf32655358 # main - timeout-minutes: 30 - with: - cluster_name: ${{ steps.vars.outputs.CLUSTER_NAME }} - control_plane_size: n2-standard-8 - control_plane_count: 1 - node_size: n2-standard-8 - node_count: 1 - node_cidr: 100.0.0.0/16 - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - kube_proxy_enabled: false - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ inputs.SHA || github.sha }} - - - name: Display version info of installed tools - run: | - echo "--- go ---" - go version - echo "--- cilium-cli ---" - cilium version --client - echo "--- kops ---" - ./kops version - echo "--- gcloud ---" - gcloud version - - - name: Setup firewall rules - uses: cilium/scale-tests-action/setup-firewall@746605acaf51e628ba5b8941d547c7cf32655358 # main - with: - cluster_name: ${{ steps.vars.outputs.CLUSTER_NAME }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.SHA }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Install Cilium - id: install-cilium - run: | - # * Increase the node BPF map size to account for the total number of nodes. - # * Disable health checking, as mocked nodes are unreachable. - cilium install \ - --chart-directory=untrusted/install/kubernetes/cilium \ - --set image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.SHA }} \ - --set operator.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator-generic-ci:${{ steps.vars.outputs.SHA }} \ - --set clustermesh.apiserver.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci:${{ steps.vars.outputs.SHA }} \ - --set ipam.mode=kubernetes \ - --set kubeProxyReplacement=true \ - --set k8sServiceHost=api.internal.${{ steps.vars.outputs.CLUSTER_NAME }} \ - --set k8sServicePort=443 \ - --set pprof.enabled=true \ - --set prometheus.enabled=true \ - --set cluster.name=${{ env.test_name }}-${{ env.cluster_name }} \ - --set cluster.id=255 \ - --set operator.replicas=1 \ - --set operator.nodeSelector.node-role\\.kubernetes\\.io/control-plane= \ - --set bpf.nodeMapMax=65536 \ - --set healthChecking=false \ - --set endpointHealthChecking.enabled=false - - # This step must be run after installing Cilium, as it requires - # system pods (e.g., coredns) to be running. 
- - name: Wait for cluster to be ready - uses: cilium/scale-tests-action/validate-cluster@746605acaf51e628ba5b8941d547c7cf32655358 # main - timeout-minutes: 20 - with: - cluster_name: ${{ steps.vars.outputs.CLUSTER_NAME }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - - - name: Setup CL2 - run: | - # CL2 needs ssh access to control plane nodes - gcloud compute config-ssh - - # Copy the custom configs to the folder where CL2 expects them. - cp -r .github/actions/cl2-modules ./perf-tests/clusterloader2/testing/custom - - - name: Run CL2 to setup prometheus - shell: bash - working-directory: ./perf-tests/clusterloader2 - env: - CL2_PROMETHEUS_PVC_ENABLED: "false" - CL2_PROMETHEUS_SCRAPE_CILIUM_OPERATOR: "true" - CL2_PROMETHEUS_SCRAPE_CILIUM_AGENT: "true" - CL2_PROMETHEUS_MEMORY_SCALE_FACTOR: 4.0 - timeout-minutes: 10 - run: | - # Don't run any tasks at this point, just setup the monitoring stack - go run ./cmd/clusterloader.go \ - -v=2 \ - --testconfig=./testing/custom/common/setup.yaml \ - --testoverrides=./testing/prometheus/not-scrape-kube-proxy.yaml \ - --provider=gce \ - --enable-exec-service=false \ - --enable-prometheus-server \ - --tear-down-prometheus-server=false \ - --kubeconfig=$HOME/.kube/config \ - 2>&1 | tee cl2-setup.txt - - - name: Deploy the Cluster Mesh API Server Mock - run: | - helm install cmapisrv-mock \ - ./scaffolding/cmapisrv-mock/deploy/cmapisrv-mock \ - --namespace kube-system \ - --set image.repository=quay.io/cilium/cmapisrv-mock \ - --set image.tag=${{ env.cmapisrv_mock_ref }} \ - --set nodeSelector.node-role\\.kubernetes\\.io/control-plane= \ - --set tolerations[0].key=node-role.kubernetes.io/control-plane \ - --set tolerations[0].operator=Exists \ - --set config.ipv6=false \ - --set config.clusters=${{ env.mock_clusters }} \ - --set config.nodes=100 \ - --set config.nodesQPS=0.1 \ - --set config.identities=100 \ - --set config.identitiesQPS=0.2 \ 
- --set config.endpoints=1000 \ - --set config.endpointsQPS=1 \ - --set config.services=0 \ - --set config.servicesQPS=0 \ - --set serviceMonitor=true - - kubectl -n kube-system wait --for=condition=Ready pod \ - -l app.kubernetes.io/name=cmapisrv-mock --timeout=300s - - - name: Enable KVStoreMesh and configure Cilium to connect to the Cluster Mesh API Server Mock - run: | - cat< values-clustermesh-config.yaml - clustermesh: - config: - enabled: true - clusters: - EOF - - for i in $(seq 1 ${{ env.mock_clusters }}); do - printf " - name: cluster-%03d\n" ${i} - printf " address: cmapisrv-mock.kube-system.svc\n" - printf " port: 2379\n" - done >> values-clustermesh-config.yaml - - # * We enable KVStoreMesh only at this point to leverage the bootstrap QPS - # and speed-up the overall bootstrap process. - # * Increase the KVStoreMesh QPS to match the ones of the cmapisrv-mock, - # as not a problem considering the limited number of watchers. - # * Store etcd data directly in memory, for improved performance. 
- cilium upgrade --reuse-values \ - --chart-directory=untrusted/install/kubernetes/cilium \ - --set clustermesh.useAPIServer=true \ - --set clustermesh.apiserver.etcd.storageMedium=Memory \ - --set clustermesh.apiserver.kvstoremesh.enabled=true \ - --set clustermesh.apiserver.kvstoremesh.extraArgs[0]=--kvstore-opt=etcd.qps=1000 \ - --set clustermesh.apiserver.nodeSelector.node-role\\.kubernetes\\.io/control-plane= \ - --set clustermesh.apiserver.tolerations[0].key=node-role.kubernetes.io/control-plane \ - --set clustermesh.apiserver.tolerations[0].operator=Exists \ - --set clustermesh.apiserver.metrics.serviceMonitor.enabled=true \ - --values values-clustermesh-config.yaml - - cilium status --wait - cilium clustermesh status --wait --wait-duration=5m - - - name: Run CL2 - id: run-cl2 - shell: bash - working-directory: ./perf-tests/clusterloader2 - env: - CL2_PROMETHEUS_PVC_ENABLED: "false" - CL2_PROMETHEUS_SCRAPE_CILIUM_OPERATOR: "true" - CL2_PROMETHEUS_SCRAPE_CILIUM_AGENT: "true" - CL2_PROMETHEUS_MEMORY_SCALE_FACTOR: 4.0 - timeout-minutes: 30 - run: | - go run ./cmd/clusterloader.go \ - -v=2 \ - --testconfig=./testing/custom/clustermesh/config.yaml \ - --testoverrides=./testing/prometheus/not-scrape-kube-proxy.yaml \ - --provider=gce \ - --nodes=1 \ - --enable-prometheus-server \ - --tear-down-prometheus-server=false \ - --report-dir=./report \ - --experimental-prometheus-snapshot-to-report-dir=true \ - --kubeconfig=$HOME/.kube/config \ - 2>&1 | tee cl2-output.txt - - - name: Get sysdump - if: ${{ always() && steps.install-cilium.outcome != 'skipped' && steps.install-cilium.outcome != 'cancelled' }} - run: | - cilium status - cilium sysdump --output-filename cilium-sysdump-final - - - name: Upload sysdump - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' && steps.install-cilium.outcome != 'cancelled' }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdump - path: cilium-sysdump-final.zip - 
retention-days: 1 - - - name: Cleanup cluster - if: ${{ always() && steps.deploy-cluster.outcome != 'skipped' }} - uses: cilium/scale-tests-action/cleanup-cluster@746605acaf51e628ba5b8941d547c7cf32655358 # main - with: - cluster_name: ${{ steps.vars.outputs.CLUSTER_NAME }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Export results and sysdump to GS bucket - if: ${{ always() && steps.run-cl2.outcome != 'skipped' && steps.run-cl2.outcome != 'cancelled' }} - uses: cilium/scale-tests-action/export-results@746605acaf51e628ba5b8941d547c7cf32655358 # main - with: - test_name: ${{ env.test_name }} - results_bucket: ${{ env.GCP_PERF_RESULTS_BUCKET }} - artifacts: ./perf-tests/clusterloader2/report/* - other_files: cilium-sysdump-final.zip ./perf-tests/clusterloader2/cl2-output.txt - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: install-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.install-and-test.result }} diff --git a/.github/workflows/scale-test-node-throughput-gce.yaml b/.github/workflows/scale-test-node-throughput-gce.yaml deleted file mode 100644 index daf6802102b3e..0000000000000 --- a/.github/workflows/scale-test-node-throughput-gce.yaml +++ /dev/null 
@@ -1,227 +0,0 @@ -name: Node Throughput Test - -on: - schedule: - - cron: '39 0 * * *' - -# For testing uncomment following lines: -# push: -# branches: -# - your_branch_name - -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To be able to request the JWT from GitHub's OIDC provider - id-token: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. - group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=golang-version depName=go - go_version: 1.23.1 - # Adding k8s.local to the end makes kops happy- - # has stricter DNS naming requirements. 
- test_name: node-throughput - cluster_name: ${{ github.run_id }}-${{ github.run_attempt }} - GCP_PERF_RESULTS_BUCKET: gs://cilium-scale-results - # renovate: datasource=docker depName=google/cloud-sdk - gcloud_version: 492.0.0 - -jobs: - install-and-scaletest: - runs-on: ubuntu-latest - name: Install and Scale Test - timeout-minutes: 120 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ github.sha }} - - - name: Set up job variables - id: vars - run: | - SHA="${{ github.sha }}" - - # Setup Cilium install options - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=cluster.name=${{ env.cluster_name }} \ - --wait=false" - - # Adding k8s.local to the end makes kops happy - # has stricter DNS naming requirements. 
- CLUSTER_NAME="${{ env.test_name }}-${{ env.cluster_name }}.k8s.local" - - echo SHA=${SHA} >> $GITHUB_OUTPUT - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo CLUSTER_NAME=${CLUSTER_NAME} >> $GITHUB_OUTPUT - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.SHA }} &> /dev/null; do sleep 45s; done - done - - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - go-version: ${{ env.go_version }} - - - name: Install Kops - uses: cilium/scale-tests-action/install-kops@746605acaf51e628ba5b8941d547c7cf32655358 # main - - - name: Setup gcloud credentials - uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 - with: - workload_identity_provider: ${{ secrets.GCP_PERF_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PERF_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Setup gcloud CLI - uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1 - with: - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - version: ${{ env.gcloud_version }} - - - name: Clone ClusterLoader2 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - repository: kubernetes/perf-tests - # Avoid using renovate to update this dependency because: (1) - # perf-tests does not tag or release, so renovate will pull - # all updates to the default branch and (2) continually - # updating CL2 may impact the stability of the scale test - # results. 
- ref: 920c39ef245a81bd8fb39d7fecf39eb35820d9ef - persist-credentials: false - sparse-checkout: clusterloader2 - path: perf-tests - - - name: Deploy cluster - id: deploy-cluster - uses: cilium/scale-tests-action/create-cluster@746605acaf51e628ba5b8941d547c7cf32655358 # main - timeout-minutes: 30 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - control_plane_size: n2-standard-4 - control_plane_count: 1 - node_size: e2-standard-8 - node_count: 1 - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.SHA }} - - - name: Display version info of installed tools - run: | - echo "--- go ---" - go version - echo "--- cilium-cli ---" - cilium version --client - echo "--- kops ---" - ./kops version - echo "--- gcloud ---" - gcloud version - - - name: Setup firewall rules - uses: cilium/scale-tests-action/setup-firewall@746605acaf51e628ba5b8941d547c7cf32655358 # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - - - name: Install Cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for cluster to be ready - uses: cilium/scale-tests-action/validate-cluster@746605acaf51e628ba5b8941d547c7cf32655358 # main - timeout-minutes: 20 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - - - name: Run CL2 - id: run-cl2 - working-directory: ./perf-tests/clusterloader2 - timeout-minutes: 30 - shell: bash - # --enable-exec-service=false to reduce number of pods so 100 pods can fit in node - # POD_STARTUP_LATENCY_THRESHOLD=60s so the test doesn't fail, currently we have ~30s 
pods startup latency - run: | - mkdir ./report - echo POD_STARTUP_LATENCY_THRESHOLD: 60s >> ./testoverrides.yaml - echo POD_COUNT: 98 >> ./testoverrides.yaml - - go run ./cmd/clusterloader.go \ - -v=4 \ - --testconfig=./testing/node-throughput/config.yaml \ - --testoverrides=./testoverrides.yaml \ - --enable-exec-service=false \ - --provider=gce \ - --enable-prometheus-server \ - --testoverrides=./testing/prometheus/not-scrape-kube-proxy.yaml \ - --tear-down-prometheus-server=false \ - --report-dir=./report \ - --kubeconfig=$HOME/.kube/config \ - 2>&1 | tee cl2-output.txt - - - name: Get sysdump - if: ${{ always() && steps.run-cl2.outcome != 'skipped' }} - run: | - cilium status - cilium sysdump --output-filename cilium-sysdump-final - - - name: Cleanup cluster - if: ${{ always() && steps.deploy-cluster.outcome != 'skipped' }} - uses: cilium/scale-tests-action/cleanup-cluster@746605acaf51e628ba5b8941d547c7cf32655358 # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Export results and sysdump to GS bucket - if: ${{ always() && steps.run-cl2.outcome != 'skipped' }} - uses: cilium/scale-tests-action/export-results@746605acaf51e628ba5b8941d547c7cf32655358 # main - with: - test_name: ${{ env.test_name }} - results_bucket: ${{ env.GCP_PERF_RESULTS_BUCKET }} - artifacts: ./perf-tests/clusterloader2/report/* - other_files: cilium-sysdump-final.zip ./perf-tests/clusterloader2/cl2-output.txt diff --git a/.github/workflows/tests-ces-migrate.yaml b/.github/workflows/tests-ces-migrate.yaml deleted file mode 100644 index 83d92ccd47168..0000000000000 --- a/.github/workflows/tests-ces-migrate.yaml +++ /dev/null 
@@ -1,237 +0,0 @@ -name: CiliumEndpointSlice migration (ci-ces-migrate) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 8 hours - schedule: - - cron: '0 5/8 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - KIND_CONFIG: .github/kind-config.yaml - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - wait-for-images: - name: Wait for images - runs-on: ubuntu-latest - timeout-minutes: 30 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - name: Wait for images - uses: ./.github/actions/wait-for-images - with: - SHA: ${{ inputs.SHA }} - images: cilium-ci operator-generic-ci hubble-relay-ci cilium-cli-ci - - setup-and-test: - needs: [wait-for-images] - runs-on: ubuntu-latest - name: Installation and Migration Test - timeout-minutes: 30 - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout target branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.base_ref || github.ref }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - 
SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ${{ env.KIND_CONFIG }} - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Set up install variables - id: cilium-config - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: 'install/kubernetes/cilium' - ipv6: false - egress-gateway: false # Currently incompatible with CES - mutual-auth: false - misc: 'bpfClockProbe=false,cni.uninstall=false' - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.cilium-config.outputs.config }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl get pods --all-namespaces -o wide - mkdir -p cilium-junits - kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium-dbg status - - - name: Setup conn-disrupt-test - uses: ./.github/actions/conn-disrupt-test-setup - - - name: Enable CiliumEndpointSlice - shell: bash - run: | - kubectl patch -n kube-system configmap cilium-config --type merge --patch '{"data":{"enable-cilium-endpoint-slice":"true"}}' - - kubectl rollout restart -n kube-system deployment cilium-operator - for i in $(seq 1 6); - do - if [[ $(kubectl get crd ciliumendpointslices.cilium.io) != "" ]]; then - break - fi - sleep 10 - done - - kubectl wait --for condition=established --timeout=2m crd/ciliumendpointslices.cilium.io - - kubectl rollout restart -n kube-system ds 
cilium - - cilium status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium-dbg status - - - name: Run tests after migration - uses: ./.github/actions/conn-disrupt-test-check - with: - job-name: ces-enable - full-test: 'true' - - - name: Fetch artifacts - if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }} - # The following is needed to prevent hubble from receiving an empty - # file (EOF) on stdin and displaying no flows. - shell: 'script -q -e -c "bash --noprofile --norc -eo pipefail {0}"' - run: | - echo "=== Retrieve cluster state ===" - kubectl get pods --all-namespaces -o wide - cilium status - mkdir -p cilium-sysdumps - - cilium sysdump --output-filename cilium-sysdumps-out - - - name: Upload cilium-sysdumps - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - if: ${{ failure() }} - with: - name: cilium-sysdumps-out.zip - path: cilium-sysdumps-out.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} \ No newline at end of file diff --git a/.github/workflows/tests-cifuzz.yaml b/.github/workflows/tests-cifuzz.yaml deleted file mode 100644 index ba8ec96bf89b6..0000000000000 --- a/.github/workflows/tests-cifuzz.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -name: CIFuzz -on: - pull_request: - paths-ignore: - - 'Documentation/**' -permissions: read-all -jobs: - Fuzzing: - name: Build and Run Fuzzers - runs-on: ubuntu-latest - steps: - - name: Build Fuzzers - id: build - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@723bdbc7a8ee1e95af24284583b25d41efc0bd41 - with: - oss-fuzz-project-name: 'cilium' - dry-run: false - language: go - - name: Run Fuzzers - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@723bdbc7a8ee1e95af24284583b25d41efc0bd41 - with: - oss-fuzz-project-name: 'cilium' - fuzz-seconds: 600 - dry-run: false - language: go - - name: Upload Crash - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - if: failure() && steps.build.outcome == 'success' - with: - name: artifacts - path: ./out/artifacts diff --git a/.github/workflows/tests-clustermesh-upgrade.yaml b/.github/workflows/tests-clustermesh-upgrade.yaml deleted file mode 100644 index a2bdfa53cd052..0000000000000 --- a/.github/workflows/tests-clustermesh-upgrade.yaml +++ /dev/null 
@@ -1,780 +0,0 @@ -name: Cilium Cluster Mesh upgrade (ci-clustermesh) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - main - - ft/main/** - - 'renovate/main-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - - clusterName1: cluster1 - clusterName2: cluster2 - contextName1: kind-cluster1 - contextName2: kind-cluster2 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - upgrade-and-downgrade: - name: "Upgrade and Downgrade Test" - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - timeout-minutes: 60 - env: - job_name: "Installation and Connectivity Test" - - strategy: - fail-fast: false - matrix: - include: - - name: '1' - encryption: 'disabled' - kube-proxy: 'iptables' - external-kvstore: false - max-connected-clusters: 255 - cm-auth-mode: 'legacy' - - - name: '2' - encryption: 'disabled' - kube-proxy: 'none' - external-kvstore: false - max-connected-clusters: 511 - cm-auth-mode: 'migration' - - # Currently, ipsec requires to synchronously regenerate the host - # endpoint to ensure ordering (#25735). Given that this is a blocking - # operation, we cannot wait for full clustermesh synchronization - # for an extended period of time, as that would prevent the agents from - # becoming ready (and new pods scheduled). 
This means that we will - # experience cross-cluster connection drops during upgrades/downgrades, - # given that the timeout is too low to account for the initialization - # of a new clustermesh-apiserver replica (while it is enough to prevent - # issues in case of agent restarts, if all remote clusters are ready, - # as well as when connecting to an external kvstore as in this case). - - name: '3' - encryption: 'ipsec' - kube-proxy: 'iptables' - external-kvstore: true - max-connected-clusters: 255 - - - name: '4' - encryption: 'wireguard' - kube-proxy: 'iptables' - external-kvstore: false - max-connected-clusters: 511 - cm-auth-mode: 'cluster' - - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up newest settings - id: newest-vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/cilium-newest/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh stable) - echo "downgrade_version=${CILIUM_DOWNGRADE_VERSION}" >> $GITHUB_OUTPUT - - # * Monitor aggregation is set to medium to avoid the performance penalty - # in the testing environment due to the relatively high traffic load. - # * We explicitly configure the IPAM mode to prevent it from being - # reset to the default value on upgrade/downgrade due to --reset-values. 
- # * We explicitly configure the sync timeout to a higher value to - # give enough time to the clustermesh-apiserver to restart after - # the upgrade/downgrade before that agents regenerate the endpoints. - # * We configure the maximum number of unavailable agents to 1 to slow - # down the rollout process and highlight possible connection disruption - # occurring in the meanwhile. - CILIUM_INSTALL_DEFAULTS=" \ - --disable-check=minimum-version \ - --set=debug.enabled=true \ - --set=bpf.monitorAggregation=medium \ - --set=hubble.enabled=true \ - --set=routingMode=tunnel \ - --set=tunnelProtocol=vxlan \ - --set=ipv4.enabled=true \ - --set=ipv6.enabled=true \ - --set=kubeProxyReplacement=${{ matrix.kube-proxy == 'none' }} \ - --set=bpf.masquerade=${{ matrix.kube-proxy == 'none' }} \ - --set=ipam.mode=kubernetes \ - --set=operator.replicas=1 \ - --set=updateStrategy.rollingUpdate.maxUnavailable=1 \ - --set=clustermesh.useAPIServer=${{ !matrix.external-kvstore }} \ - --set=clustermesh.maxConnectedClusters=${{ matrix.max-connected-clusters }} \ - --set=clustermesh.config.enabled=true \ - --set=extraConfig.clustermesh-sync-timeout=10m \ - --set=clustermesh.apiserver.readinessProbe.periodSeconds=1 \ - --set=clustermesh.apiserver.kvstoremesh.readinessProbe.periodSeconds=1 \ - --set=clustermesh.apiserver.updateStrategy.rollingUpdate.maxSurge=1 `# Use surge update strategy to enable clients to failover` \ - --set=clustermesh.apiserver.updateStrategy.rollingUpdate.maxUnavailable=0 \ - --set=clustermesh.apiserver.tls.authMode=${{ matrix.cm-auth-mode }} \ - " - - # Run only a limited subset of tests to reduce the amount of time - # required. The full suite is run in conformance-clustermesh. 
- CONNECTIVITY_TEST_DEFAULTS=" \ - --hubble=false \ - --flow-validation=disabled \ - --test='no-interrupted-connections' \ - --test='no-unexpected-packet-drops' \ - --test='no-policies/' \ - --test='no-policies-extra/' \ - --test='allow-all-except-world/' \ - --test='client-ingress/' \ - --test='client-egress/' \ - --test='cluster-entity-multi-cluster/' \ - --test='!/pod-to-world' \ - --test='!/pod-to-cidr' \ - --collect-sysdump-on-failure" - - CILIUM_INSTALL_ENCRYPTION="" - if [ "${{ matrix.encryption }}" != "disabled" ]; then - CILIUM_INSTALL_ENCRYPTION=" \ - --set=encryption.enabled=true \ - --set=encryption.type=${{ matrix.encryption }}" - fi - - echo "cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} ${CILIUM_INSTALL_ENCRYPTION}" >> $GITHUB_OUTPUT - echo "connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS}" >> $GITHUB_OUTPUT - - - name: Generate Kind configuration files - run: | - PODCIDR=10.242.0.0/16,fd00:10:242::/48 \ - SVCCIDR=10.243.0.0/16,fd00:10:243::/112 \ - IPFAMILY=dual \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster1.yaml - - PODCIDR=10.244.0.0/16,fd00:10:244::/48 \ - SVCCIDR=10.245.0.0/16,fd00:10:245::/112 \ - IPFAMILY=dual \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster2.yaml - - - name: Create Kind cluster 1 - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - cluster_name: ${{ env.clusterName1 }} - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ./.github/kind-config-cluster1.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Create Kind cluster 2 - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - cluster_name: ${{ env.clusterName2 }} - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE 
}} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ./.github/kind-config-cluster2.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ inputs.SHA || github.sha }} - - # Make sure that coredns uses IPv4-only upstream DNS servers also in case of clusters - # with IP family dual, since IPv6 ones are not reachable and cause spurious failures. - # Additionally, this is also required to workaround - # https://github.com/cilium/cilium/issues/23283#issuecomment-1597282247. - - name: Configure the coredns nameservers - run: | - COREDNS_PATCH=" - spec: - template: - spec: - dnsPolicy: None - dnsConfig: - nameservers: - - 8.8.4.4 - - 8.8.8.8 - " - - kubectl --context ${{ env.contextName1 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH" - kubectl --context ${{ env.contextName2 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH" - - - name: Create the IPSec secret in both clusters - if: matrix.encryption == 'ipsec' - run: | - SECRET="3 rfc4106(gcm(aes)) $(openssl rand -hex 20) 128" - kubectl --context ${{ env.contextName1 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - kubectl --context ${{ env.contextName2 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - - - name: Start kvstore clusters - id: kvstore - if: matrix.external-kvstore - uses: ./.github/actions/kvstore - with: - clusters: 2 - - - name: Create the secret containing the kvstore credentials - if: matrix.external-kvstore - run: | - kubectl --context ${{ env.contextName1 }} create -n kube-system -f ${{ steps.kvstore.outputs.cilium_etcd_secrets_path }} - kubectl --context ${{ env.contextName2 }} create -n kube-system -f ${{ 
steps.kvstore.outputs.cilium_etcd_secrets_path }} - - - name: Set clustermesh connection parameters - id: clustermesh-vars - run: | - # Let's retrieve in advance the parameters to mesh the two clusters, so - # that we don't need to do that through the CLI in a second step, as it - # would be reset during upgrade (as we are resetting the values). - - # Explicitly configure the NodePorts to make sure that they are different - # in each cluster, to workaround #24692 - PORT1=32379 - PORT2=32380 - - CILIUM_INSTALL_CLUSTER1=" \ - --set cluster.name=${{ env.clusterName1 }} \ - --set cluster.id=1 \ - --set clustermesh.apiserver.service.nodePort=$PORT1 \ - " - - CILIUM_INSTALL_CLUSTER2=" \ - --set cluster.name=${{ env.clusterName2 }} \ - --set cluster.id=${{ matrix.max-connected-clusters }} \ - --set clustermesh.apiserver.service.nodePort=$PORT2 \ - " - - CILIUM_INSTALL_COMMON=" \ - --set clustermesh.config.clusters[0].name=${{ env.clusterName1 }} \ - --set clustermesh.config.clusters[1].name=${{ env.clusterName2 }} \ - " - - if [ "${{ matrix.external-kvstore }}" == "true" ]; then - CILIUM_INSTALL_COMMON="$CILIUM_INSTALL_COMMON \ - ${{ steps.kvstore.outputs.cilium_install_clustermesh }}" - else - IP1=$(kubectl --context ${{ env.contextName1 }} get nodes \ - ${{ env.clusterName1 }}-worker -o wide --no-headers | awk '{ print $6 }') - IP2=$(kubectl --context ${{ env.contextName2 }} get nodes \ - ${{ env.clusterName2 }}-worker -o wide --no-headers | awk '{ print $6 }') - - CILIUM_INSTALL_COMMON="$CILIUM_INSTALL_COMMON \ - --set clustermesh.config.clusters[0].ips={$IP1} \ - --set clustermesh.config.clusters[0].port=$PORT1 \ - --set clustermesh.config.clusters[1].ips={$IP2} \ - --set clustermesh.config.clusters[1].port=$PORT2 \ - " - fi - - echo cilium_install_cluster1="$CILIUM_INSTALL_CLUSTER1 $CILIUM_INSTALL_COMMON" >> $GITHUB_OUTPUT - echo cilium_install_cluster2="$CILIUM_INSTALL_CLUSTER2 $CILIUM_INSTALL_COMMON" >> $GITHUB_OUTPUT - - # Warning: since this is a privileged 
workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.newest-vars.outputs.sha }} - persist-credentials: false - path: untrusted/cilium-newest - sparse-checkout: | - install/kubernetes/cilium - - - name: Checkout ${{ steps.vars.outputs.downgrade_version }} branch - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.downgrade_version }} - persist-credentials: false - path: untrusted/cilium-downgrade - sparse-checkout: | - install/kubernetes/cilium - - - name: Set up downgrade settings - id: downgrade-vars - run: | - SHA="$(cd untrusted/cilium-downgrade && git rev-parse HEAD)" - CILIUM_IMAGE_SETTINGS=" \ - --chart-directory=./untrusted/cilium-downgrade/install/kubernetes/cilium \ - --set=image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${SHA} \ - --set=operator.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator-generic-ci:${SHA} \ - --set=clustermesh.apiserver.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci:${SHA} \ - --set=clustermesh.apiserver.kvstoremesh.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/kvstoremesh-ci:${SHA} \ - " - echo "sha=${SHA}" >> $GITHUB_OUTPUT - echo "cilium_image_settings=${CILIUM_IMAGE_SETTINGS}" >> $GITHUB_OUTPUT - - - name: Wait for images to be available (newest) - timeout-minutes: 10 - shell: bash - run: | - for image in cilium-ci operator-generic-ci clustermesh-apiserver-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.newest-vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Wait for images to be available (downgrade) - timeout-minutes: 10 - shell: bash - run: | - for image in cilium-ci operator-generic-ci clustermesh-apiserver-ci ; do - until docker 
manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.downgrade-vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - - name: Install Cilium in cluster1 - id: install-cilium-cluster1 - env: - KVSTORE_ID: 1 - run: | - cilium --context ${{ env.contextName1 }} install \ - ${{ steps.downgrade-vars.outputs.cilium_image_settings }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster1 }} - - - name: Copy the Cilium CA secret to cluster2, as they must match - if: ${{ !matrix.external-kvstore }} - run: | - kubectl --context ${{ env.contextName1 }} get secret -n kube-system cilium-ca -o yaml | - kubectl --context ${{ env.contextName2 }} create -f - - - - name: Install Cilium in cluster2 - env: - KVSTORE_ID: 2 - run: | - cilium --context ${{ env.contextName2 }} install \ - ${{ steps.newest-vars.outputs.cilium_install_defaults }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster2 }} - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName2 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test - pre-upgrade (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} - pre-upgrade (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property 
github_job_step="Run tests pre-upgrade (${{ join(matrix.*, ', ') }})" - - # Create pods which establish long lived connections. They will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} --hubble=false \ - --include-conn-disrupt-test --conn-disrupt-test-setup \ - --conn-disrupt-test-restarts-path "./cilium-conn-disrupt-restarts" \ - --conn-disrupt-dispatch-interval 0ms - - - - name: Upgrade Cilium in cluster1 - env: - KVSTORE_ID: 1 - run: | - cilium --context ${{ env.contextName1 }} upgrade --reset-values \ - ${{ steps.newest-vars.outputs.cilium_install_defaults }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster1 }} - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName2 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Set cilium connectivity test namespace - id: cilium-cli - run: | - NAMESPACE=$(kubectl get namespace -l "app.kubernetes.io/name=cilium-cli" -o name | sort | cut -d / -f 2 | head -1) - echo namespace="$NAMESPACE" >> $GITHUB_OUTPUT - ${{ steps.cilium-cli.outputs.namespace }} - - - name: Write the Service manifest for testing failover - if: ${{ !matrix.external-kvstore }} - run: | - cat << EOF > echo-failover.yaml - apiVersion: v1 - kind: Service - metadata: - annotations: - service.cilium.io/global: "true" - labels: - kind: echo - context: failover - name: echo-other-node-failover - namespace: ${{ steps.cilium-cli.outputs.namespace }} - spec: - ipFamilies: - - 
IPv4 - - IPv6 - ipFamilyPolicy: PreferDualStack - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - selector: - name: echo-other-node - sessionAffinity: None - type: ClusterIP - EOF - - - name: Restart clustermesh-apiserver and ensure client can connect to new Service - if: ${{ !matrix.external-kvstore }} - run: | - echo "Restarting clustermesh-apiserver deployments" - kubectl --context ${{ env.contextName2 }} -n kube-system rollout restart deployment -l k8s-app=clustermesh-apiserver - kubectl --context ${{ env.contextName2 }} -n kube-system rollout status deployment -l k8s-app=clustermesh-apiserver - - echo "Deploying a global Service to test failover" - kubectl --context ${{ env.contextName1 }} apply -f echo-failover.yaml - kubectl --context ${{ env.contextName2 }} apply -f echo-failover.yaml - - echo "Testing client connection to global Service" - kubectl --context ${{ env.contextName1 }} -n ${{ steps.cilium-cli.outputs.namespace }} exec deploy/client -i -- curl -s -v --connect-timeout 2 --max-time 5 --retry-max-time 60 --retry-all-errors --retry 10 --output /dev/null --fail echo-other-node-failover - - # Clean up the service so that it can be re-deployed in subsequent steps - kubectl --context ${{ env.contextName1 }} delete -f echo-failover.yaml - kubectl --context ${{ env.contextName2 }} delete -f echo-failover.yaml - - - name: Enable kvstoremesh on cluster1 - if: ${{ !matrix.external-kvstore }} - env: - KVSTORE_ID: 1 - run: | - cilium --context ${{ env.contextName1 }} upgrade --reset-values \ - ${{ steps.newest-vars.outputs.cilium_install_defaults }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster1 }} \ - --set clustermesh.apiserver.kvstoremesh.enabled=true - - - name: Wait for cluster mesh status to be ready - if: ${{ !matrix.external-kvstore }} - run: | - cilium --context ${{ env.contextName1 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName2 }} 
status --wait --wait-duration=10m - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Restart clustermesh-apiserver and ensure client can connect to new Service - if: ${{ !matrix.external-kvstore }} - run: | - echo "Restarting clustermesh-apiserver deployments" - kubectl --context ${{ env.contextName2 }} -n kube-system rollout restart deployment -l k8s-app=clustermesh-apiserver - kubectl --context ${{ env.contextName2 }} -n kube-system rollout status deployment -l k8s-app=clustermesh-apiserver - - echo "Deploying a global Service to test failover" - kubectl --context ${{ env.contextName1 }} apply -f echo-failover.yaml - kubectl --context ${{ env.contextName2 }} apply -f echo-failover.yaml - - echo "Testing client connection to global Service" - kubectl --context ${{ env.contextName1 }} -n ${{ steps.cilium-cli.outputs.namespace }} exec deploy/client -i -- curl -s -v --connect-timeout 2 --max-time 5 --retry-max-time 60 --retry-all-errors --retry 10 --output /dev/null --fail echo-other-node-failover - - # Clean up the service so that it can be re-deployed in subsequent steps - kubectl --context ${{ env.contextName1 }} delete -f echo-failover.yaml - kubectl --context ${{ env.contextName2 }} delete -f echo-failover.yaml - - - name: Gather additional troubleshooting information - run: | - kubectl --context ${{ env.contextName1 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName2 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName1 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl 
--context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --previous --ignore-errors --timestamps - - - name: Run connectivity test - post-upgrade (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --include-conn-disrupt-test \ - --conn-disrupt-test-restarts-path "./cilium-conn-disrupt-restarts" \ - --junit-file "cilium-junits/${{ env.job_name }} - post upgrade (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests post-upgrade (${{ join(matrix.*, ', ') }})" - - # Create pods which establish long lived connections. They will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} --hubble=false \ - --include-conn-disrupt-test --conn-disrupt-test-setup \ - --conn-disrupt-test-restarts-path "./cilium-conn-disrupt-restarts" \ - --conn-disrupt-dispatch-interval 0ms - - - # Perform an additional "stress" test, scaling the clustermesh-apiservers in both clusters - # to zero replicas, and restarting all agents. Existing connections should not be disrupted. - # One exception to this is represented by Cilium being in charge of handling NodePort - # traffic, as the simultaneous restart of the clustermesh-apiserver pods in both clusters - # after rolling out all agents can lead to a circular dependency (#30156). 
- - name: Scale the clustermesh-apiserver replicas to 0 - if: ${{ !matrix.external-kvstore }} - run: | - kubectl --context ${{ env.contextName1 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 0 - if [ ${{ matrix.kube-proxy }} != "none" ]; then - kubectl --context ${{ env.contextName2 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 0 - fi - - - name: Rollout Cilium agents in both clusters - run: | - kubectl --context ${{ env.contextName1 }} rollout restart -n kube-system ds/cilium - kubectl --context ${{ env.contextName2 }} rollout restart -n kube-system ds/cilium - - # Wait until all agents successfully restarted before scaling the replicas again - kubectl --context ${{ env.contextName1 }} rollout status -n kube-system ds/cilium --timeout=10m - kubectl --context ${{ env.contextName2 }} rollout status -n kube-system ds/cilium --timeout=10m - - - name: Scale the clustermesh-apiserver replicas back to 1 - if: ${{ !matrix.external-kvstore }} - run: | - kubectl --context ${{ env.contextName1 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 1 - kubectl --context ${{ env.contextName2 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 1 - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName2 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Gather additional troubleshooting information - run: | - kubectl --context ${{ env.contextName1 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName2 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName1 }} logs -n ${{ 
steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --previous --ignore-errors --timestamps - - - name: Run connectivity test - stress-test (${{ join(matrix.*, ', ') }}) - run: | - # Only check that no long living connection was disrupted - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - --hubble=false \ - --flow-validation=disabled \ - --test='no-interrupted-connections' \ - --test='no-unexpected-packet-drops' \ - --include-conn-disrupt-test \ - --conn-disrupt-test-restarts-path "./cilium-conn-disrupt-restarts" \ - --junit-file "cilium-junits/${{ env.job_name }} - stress test (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests stess-test (${{ join(matrix.*, ', ') }})" - - # Create pods which establish long lived connections. They will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. 
- cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} --hubble=false \ - --include-conn-disrupt-test --conn-disrupt-test-setup \ - --conn-disrupt-test-restarts-path "./cilium-conn-disrupt-restarts" \ - --conn-disrupt-dispatch-interval 0ms - - - - name: Downgrade Cilium in cluster1 and disable kvstoremesh - env: - KVSTORE_ID: 1 - run: | - cilium --context ${{ env.contextName1 }} upgrade --reset-values \ - ${{ steps.downgrade-vars.outputs.cilium_image_settings }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster1 }} - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName2 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Gather additional troubleshooting information - run: | - kubectl --context ${{ env.contextName1 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName2 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName1 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --previous --ignore-errors --timestamps - - - name: Run connectivity test - post-downgrade (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} 
connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --include-conn-disrupt-test \ - --conn-disrupt-test-restarts-path "./cilium-conn-disrupt-restarts" \ - --junit-file "cilium-junits/${{ env.job_name }} - post downgrade (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests post-downgrade (${{ join(matrix.*, ', ') }})" - - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium-cluster1.outcome != 'skipped' }} - run: | - cilium --context ${{ env.contextName1 }} status - cilium --context ${{ env.contextName1 }} clustermesh status - cilium --context ${{ env.contextName2 }} status - cilium --context ${{ env.contextName2 }} clustermesh status - - kubectl config use-context ${{ env.contextName1 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context1-final-${{ join(matrix.*, '-') }} - - kubectl config use-context ${{ env.contextName2 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context2-final-${{ join(matrix.*, '-') }} - - if [ "${{ matrix.external-kvstore }}" == "true" ]; then - for i in {1..2}; do - echo - echo "# Retrieving logs from kvstore$i docker container" - docker logs kvstore$i - done - fi - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps-${{ matrix.name }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits-${{ matrix.name }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: 
aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: upgrade-and-downgrade - steps: - - name: Merge Sysdumps - if: ${{ needs.upgrade-and-downgrade.result == 'failure' }} - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: upgrade-and-downgrade - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.upgrade-and-downgrade.result }} diff --git a/.github/workflows/tests-datapath-verifier.yaml b/.github/workflows/tests-datapath-verifier.yaml deleted file mode 100644 index 1e795217860da..0000000000000 --- a/.github/workflows/tests-datapath-verifier.yaml +++ /dev/null 
@@ -1,191 +0,0 @@
-name: Datapath BPF Complexity (ci-verifier)
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
-  workflow_dispatch:
-    inputs:
-      PR-number:
-        description: "Pull request number."
-        required: true
-      context-ref:
-        description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
-        required: true
-      SHA:
-        description: "SHA under test (head of the PR branch)."
-        required: true
-      extra-args:
-        description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
-        required: false
-        default: '{}'
-  push:
-    branches:
-      - 'renovate/main-**'
-  # Run every 8 hours
-  schedule:
-    - cron: '0 5/8 * * *'
-
-# By specifying the access of one of the scopes, all of those that are not
-# specified are set to 'none'.
-permissions:
-  # To read actions state with catchpoint/workflow-telemetry-action
-  actions: read
-  # To be able to access the repository with actions/checkout
-  contents: read
-  # To allow retrieving information from the PR API
-  pull-requests: read
-  # To be able to set commit status
-  statuses: write
-
-concurrency:
-  # Structure:
-  # - Workflow name
-  # - Event type
-  # - A unique identifier depending on event type:
-  #   - schedule: SHA
-  #   - workflow_dispatch: PR number
-  #
-  # This structure ensures a unique concurrency group name is generated for each
-  # type of testing, such that re-runs will cancel the previous run.
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=golang-version depName=go - go-version: 1.23.1 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - name: Setup & Test - strategy: - fail-fast: false - matrix: - include: - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '5.4-20240710.064909' - ci-kernel: '54' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: 'rhel8-20240710.064909' - ci-kernel: '54' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '5.10-20240710.064909' - ci-kernel: '510' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '5.15-20240710.064909' - ci-kernel: '510' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '6.1-20240710.064909' - ci-kernel: '61' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '6.6-20240710.064909' - ci-kernel: '61' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: 'bpf-next-20240711.013133' - ci-kernel: 'netnext' - timeout-minutes: 60 - steps: - - name: Collect Workflow Telemetry - uses: 
catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.SHA || github.sha }} - persist-credentials: false - - - name: Provision LVH VMs - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - test-name: datapath-bpf-complexity - image: 'complexity-test' - image-version: ${{ matrix.kernel }} - host-mount: ./ - images-folder-parent: "/tmp" - cpu: 4 - # renovate: datasource=github-tags depName=cilium/little-vm-helper - lvh-version: "v0.0.19" - install-dependencies: 'true' - cmd: | - for i in {1..5}; do curl "https://golang.org" > /dev/null 2>&1 && break || sleep 5; echo "Waiting for systemd-resolved to be ready..."; done - - git config --global --add safe.directory /host - uname -a - - # The LVH image might ship with an arbitrary Go toolchain version, - # install the same Go toolchain version as current HEAD. - CGO_ENABLED=0 GOPROXY=direct GOSUMDB= go install golang.org/dl/go${{ env.go-version }}@latest - go${{ env.go-version }} download - - # The LVH image ships with LLVM taken from a release Cilium version. - # Replace it with the one extracted from the cilium-builder image. - /host/contrib/scripts/extract-llvm.sh /tmp/llvm - mv /tmp/llvm/usr/local/bin/{clang,llc} /bin/ - rm -r /tmp/llvm - - - name: Run verifier tests - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - # Run with cgo disabled, LVH images don't ship with gcc. 
- CGO_ENABLED=0 go${{ env.go-version }} test -v -parallel=1 -timeout=20m ./test/verifier -cilium-base-path /host -ci-kernel-version ${{ matrix.ci-kernel }} - - - name: Fetch artifacts - if: ${{ !success() }} - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host - mkdir datapath-verifier - find test/verifier \( -name "*.log" -o -name "*.o" \) -exec cp -v {} datapath-verifier/ \; - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: datapath-verifier_${{ matrix.kernel }} - path: datapath-verifier - retention-days: 5 - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/tests-e2e-upgrade.yaml b/.github/workflows/tests-e2e-upgrade.yaml deleted file mode 100644 index 0d8e4357198be..0000000000000 --- a/.github/workflows/tests-e2e-upgrade.yaml +++ /dev/null 
@@ -1,679 +0,0 @@
-name: Cilium E2E Upgrade (ci-e2e-upgrade)
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
-  workflow_dispatch:
-    inputs:
-      PR-number:
-        description: "Pull request number."
-        required: true
-      context-ref:
-        description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
-        required: true
-      SHA:
-        description: "SHA under test (head of the PR branch)."
-        required: true
-      extra-args:
-        description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
-        required: false
-        default: '{}'
-  push:
-    branches:
-      - 'renovate/main-**'
-  # Run every 8 hours
-  schedule:
-    - cron: '0 5/8 * * *'
-
-# By specifying the access of one of the scopes, all of those that are not
-# specified are set to 'none'.
-permissions:
-  # To read actions state with catchpoint/workflow-telemetry-action
-  actions: read
-  # To be able to access the repository with actions/checkout
-  contents: read
-  # To allow retrieving information from the PR API
-  pull-requests: read
-  # To be able to set commit status
-  statuses: write
-
-concurrency:
-  # Structure:
-  # - Workflow name
-  # - Event type
-  # - A unique identifier depending on event type:
-  #   - schedule: SHA
-  #   - workflow_dispatch: PR number
-  #
-  # This structure ensures a unique concurrency group name is generated for each
-  # type of testing, such that re-runs will cancel the previous run.
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - wait-for-images: - name: Wait for images - runs-on: ubuntu-latest - timeout-minutes: 30 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - name: Wait for images - uses: ./.github/actions/wait-for-images - with: - SHA: ${{ inputs.SHA }} - - setup-and-test: - needs: [wait-for-images] - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - name: 'Setup & Test' - env: - job_name: 'Setup & Test' - strategy: - fail-fast: false - max-parallel: 22 - matrix: - include: - - name: '1' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'rhel8-20240404.144247' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - host-fw: 'true' - - - name: '2' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - host-fw: 'true' - - - name: '3' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - 
endpoint-routes: 'true' - - - name: '4' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '5' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - lb-mode: 'dsr' - endpoint-routes: 'true' - egress-gateway: 'true' - host-fw: 'false' # enabling breaks downgrading (missed tail calls) - - - name: '6' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - tunnel: 'vxlan' - lb-mode: 'snat' - egress-gateway: 'true' - host-fw: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - bgp-control-plane: 'true' - - - name: '7' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20240711.013133' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - lb-mode: 'snat' - egress-gateway: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - local-redirect-policy: 'true' - node-local-dns: 'true' - - - name: '8' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20240711.013133' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'geneve' - endpoint-routes: 'true' - misc: 'socketLB.enabled=false,nodePort.enabled=true,bpf.masquerade=true' - - - name: '9' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - encryption: 'wireguard' - encryption-node: 'false' - lb-mode: 'snat' - endpoint-routes: 
'true' - egress-gateway: 'true' - - - name: '10' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - encryption: 'wireguard' - encryption-node: 'false' - - - name: '11' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - encryption: 'wireguard' - encryption-node: 'true' - lb-mode: 'snat' - egress-gateway: 'true' - ingress-controller: 'true' - - - name: '12' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20240711.013133' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - encryption: 'wireguard' - encryption-node: 'true' - lb-mode: 'snat' - egress-gateway: 'true' - ingress-controller: 'true' - - - name: '13' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'rhel8-20240404.144247' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - misc: 'policyCIDRMatchMode=nodes' - - - name: '14' - # Switch to 5.15 until https://github.com/cilium/cilium/issues/27642 - # has been resolved. https://github.com/cilium/cilium/pull/30837#issuecomment-1960897445 - # explains why 5.4 might cause north-south-loadbalancing tests to - # fail. 
- # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - egress-gateway: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - - - name: '15' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20240711.013133' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - ingress-controller: 'true' - # Disable bpf.tproxy=true until https://github.com/cilium/cilium/issues/31918 - # has been resolved. - misc: 'bpfClockProbe=false,cni.uninstall=false' - ciliumendpointslice: 'true' - - - name: '16' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - encryption: 'wireguard' - encryption-node: 'false' - host-fw: 'true' - ciliumendpointslice: 'true' - ingress-controller: 'true' - - - name: '17' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-20240711.013133' - misc: 'bpf.datapathMode=netkit,bpf.masquerade=true,enableIPv4BIGTCP=true,enableIPv6BIGTCP=true' - kube-proxy: 'none' - kpr: 'true' - ipv6: 'true' - tunnel: 'disabled' - devices: '{eth0,eth1}' - secondary-network: 'true' - ingress-controller: 'true' - - - name: '18' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-20240711.013133' - misc: 'bpf.datapathMode=netkit-l2,bpf.masquerade=true,enableIPv4BIGTCP=true,enableIPv6BIGTCP=true' - kube-proxy: 'none' - kpr: 'true' - ipv6: 'true' - tunnel: 'disabled' - devices: '{eth0,eth1}' - secondary-network: 'true' - ingress-controller: 'true' - - - name: '19' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-20240711.013133' - misc: 
'bpf.datapathMode=netkit,bpf.masquerade=true' - kube-proxy: 'none' - kpr: 'true' - tunnel: 'vxlan' - devices: '{eth0,eth1}' - secondary-network: 'true' - ingress-controller: 'true' - - - name: '20' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-20240711.013133' - misc: 'bpf.datapathMode=netkit-l2,bpf.masquerade=true' - kube-proxy: 'none' - kpr: 'true' - tunnel: 'vxlan' - devices: '{eth0,eth1}' - secondary-network: 'true' - ingress-controller: 'true' - - - name: '21' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-20240711.013133' - misc: 'bpf.datapathMode=netkit,bpf.masquerade=true' - kube-proxy: 'none' - kpr: 'true' - tunnel: 'geneve' - devices: '{eth0,eth1}' - secondary-network: 'true' - ingress-controller: 'true' - - - name: '22' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-20240711.013133' - misc: 'bpf.datapathMode=netkit-l2,bpf.masquerade=true' - kube-proxy: 'none' - kpr: 'true' - tunnel: 'geneve' - devices: '{eth0,eth1}' - secondary-network: 'true' - ingress-controller: 'true' - - # Example of a feature that is being introduced, and we want to test - # it without performing an upgrade, we use skip-upgrade: 'true' - # - name: '23' - # # renovate: datasource=docker depName=quay.io/lvh-images/kind - # kernel: 'bpf-20240711.013133' - # misc: 'bpf.datapathMode=netkit-l2,bpf.masquerade=true' - # skip-upgrade: 'true' - - timeout-minutes: 90 - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Cleanup Disk space in runner - if: runner.name == 'ubuntu-latest' - uses: ./.github/actions/disk-cleanup - - - name: Set Environment Variables - uses: 
./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh stable) - echo downgrade_version=${CILIUM_DOWNGRADE_VERSION} >> $GITHUB_OUTPUT - - - name: Derive stable Cilium installation config - if: ${{ matrix.skip-upgrade != 'true' }} - id: cilium-stable-config - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.downgrade_version }} - chart-dir: './untrusted/cilium-downgrade/install/kubernetes/cilium/' - tunnel: ${{ matrix.tunnel }} - devices: ${{ matrix.devices }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - ingress-controller: ${{ matrix.ingress-controller }} - misc: ${{ matrix.misc || 'bpfClockProbe=false,cni.uninstall=false' }} - ciliumendpointslice: ${{ matrix.ciliumendpointslice }} - local-redirect-policy: ${{ matrix.local-redirect-policy }} - bgp-control-plane: ${{ matrix.bgp-control-plane }} - - - name: Derive newest Cilium installation config - id: cilium-newest-config - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: './untrusted/cilium-newest/install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - devices: ${{ matrix.devices }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ 
matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - ingress-controller: ${{ matrix.ingress-controller }} - misc: ${{ matrix.misc || 'bpfClockProbe=false,cni.uninstall=false' }} - ciliumendpointslice: ${{ matrix.ciliumendpointslice }} - local-redirect-policy: ${{ matrix.local-redirect-policy }} - bgp-control-plane: ${{ matrix.bgp-control-plane }} - - - name: Set Kind params - id: kind-params - shell: bash - run: | - IP_FAM="dual" - if [ "${{ matrix.ipv6 }}" == "false" ]; then - IP_FAM="ipv4" - fi - echo params="--xdp --secondary-network \"\" 3 \"\" \"\" ${{ matrix.kube-proxy }} $IP_FAM" >> $GITHUB_OUTPUT - - - name: Provision K8s on LVH VM - uses: ./.github/actions/lvh-kind - with: - test-name: e2e-conformance - kernel: ${{ matrix.kernel }} - kind-params: "${{ steps.kind-params.outputs.params }}" - kind-image: ${{ env.KIND_K8S_IMAGE }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted/cilium-newest - sparse-checkout: | - install/kubernetes/cilium - examples - - - name: Checkout ${{ steps.vars.outputs.downgrade_version }} branch to get the Helm chart - if: ${{ matrix.skip-upgrade != 'true' }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.downgrade_version }} - persist-credentials: false - path: untrusted/cilium-downgrade - sparse-checkout: | - install/kubernetes/cilium - - - name: Install Cilium ${{ matrix.skip-upgrade == 'true' && 'from main' || steps.vars.outputs.downgrade_version }} - shell: bash - run: | - kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]' - - if ${{ matrix.skip-upgrade != 'true' }}; then - cilium install ${{ steps.cilium-stable-config.outputs.config }} - else - cilium install ${{ steps.cilium-newest-config.outputs.config }} - fi - - cilium status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium status - - mkdir -p cilium-junits - - - name: Install node local DNS - if: ${{ matrix.node-local-dns == 'true' }} - shell: bash - run: | - kubedns=$(kubectl get svc kube-dns -n kube-system -o jsonpath={.spec.clusterIP}) && sed -i "s/__PILLAR__DNS__SERVER__/$kubedns/g;" untrusted/cilium-newest/examples/kubernetes-local-redirect/node-local-dns.yaml - sed -i "s/__PILLAR__UPSTREAM__SERVERS__/1.1.1.1/g;" untrusted/cilium-newest/examples/kubernetes-local-redirect/node-local-dns.yaml - kubectl apply -k untrusted/cilium-newest/examples/kubernetes-local-redirect - kubectl rollout status -n kube-system ds/node-local-dns - - - name: Start conn-disrupt-test - shell: bash - run: | - # Create pods which establish long lived 
connections. It will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. - cilium connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup \ - --conn-disrupt-test-restarts-path "./cilium-conn-disrupt-restarts" \ - --conn-disrupt-dispatch-interval 0ms - - - name: Upgrade Cilium - if: ${{ matrix.skip-upgrade != 'true' }} - shell: bash - run: | - cilium upgrade \ - ${{ steps.cilium-newest-config.outputs.config }} - - cilium status --wait --wait-duration=10m - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium status - - - name: Test Cilium ${{ matrix.skip-upgrade != 'true' && 'after upgrade' }} - shell: bash - run: | - EXTRA=() - if [ "${{ matrix.secondary-network }}" = "true" ]; then - EXTRA+=("--secondary-network-iface=eth1") - fi - - # it's fine to ignore the "No egress gateway found" drop reason as this may be caused by the kind=echo pods - # sending traffic while the egressgw policy map is still being populated. - # - # The actual connectivity test will ensure that the map is in sync with the policy and that egressgw traffic - # always go through the correct gateway - EXTRA+=("--expected-drop-reasons=+No egress gateway found") - - cilium connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --include-conn-disrupt-test \ - --conn-disrupt-test-restarts-path "./cilium-conn-disrupt-restarts" \ - --flush-ct \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ matrix.name }}).xml" \ - --junit-property github_job_step="Run tests upgrade 2 (${{ matrix.name }})" \ - "${EXTRA[@]}" - - # --flush-ct interrupts the flows, so we need to set up again. 
- cilium connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup \ - --conn-disrupt-test-restarts-path "./cilium-conn-disrupt-restarts" \ - --conn-disrupt-dispatch-interval 0ms - - - name: Downgrade Cilium ${{ steps.vars.outputs.downgrade_version }} - if: ${{ matrix.skip-upgrade != 'true' }} - shell: bash - run: | - cilium upgrade \ - ${{ steps.cilium-stable-config.outputs.config }} - - cilium status --wait --wait-duration=10m - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium status - - - name: Test Cilium after downgrade to ${{ steps.vars.outputs.downgrade_version }} - if: ${{ matrix.skip-upgrade != 'true' }} - shell: bash - run: | - EXTRA=() - if [ "${{ matrix.secondary-network }}" = "true" ]; then - EXTRA+=("--secondary-network-iface=eth1") - fi - - # it's fine to ignore the "No egress gateway found" drop reason as this may be caused by the kind=echo pods - # sending traffic while the egressgw policy map is still being populated. 
- # - # The actual connectivity test will ensure that the map is in sync with the policy and that egressgw traffic - # always go through the correct gateway - EXTRA+=("--expected-drop-reasons=+No egress gateway found") - - cilium connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --include-conn-disrupt-test \ - --conn-disrupt-test-restarts-path "./cilium-conn-disrupt-restarts" \ - --flush-ct \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ matrix.name }}).xml" \ - --junit-property github_job_step="Run tests upgrade 2 (${{ matrix.name }})" \ - "${EXTRA[@]}" - - - name: Fetch artifacts - if: ${{ !success() }} - shell: bash - run: | - kubectl get pods --all-namespaces -o wide - cilium status - mkdir -p cilium-sysdumps - cilium sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps-${{ matrix.name }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits-${{ matrix.name }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - 
continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/tests-ipsec-upgrade.yaml b/.github/workflows/tests-ipsec-upgrade.yaml deleted file mode 100644 index bf6297a4a8847..0000000000000 --- a/.github/workflows/tests-ipsec-upgrade.yaml +++ /dev/null 
@@ -1,494 +0,0 @@ -name: Cilium IPsec upgrade (ci-ipsec-upgrade) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/main-**' - # Run every 8 hours - schedule: - - cron: '0 5/8 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - wait-for-images: - name: Wait for images - runs-on: ubuntu-latest - timeout-minutes: 30 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - name: Wait for images - uses: ./.github/actions/wait-for-images - with: - SHA: ${{ inputs.SHA }} - - setup-and-test: - needs: [wait-for-images] - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - name: 'Setup & Test' - env: - job_name: 'Setup & Test' - strategy: - fail-fast: false - max-parallel: 16 - matrix: - config: ['5.4', '5.10', '6.1', '5.15', 'bpf-next'] - mode: ['minor', 'patch'] - include: - # Define three config sets - - config: '5.4' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - encryption: 'ipsec' - - - config: '5.10' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - encryption: 'ipsec' - endpoint-routes: 'true' - - - config: '5.15' - # renovate: 
datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - encryption: 'ipsec' - encryption-overlay: 'true' - endpoint-routes: 'false' - - - config: '6.1' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - encryption: 'ipsec' - endpoint-routes: 'false' - - - config: 'bpf-next' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20240711.013133' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - encryption: 'ipsec' - endpoint-routes: 'true' - - # Add names to matrix combinations of {config, mode} - - config: '5.4' - mode: 'minor' - name: '1' - - - config: '5.10' - mode: 'minor' - name: '2' - - - config: '6.1' - mode: 'minor' - name: '3' - - - config: 'bpf-next' - mode: 'minor' - name: '4' - - - config: '5.4' - mode: 'patch' - name: '5' - - - config: '5.10' - mode: 'patch' - name: '6' - - - config: '6.1' - mode: 'patch' - name: '7' - - - config: 'bpf-next' - mode: 'patch' - name: '8' - - - config: '5.15' - mode: 'minor' - name: '9' - - - config: '5.15' - mode: 'patch' - name: '10' - - timeout-minutes: 70 - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - # We keep the credentials here, to make sure we're able to run - # "git fetch" in print-downgrade-version.sh in a few steps below. - # We'll call it again to remove the credentials before pulling the - # untrusted branch from the PR. We remain in a trusted context while - # credentials persist. 
- # This remains faster than downloading the full project history to - # make tags available to print-downgrade-version.sh. - persist-credentials: true - - - name: Cleanup Disk space in runner - if: runner.name == 'ubuntu-latest' - uses: ./.github/actions/disk-cleanup - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - if [ "${{ matrix.mode }}" = "minor" ]; then - CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh stable) - IMAGE_TAG=${CILIUM_DOWNGRADE_VERSION} - else - # Upgrade from / downgrade to patch release. - # In some cases we expect to fail to get the version number, do not - # fail the workflow in such case. This is typically the case on - # main branch where we don't have preceeding patch releases. - CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh patch || true) - # Pass an empty tag to the cilium-config action to fall back to the - # default release image, without crafting an image path with the - # "-ci" suffix - IMAGE_TAG='' - fi - echo "CILIUM_DOWNGRADE_VERSION: ${CILIUM_DOWNGRADE_VERSION}" - echo "IMAGE_TAG: ${IMAGE_TAG}" - if [ -z "${CILIUM_DOWNGRADE_VERSION}" ]; then - echo "::notice::No CILIUM_DOWNGRADE_VERSION returned; skipping remaining steps" - fi - echo downgrade_version=${CILIUM_DOWNGRADE_VERSION} >> $GITHUB_OUTPUT - echo image_tag=${IMAGE_TAG} >> $GITHUB_OUTPUT - - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Check we effectively removed Git credentials - shell: bash - run: | - # For private repositories requiring authentication, check that we - # can no longer fetch from the 
repository. - if ! curl -L \ - -H "Accept: application/vnd.github+json" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - "https://api.github.com/repos/${{ github.repository }}" | \ - tee /dev/stderr | \ - jq --exit-status '.private == false'; then - echo 'Checking whether "git fetch" succeeds' - if git fetch origin HEAD; then - echo "::error::Git credentials not removed, aborting now." - false - fi - fi - - - name: Derive stable Cilium installation config - id: cilium-stable-config - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.image_tag }} - chart-dir: './untrusted/cilium-downgrade/install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - encryption-overlay: ${{ matrix.encryption-overlay }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - misc: 'bpfClockProbe=false,cni.uninstall=false' - - - name: Derive newest Cilium installation config - id: cilium-newest-config - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: './untrusted/cilium-newest/install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - encryption-overlay: ${{ matrix.encryption-overlay }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - misc: 
'bpfClockProbe=false,cni.uninstall=false' - - - name: Set Kind params - if: ${{ steps.vars.outputs.downgrade_version != '' }} - id: kind-params - shell: bash - run: | - IP_FAM="dual" - if [ "${{ matrix.ipv6 }}" == "false" ]; then - IP_FAM="ipv4" - fi - echo params="\"\" 3 \"\" \"\" ${{ matrix.kube-proxy }} $IP_FAM" >> $GITHUB_OUTPUT - - - name: Provision K8s on LVH VM - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/lvh-kind - with: - test-name: e2e-conformance - kernel: ${{ matrix.kernel }} - kind-params: "${{ steps.kind-params.outputs.params }}" - kind-image: ${{ env.KIND_K8S_IMAGE }} - - - name: Install Cilium CLI - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.vars.outputs.sha }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted/cilium-newest - sparse-checkout: | - install/kubernetes/cilium - - - name: Checkout ${{ steps.vars.outputs.downgrade_version }} branch to get the Helm chart - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.downgrade_version }} - persist-credentials: false - path: untrusted/cilium-downgrade - sparse-checkout: | - install/kubernetes/cilium - - - name: Install Cilium ${{ steps.vars.outputs.downgrade_version }} (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - shell: bash - run: | - kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]' - kubectl create -n kube-system secret generic cilium-ipsec-keys \ - --from-literal=keys="3+ rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - mkdir -p cilium-junits - - cilium install \ - ${{ steps.cilium-stable-config.outputs.config }} - - cilium status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium-dbg status - - - - name: Setup conn-disrupt-test before upgrading (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/conn-disrupt-test-setup - - - name: Upgrade Cilium (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - shell: bash - run: | - cilium upgrade \ - ${{ steps.cilium-newest-config.outputs.config }} - - cilium status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- 
cilium-dbg status - - - name: Run tests after upgrading (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/conn-disrupt-test-check - with: - job-name: cilium-upgrade-${{ matrix.name }} - full-test: 'true' - - - name: Setup conn-disrupt-test before downgrading - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/conn-disrupt-test-setup - - - name: Downgrade Cilium to ${{ steps.vars.outputs.downgrade_version }} (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - shell: bash - run: | - cilium upgrade \ - ${{ steps.cilium-stable-config.outputs.config }} - - cilium status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium-dbg status - - - name: Check conn-disrupt-test after downgrading - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/conn-disrupt-test-check - with: - job-name: cilium-downgrade-${{ matrix.name }} - full-test: 'true' - - - name: Fetch artifacts - if: ${{ steps.vars.outputs.downgrade_version != '' && !success() }} - shell: bash - run: | - kubectl get pods --all-namespaces -o wide - cilium status - mkdir -p cilium-sysdumps - cilium sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final - - - name: Upload artifacts - if: ${{ steps.vars.outputs.downgrade_version != '' && !success() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps-${{ matrix.config }}-${{ matrix.mode }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ steps.vars.outputs.downgrade_version != '' && always() }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits-${{ matrix.config }}-${{ matrix.mode }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ steps.vars.outputs.downgrade_version 
!= '' && always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/tests-l4lb.yaml b/.github/workflows/tests-l4lb.yaml deleted file mode 100644 index e2d88a346bc39..0000000000000 --- a/.github/workflows/tests-l4lb.yaml +++ /dev/null 
@@ -1,152 +0,0 @@ -name: Cilium L4LB XDP (ci-l4lb) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - main - - ft/main/** - - 'renovate/main-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To read actions state with catchpoint/workflow-telemetry-action - actions: read - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - name: Setup & Test - # Ubuntu 22.04 runner uses cgroup v2-only which is needed for some - # our LB functionality - runs-on: ubuntu-22.04 - timeout-minutes: 45 - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - echo sha=${SHA} >> $GITHUB_OUTPUT - - - name: Wait for image to be available - timeout-minutes: 30 - shell: bash - run: | - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - - - name: Run LoadBalancing test - id: lb-test - run: | - cd ${{ github.workspace }}/test/l4lb && sudo ./test.sh ${{ env.QUAY_ORGANIZATION_DEV }} ${{ 
steps.vars.outputs.sha }} ${{ env.CILIUM_RUNTIME_EXTRA_ARGS }} - - - name: Run NAT46x64 test - run: | - cd ${{ github.workspace }}/test/nat46x64 && sudo ./test.sh ${{ env.QUAY_ORGANIZATION_DEV }} ${{ steps.vars.outputs.sha }} ${{ env.CILIUM_RUNTIME_EXTRA_ARGS }} - - - name: Fetch DinD information - if: ${{ !success() && steps.lb-test.outcome != 'skipped' }} - run: | - docker ps -a - docker logs lb-node - docker inspect lb-node - docker exec -t lb-node docker ps - - - name: Fetch Cilium Standalone LB logs - if: ${{ !success() && steps.lb-test.outcome != 'skipped' }} - run: | - docker exec -t lb-node docker logs cilium-lb - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/tests-smoke-ipv6.yaml b/.github/workflows/tests-smoke-ipv6.yaml deleted file mode 100644 index 961535120c512..0000000000000 --- a/.github/workflows/tests-smoke-ipv6.yaml +++ /dev/null 
@@ -1,175 +0,0 @@ -name: Smoke Test with IPv6 - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - KIND_CONFIG: .github/kind-config-ipv6.yaml - # Skip external traffic (e.g. 1.1.1.1 and www.google.com) due to no support for IPv6 in github action - CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check-internal.yaml - TIMEOUT: 5m - LOG_TIME: 30m - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-22.04 - outputs: - tested: ${{ steps.tested-tree.outputs.src }} - steps: - - name: Checkout code - if: ${{ !github.event.pull_request }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 - - name: Check code changes - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 - id: tested-tree - with: - # For `push` events, compare against the `ref` base branch - # For `pull_request` events, this is ignored and will compare against the pull request base branch - base: ${{ github.ref }} - filters: | - src: - - '!(test|Documentation)/**' - - conformance-test-ipv6: - needs: check_changes - if: ${{ needs.check_changes.outputs.tested == 'true' }} - runs-on: ubuntu-22.04 - name: Installation and Conformance Test (ipv6) - steps: - - name: Collect Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 - with: - comment_on_pr: false - - - name: Checkout target branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.base_ref || github.ref }} - persist-credentials: false - - - name: Set Environment Variables - 
uses: ./.github/actions/set-env-variables - - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ github.event.pull_request.head.sha }} - - - name: Set image tag - id: sha - run: | - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - - name: Precheck generated connectivity manifest files - run: | - make -C examples/kubernetes/connectivity-check fmt - make -C examples/kubernetes/connectivity-check all - test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1) - - - name: Enable IPv6 in docker - run: | - sudo cat /etc/docker/daemon.json || true - # Keep existing config like cgroup-parent in github action - sudo sh -c "echo '{ \"exec-opts\": [\"native.cgroupdriver=cgroupfs\"], \"cgroup-parent\": \"/actions_job\", \"ipv6\": true, \"fixed-cidr-v6\": \"2001:db8:1::/64\" }' > /etc/docker/daemon.json" - sudo cat /etc/docker/daemon.json - sudo ip -6 route add 2001:db8:1::/64 dev docker0 - sudo sysctl net.ipv6.conf.default.forwarding=1 - sudo sysctl net.ipv6.conf.all.forwarding=1 - sudo systemctl restart docker - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ${{ env.KIND_CONFIG }} - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.sha.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Set up 
install variables - id: vars - run: | - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set nodeinit.enabled=true \ - --helm-set kubeProxyReplacement=true \ - --helm-set ipam.mode=kubernetes \ - --helm-set hubble.enabled=true \ - --helm-set hubble.relay.enabled=true \ - --helm-set ipv6.enabled=true \ - --helm-set ipv4.enabled=false \ - --helm-set routingMode=native \ - --helm-set autoDirectNodeRoutes=true \ - --helm-set ipv6NativeRoutingCIDR=2001:db8:1::/64 \ - --helm-set ingressController.enabled=true" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17 - with: - skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} - image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} - image-tag: ${{ steps.sha.outputs.sha }} - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Run conformance test (e.g. connectivity check without external 1.1.1.1 and www.google.com) - run: | - kubectl apply -f ${{ env.CONFORMANCE_TEMPLATE }} - kubectl wait --for=condition=Available --all deployment --timeout=${{ env.TIMEOUT }} - - - name: Report cluster failure status and capture cilium-sysdump - if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }} - # The following is needed to prevent hubble from receiving an empty - # file (EOF) on stdin and displaying no flows. 
- shell: 'script -q -e -c "bash --noprofile --norc -eo pipefail {0}"' - run: | - echo "=== Retrieve cluster state ===" - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - - - name: Upload cilium-sysdump - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - if: ${{ failure() }} - with: - name: cilium-sysdump-out.zip - path: cilium-sysdump-out.zip diff --git a/.github/workflows/tests-smoke.yaml b/.github/workflows/tests-smoke.yaml deleted file mode 100644 index c5e2f56c5e8c0..0000000000000 --- a/.github/workflows/tests-smoke.yaml +++ /dev/null 
@@ -1,206 +0,0 @@
-name: Smoke Test
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- pull_request: {}
- push:
- branches:
- - main
- - ft/main/**
- merge_group:
- types: [checks_requested]
-
-permissions: read-all
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }}
- cancel-in-progress: ${{ !github.event.merge_group }}
-
-env:
- cilium_cli_ci_version:
- KIND_CONFIG: .github/kind-config.yaml
- CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check.yaml
- TIMEOUT: 2m
- LOG_TIME: 30m
- PROM_VERSION: 2.34.0
-
-jobs:
- check_changes:
- name: Deduce required tests from code changes
- runs-on: ubuntu-22.04
- outputs:
- tested: ${{ steps.tested-tree.outputs.src }}
- steps:
- - name: Checkout code
- if: ${{ !github.event.pull_request }}
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
- fetch-depth: 0
- - name: Check code changes
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
- id: tested-tree
- with:
- # For `push` events, compare against the `ref` base branch
- # For `pull_request` events, this is ignored and will compare against the pull request base branch
- base: ${{ github.ref }}
- filters: |
- src:
- - '!(test|Documentation)/**'
-
- preflight-clusterrole:
- runs-on: ubuntu-latest
- name: Preflight Clusterrole Check
- steps:
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
-
- - name: Check pre-flight clusterrole
- run: make check-k8s-clusterrole
-
- helm-charts:
- runs-on: ubuntu-latest
- name: Helm Charts Check
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
-
- - name: Run helm-charts
- run: |
- make -C install/kubernetes
- test -z "$(git
status --porcelain)" || (echo "please run 'make -C install/kubernetes' and submit your changes"; exit 1)
-
- conformance-test:
- needs: check_changes
- if: ${{ needs.check_changes.outputs.tested == 'true' && github.event_name != 'merge_group' }}
- runs-on: ubuntu-latest
- name: Installation and Conformance Test
- steps:
- - name: Collect Workflow Telemetry
- uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0
- with:
- comment_on_pr: false
-
- - name: Checkout target branch to access local actions
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ github.base_ref || github.ref }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
-
- - name: Get Cilium's default values
- id: default_vars
- uses: ./.github/actions/helm-default
- with:
- image-tag: ${{ github.event.pull_request.head.sha }}
-
- - name: Set image tag
- id: sha
- run: |
- echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
-
- - name: Precheck generated connectivity manifest files
- run: |
- make -C examples/kubernetes/connectivity-check fmt
- make -C examples/kubernetes/connectivity-check all
- test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1)
-
- - name: Create kind cluster
- uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
- with:
- version: ${{ env.KIND_VERSION }}
- node_image: ${{ env.KIND_K8S_IMAGE }}
- kubectl_version: ${{ env.KIND_K8S_VERSION }}
- config: ${{ env.KIND_CONFIG }}
- wait: 0 # The control-plane never becomes ready, since no CNI is present
-
- - name: Wait for images to be available
- timeout-minutes: 30
- shell: bash
- run: |
- for image in cilium-ci operator-generic-ci
hubble-relay-ci ; do
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.sha.outputs.sha }} &> /dev/null; do sleep 45s; done
- done
-
- - name: Set up install variables
- id: vars
- run: |
- CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
- --helm-set nodeinit.enabled=true \
- --helm-set kubeProxyReplacement=true \
- --helm-set ipam.mode=kubernetes \
- --helm-set hubble.relay.enabled=true \
- --helm-set prometheus.enabled=true \
- --helm-set operator.prometheus.enabled=true \
- --helm-set hubble.enabled=true \
- --helm-set=hubble.metrics.enabled=\"{dns,drop,tcp,flow,port-distribution,icmp,http}\" \
- --helm-set ingressController.enabled=true"
-
- echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT
-
- - name: Install Cilium CLI
- uses: cilium/cilium-cli@fff38e882846c03f1720dad476e459323275ab9c # v0.16.17
- with:
- skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }}
- image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }}
- image-tag: ${{ steps.sha.outputs.sha }}
-
- - name: Install Cilium
- id: install-cilium
- run: |
- cilium install ${{ steps.vars.outputs.cilium_install_defaults }}
-
- - name: Wait for Cilium status to be ready
- run: |
- cilium status --wait
- kubectl -n kube-system get pods
-
- - name: Run conformance test (e.g. connectivity check)
- run: |
- kubectl apply -f ${{ env.CONFORMANCE_TEMPLATE }}
- kubectl wait --for=condition=Available --all deployment --timeout=${{ env.TIMEOUT }}
-
- - name: Check prometheus metrics
- if: ${{ success() }}
- run: |
- cd $HOME
- cilium_pod=$(kubectl -n kube-system get po -o name --field-selector=status.phase==Running -l 'k8s-app=cilium' -o jsonpath='{.items[0].metadata.name}' )
- kubectl -n kube-system exec $cilium_pod -- sh -c "apt update && apt install curl -y"
- kubectl -n kube-system exec $cilium_pod -- curl http://localhost:9962/metrics > metrics.prom
- # Install promtool binary release.
`go install` doesn't work due to
- # https://github.com/prometheus/prometheus/issues/8852 and related issues.
- curl -sSL --remote-name-all https://github.com/prometheus/prometheus/releases/download/v${PROM_VERSION}/{prometheus-${PROM_VERSION}.linux-amd64.tar.gz,sha256sums.txt}
- sha256sum --check --ignore-missing sha256sums.txt
- tar xzvf prometheus-${PROM_VERSION}.linux-amd64.tar.gz prometheus-${PROM_VERSION}.linux-amd64/promtool
- rm -f prometheus-${PROM_VERSION}.linux-amd64.tar.gz
- sudo mv prometheus-${PROM_VERSION}.linux-amd64/promtool /usr/bin
- cat metrics.prom | promtool check metrics
-
- - name: Report cluster failure status and capture cilium-sysdump
- if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }}
- # The following is needed to prevent hubble from receiving an empty
- # file (EOF) on stdin and displaying no flows.
- shell: 'script -q -e -c "bash --noprofile --norc -eo pipefail {0}"'
- run: |
- echo "=== Retrieve cluster state ==="
- kubectl get pods --all-namespaces -o wide
- cilium status
- cilium sysdump --output-filename cilium-sysdump-out
-
- - name: Upload cilium-sysdump
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- if: ${{ failure() }}
- with:
- name: cilium-sysdump-out.zip
- path: cilium-sysdump-out.zip
diff --git a/.github/workflows/update-label-backport-pr.yaml b/.github/workflows/update-label-backport-pr.yaml
deleted file mode 100644
index 59abca2c78ddd..0000000000000
--- a/.github/workflows/update-label-backport-pr.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
----
- # A reusable workflow designed to be called from the context of a specific
- # branch whenever a backport PR is merged. The workflow scans the backport PR
- # body to get the list of the backported PRs and updates their labels, replacing
- # all "backport-pending/" with "backport-done/".
- name: Update labels of backported PRs
- on:
- workflow_call:
- inputs:
- pr-body:
- required: true
- type: string
- description: "The PR description containing all the references to the backported PRs."
- branch:
- required: true
- type: string
- description: "The stable branch version."
-
- jobs:
- backport-label-updater:
- name: Update labels of backported PRs
- runs-on: ubuntu-latest
- permissions:
- pull-requests: write # Adding and removing labels
- env:
- body: ${{ inputs.pr-body }}
- steps:
- - name: Pre-process PR body
- id: pre-process
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
- with:
- script: |
- const { body } = process.env
- return body.replace(/\'/g, '')
- .replace(/"/g, '')
- .replace(/`/g, '')
- .replace(/$/g, '')
- result-encoding: string
-
- - name: Update labels
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- BRANCH: ${{ inputs.branch }}
- run: |
- VERSION=${BRANCH#v}
- echo "${{steps.pre-process.outputs.result}}" | sed -En "/upstream-prs/ { n; p }" | cut -d ';' -f 1 | grep -Eo '[0-9]+' | while read -r pr; do
- echo "Removing label backport-pending/${VERSION} from pr #${pr}."
- gh pr edit ${pr} --repo "${GITHUB_REPOSITORY}" --remove-label backport-pending/${VERSION}
- echo "Adding label backport-done/${VERSION} to pr #${pr}."
- gh pr edit ${pr} --repo "${GITHUB_REPOSITORY}" --add-label backport-done/${VERSION}
- done