Network performance GKE (net-perf-gke) #26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Network performance GKE (net-perf-gke) | |
# Any change in triggers needs to be reflected in the concurrency group. | |
on: | |
schedule: | |
- cron: '39 0 * * 1-5' | |
workflow_dispatch: | |
inputs: | |
PR-number: | |
description: "Pull request number." | |
required: true | |
context-ref: | |
description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." | |
required: true | |
SHA: | |
description: "SHA under test (head of the PR branch)." | |
required: true | |
extra-args: | |
description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." | |
required: false | |
default: '{}' | |
# For testing uncomment following lines: | |
# push: | |
# branches: | |
# - your_branch_name | |
# By specifying the access of one of the scopes, all of those that are not | |
# specified are set to 'none'. | |
permissions: | |
# To read actions state with catchpoint/workflow-telemetry-action | |
actions: read | |
# To be able to access the repository with actions/checkout | |
contents: read | |
# To be able to request the JWT from GitHub's OIDC provider | |
id-token: write | |
# To allow retrieving information from the PR API | |
pull-requests: read | |
# To be able to set commit status | |
statuses: write | |
concurrency: | |
# Structure: | |
# - Workflow name | |
# - Event type | |
# - A unique identifier depending on event type: | |
# - schedule: SHA | |
# - workflow_dispatch: PR number | |
# | |
# This structure ensures a unique concurrency group name is generated for each | |
# type of testing, such that re-runs will cancel the previous run. | |
group: | | |
${{ github.workflow }} | |
${{ github.event_name }} | |
${{ | |
(github.event_name == 'schedule' && github.sha) || | |
(github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) | |
}} | |
cancel-in-progress: true | |
env: | |
clusterName: ${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} | |
test_name: gke-perf | |
USE_GKE_GCLOUD_AUTH_PLUGIN: True | |
gcp_zone: us-east5-a | |
k8s_version: 1.28 | |
# renovate: datasource=docker depName=google/cloud-sdk | |
gcloud_version: 499.0.0 | |
jobs: | |
echo-inputs: | |
if: ${{ github.event_name == 'workflow_dispatch' }} | |
name: Echo Workflow Dispatch Inputs | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Echo Workflow Dispatch Inputs | |
run: | | |
echo '${{ tojson(inputs) }}' | |
commit-status-start: | |
name: Commit Status Start | |
runs-on: ubuntu-latest | |
steps: | |
- name: Set initial commit status | |
uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 | |
with: | |
sha: ${{ inputs.SHA || github.sha }} | |
installation-and-perf: | |
name: Installation and Perf Test | |
runs-on: ubuntu-latest | |
timeout-minutes: 60 | |
env: | |
job_name: "Installation and Perf Test" | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- index: 1 | |
name: "native" | |
mode: "gke" | |
encryption: "none" | |
- index: 2 | |
name: "tunnel" | |
mode: "tunnel" | |
encryption: "none" | |
- index: 3 | |
name: "native-ipsec" | |
mode: "gke" | |
encryption: "ipsec" | |
- index: 4 | |
name: "tunnel-ipsec" | |
mode: "tunnel" | |
encryption: "ipsec" | |
- index: 5 | |
name: "native-wireguard" | |
mode: "gke" | |
encryption: "wireguard" | |
- index: 6 | |
name: "tunnel-wireguard" | |
mode: "tunnel" | |
encryption: "wireguard" | |
steps: | |
- name: Collect Workflow Telemetry | |
uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 | |
with: | |
comment_on_pr: false | |
- name: Checkout context ref (trusted) | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ inputs.context-ref || github.sha }} | |
persist-credentials: false | |
- name: Set Environment Variables | |
uses: ./.github/actions/set-env-variables | |
- name: Set up job variables | |
id: vars | |
run: | | |
if [ "${{ github.event_name }}" = "workflow_dispatch" ] || [ ${{ github.event.pull_request }} ] ; then | |
SHA="${{ inputs.SHA }}" | |
OWNER="${{ inputs.PR-number }}" | |
else | |
SHA="${{ github.sha }}" | |
OWNER="${{ github.ref_name }}" | |
OWNER="${OWNER//[.\/]/-}" | |
fi | |
CILIUM_INSTALL_DEFAULTS="--chart-directory=install/kubernetes/cilium \ | |
--helm-set=cluster.name=${{ env.clusterName }}-${{ matrix.index }} \ | |
--helm-set=agentNotReadyTaintKey=ignore-taint.cluster-autoscaler.kubernetes.io/cilium-agent-not-ready \ | |
--wait=false" | |
# only add SHA to the image tags if it was set | |
if [ -n "${SHA}" ]; then | |
echo sha=${SHA} >> $GITHUB_OUTPUT | |
CILIUM_INSTALL_DEFAULTS+=" --helm-set=image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ | |
--helm-set=image.useDigest=false \ | |
--helm-set=image.tag=${SHA} \ | |
--helm-set=operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ | |
--helm-set=operator.image.suffix=-ci \ | |
--helm-set=operator.image.tag=${SHA} \ | |
--helm-set=operator.image.useDigest=false \ | |
--helm-set=clustermesh.apiserver.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci \ | |
--helm-set=clustermesh.apiserver.image.tag=${SHA} \ | |
--helm-set=clustermesh.apiserver.image.useDigest=false \ | |
--helm-set=hubble.relay.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ | |
--helm-set=hubble.relay.image.tag=${SHA} \ | |
--helm-set=hubble.relay.image.useDigest=false" | |
fi | |
CILIUM_INSTALL_DEFAULTS+=" --datapath-mode=${{ matrix.mode }}" | |
if [ "${{ matrix.encryption }}" = "ipsec" ] ; then | |
CILIUM_INSTALL_DEFAULTS+=" --helm-set=encryption.enabled=true --helm-set=encryption.type=ipsec" | |
fi | |
if [ "${{ matrix.encryption }}" = "wireguard" ] ; then | |
CILIUM_INSTALL_DEFAULTS+=" --helm-set=encryption.enabled=true --helm-set=encryption.type=wireguard" | |
fi | |
CILIUM_INSTALL_DEFAULTS+=" ${{ env.CILIUM_INSTALL_NET_PERF_EXTRA_ARGS }}" | |
echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT | |
echo owner=${OWNER} >> $GITHUB_OUTPUT | |
- name: Set up gcloud credentials | |
id: 'auth' | |
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
with: | |
workload_identity_provider: ${{ secrets.GCP_PERF_WORKLOAD_IDENTITY_PROVIDER }} | |
service_account: ${{ secrets.GCP_PERF_SA }} | |
create_credentials_file: true | |
export_environment_variables: true | |
- name: Set up gcloud CLI | |
uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2 | |
with: | |
project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} | |
version: ${{ env.gcloud_version }} | |
- name: Install gke-gcloud-auth-plugin | |
run: | | |
gcloud components install gke-gcloud-auth-plugin | |
- name: Display gcloud CLI info | |
run: | | |
gcloud info | |
- name: Create GKE cluster | |
run: | | |
gcloud container clusters create ${{ env.clusterName }}-${{ matrix.index }} \ | |
--labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name }},owner=${{ steps.vars.outputs.owner }}" \ | |
--zone ${{ env.gcp_zone }} \ | |
--cluster-version ${{ env.k8s_version }} \ | |
--enable-ip-alias \ | |
--create-subnetwork="range=/26" \ | |
--cluster-ipv4-cidr="/21" \ | |
--services-ipv4-cidr="/24" \ | |
--image-type COS_CONTAINERD \ | |
--num-nodes 2 \ | |
--machine-type n2-standard-2 \ | |
--disk-type pd-standard \ | |
--disk-size 20GB \ | |
--node-taints ignore-taint.cluster-autoscaler.kubernetes.io/cilium-agent-not-ready=true:NoExecute | |
- name: Get cluster credentials | |
run: | | |
gcloud container clusters get-credentials ${{ env.clusterName }}-${{ matrix.index }} --zone ${{ env.gcp_zone }} | |
- name: Install Cilium CLI | |
uses: cilium/cilium-cli@3286926bbf80fdd0103a372256459e577224f9f6 # v0.16.20 | |
with: | |
skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} | |
image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} | |
image-tag: ${{ steps.vars.outputs.sha }} | |
- name: Wait for images to be available | |
timeout-minutes: 30 | |
shell: bash | |
run: | | |
for image in cilium-ci operator-generic-ci hubble-relay-ci ; do | |
until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done | |
done | |
- name: Create custom IPsec secret | |
if: ${{ matrix.encryption == 'ipsec' }} | |
run: | | |
kubectl create -n kube-system secret generic cilium-ipsec-keys \ | |
--from-literal=keys="3+ rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" | |
- name: Install Cilium | |
id: install-cilium | |
run: | | |
cilium install --dry-run-helm-values ${{ steps.vars.outputs.cilium_install_defaults }} | |
cilium install ${{ steps.vars.outputs.cilium_install_defaults }} | |
- name: Wait for Cilium to be ready | |
run: | | |
cilium status --wait --wait-duration=10m | |
kubectl get pods -n kube-system | |
kubectl -n kube-system exec daemonset/cilium -- cilium-dbg status | |
- name: Run perf test (${{ matrix.name }}) | |
id: run-perf | |
run: | | |
mkdir output | |
cilium connectivity perf --duration=30s --host-net=true --pod-net=true --report-dir=./output | |
sudo chmod -R +r ./output | |
- name: Get sysdump | |
if: ${{ always() && steps.run-perf.outcome != 'skipped' && steps.run-perf.outcome != 'cancelled' }} | |
run: | | |
cilium status | |
cilium sysdump --output-filename cilium-sysdump-final | |
sudo chmod +r cilium-sysdump-final.zip | |
- name: Clean up GKE | |
if: ${{ always() }} | |
run: | | |
while [ "$(gcloud container operations list --zone ${{ env.gcp_zone }} --filter="status=RUNNING AND targetLink~${{ env.clusterName }}-${{ matrix.index }}" --format="value(name)")" ];do | |
echo "cluster has an ongoing operation, waiting for all operations to finish"; sleep 15 | |
done | |
gcloud container clusters delete ${{ env.clusterName }}-${{ matrix.index }} --zone ${{ env.gcp_zone }} --quiet --async | |
shell: bash {0} # Disable default fail-fast behavior so that all commands run independently | |
- name: Export results and sysdump to GS bucket | |
if: ${{ always() && steps.run-perf.outcome != 'skipped' && steps.run-perf.outcome != 'cancelled' }} | |
uses: cilium/scale-tests-action/export-results@d3ecfd83003f3e9c98ba125ca14933401d44918f # main | |
with: | |
test_name: ${{ env.test_name }}-${{ matrix.name }} | |
results_bucket: ${{ env.GCP_PERF_RESULTS_BUCKET }} | |
artifacts: ./output/* | |
other_files: cilium-sysdump-final.zip | |
commit-status-final: | |
if: ${{ always() }} | |
name: Commit Status Final | |
needs: installation-and-perf | |
runs-on: ubuntu-latest | |
steps: | |
- name: Set final commit status | |
uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 | |
with: | |
sha: ${{ inputs.SHA || github.sha }} | |
status: ${{ needs.installation-and-perf.result }} |