diff --git a/.github/workflows/build-images-base.yaml b/.github/workflows/build-images-base.yaml
deleted file mode 100644
index fe7d2cb64dc4f..0000000000000
--- a/.github/workflows/build-images-base.yaml
+++ /dev/null
@@ -1,308 +0,0 @@ -name: Base Image Release Build - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request_target: - types: - - opened - - synchronize - - reopened - paths: - - images/runtime/** - - images/builder/** - # This workflow can be reused so that renovate can execute this workflow_dispatch: - # run from a different environment than 'release-base-images'. See - # build-images-base-renovate.yaml - workflow_call: - secrets: - QUAY_BASE_RELEASE_USERNAME: - required: true - QUAY_BASE_RELEASE_PASSWORD: - required: true - AUTO_COMMITTER_PEM: - required: true - AUTO_COMMITTER_APP_ID: - required: true - inputs: - environment: - required: true - type: string - default: "release-base-images" - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - build-and-push: - # Skip this workflow for branches that are created by renovate - if: "!startsWith(github.head_ref, 'renovate/')" - name: Build and Push Images - timeout-minutes: 45 - environment: ${{ inputs.environment || 'release-base-images' }} - runs-on: ubuntu-22.04 - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - - name: Set up QEMU - id: qemu - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - - - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - 
- # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set-up git - run: | - git config user.name "Cilium Imagebot" - git config user.email "noreply@cilium.io" - - - name: Generating image tag for Cilium-Runtime - id: runtime-tag - run: | - echo tag="$(git ls-tree --full-tree HEAD -- ./images/runtime | awk '{ print $3 }')" >> $GITHUB_OUTPUT - - - name: Checking if tag for Cilium-Runtime already exists - id: cilium-runtime-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: Login to quay.io - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }} - password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }} - - - name: Release build cilium-runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker_build_release_runtime - with: - provenance: false - context: ./images/runtime - file: ./images/runtime/Dockerfile - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} - - - name: Sign Container Image Runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign sign -y quay.io/${{ 
env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }} - - - - name: Generate SBOM - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - with: - artifact-name: sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json - output-file: ./sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} - - - name: Attach SBOM to Container Image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign attach sbom --sbom sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx.json quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }} - - - name: Sign SBOM Image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - docker_build_release_runtime_digest="${{ steps.docker_build_release_runtime.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${docker_build_release_runtime_digest/:/-}.sbom" - docker_build_release_runtime_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${docker_build_release_runtime_sbom_digest}" - - - name: Image Release Digest Runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - shell: bash - run: | - mkdir -p image-digest/ - echo "## cilium-runtime" > image-digest/cilium-runtime.txt - echo "" >> image-digest/cilium-runtime.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}\`" >> image-digest/cilium-runtime.txt - echo "" >> 
image-digest/cilium-runtime.txt - - - name: Upload artifact digests runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: image-digest cilium-runtime - path: image-digest - retention-days: 1 - - - name: Update Runtime Image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}" - git commit -sam "images: update cilium-{runtime,builder}" - - - name: Generating image tag for Cilium-Builder - id: builder-tag - run: | - echo tag="$(git ls-tree --full-tree HEAD -- ./images/builder | awk '{ print $3 }')" >> $GITHUB_OUTPUT - - - name: Checking if tag for Cilium-Builder already exists - id: cilium-builder-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: Login to quay.io - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' && steps.cilium-runtime-tag-in-repositories.outputs.exists != 'false' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }} - password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }} - - - name: Release build cilium-builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker_build_release_builder - with: - provenance: false - context: ./images/builder - file: ./images/builder/Dockerfile - push: true - 
platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} - - - name: Sign Container Image Builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }} - - - name: Generate SBOM - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - with: - artifact-name: sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json - output-file: ./sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} - - - name: Attach SBOM to Container Image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign attach sbom --sbom sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx.json quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }} - - - name: Sign SBOM Image - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - docker_build_release_builder_digest="${{ steps.docker_build_release_builder.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${docker_build_release_builder_digest/:/-}.sbom" - docker_build_release_builder_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${docker_build_release_builder_sbom_digest}" - - - name: Image Release Digest Builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - shell: bash - run: | - mkdir -p image-digest/ - echo "## cilium-builder" > 
image-digest/cilium-builder.txt - echo "" >> image-digest/cilium-builder.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}\`" >> image-digest/cilium-builder.txt - echo "" >> image-digest/cilium-builder.txt - - - name: Upload artifact digests builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: image-digest cilium-builder - path: image-digest - retention-days: 1 - - - name: Update Runtime Images - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}" - - - name: Update Builder Images - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}" - - - name: Commit changes by amending previous commit - # Run this step in case we have committed the cilium-runtime changes before - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - git commit --amend -sam "images: update cilium-{runtime,builder}" - - - name: Commit changes - # Run this step in case we have NOT committed the cilium-runtime changes before - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists != 'false' && steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - git commit -sam "images: update cilium-{runtime,builder}" - - - name: Get token - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' || 
steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }} - APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }} - - - name: Push changes into PR - env: - REF: ${{ github.event.pull_request.head.ref || github.ref }} - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' || steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - git diff HEAD^ - git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.QUAY_ORGANIZATION }}/cilium.git HEAD:"$REF" - - image-digests: - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push - steps: - - name: Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: image-digest/ - pattern: "*image-digest *" - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat
diff --git a/.github/workflows/build-images-beta.yaml b/.github/workflows/build-images-beta.yaml
deleted file mode 100644
index ad6b1fe6b4d51..0000000000000
--- a/.github/workflows/build-images-beta.yaml
+++ /dev/null
@@ -1,181 +0,0 @@ -name: Beta Image Release Build - -on: - workflow_dispatch: - inputs: - tag: - description: 'Docker Image Tag' - required: true - suffix: - description: 'Docker Image Suffix (e.g. "beta" -> "cilium-beta")' - required: true - default: "beta" - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - build-and-push: - timeout-minutes: 45 - name: Build and Push Images - environment: release-beta-images - runs-on: ubuntu-22.04 - strategy: - matrix: - include: - - name: cilium - dockerfile: ./images/cilium/Dockerfile - - - name: operator - dockerfile: ./images/operator/Dockerfile - - - name: operator-aws - dockerfile: ./images/operator/Dockerfile - - - name: operator-azure - dockerfile: ./images/operator/Dockerfile - - - name: operator-alibabacloud - dockerfile: ./images/operator/Dockerfile - - - name: operator-generic - dockerfile: ./images/operator/Dockerfile - - - name: hubble-relay - dockerfile: ./images/hubble-relay/Dockerfile - - - name: clustermesh-apiserver - dockerfile: ./images/clustermesh-apiserver/Dockerfile - - - name: docker-plugin - dockerfile: ./images/cilium-docker-plugin/Dockerfile - - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - - name: Login to quay.io - uses: 
docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_BETA_USERNAME }} - password: ${{ secrets.QUAY_BETA_PASSWORD }} - - - name: Getting image tag - id: tag - run: | - echo tag=${GITHUB_REF##*/} >> $GITHUB_OUTPUT - - - name: Checking if tag already exists - id: tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} &>/dev/null; then - echo "Tag already exists!" - exit 1 - fi - - - name: Checkout Source Code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - - name: Release Build ${{ matrix.name }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker_build_release - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - - - name: Sign Container Image - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${{ steps.docker_build_release.outputs.digest }} - - - name: Generate SBOM - uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - with: - artifact-name: sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx.json - output-file: ./sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} - - - name: Attach SBOM to Container 
Image - run: | - cosign attach sbom --sbom sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx.json quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${{ steps.docker_build_release.outputs.digest }} - - - name: Sign SBOM Image - run: | - docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${docker_build_release_digest/:/-}.sbom" - docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${docker_build_release_sbom_digest}" - - - name: Image Release Digest - shell: bash - run: | - mkdir -p image-digest/ - echo "## ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - - # Upload artifact digests - - name: Upload artifact digests - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: image-digest ${{ matrix.name }} - path: image-digest - retention-days: 1 - - image-digests: - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push - steps: - - name: Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: image-digest/ - pattern: "*image-digest *" - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat 
diff --git a/.github/workflows/build-images-ci.yaml b/.github/workflows/build-images-ci.yaml
deleted file mode 100644
index 6d0d25d4ef121..0000000000000
--- a/.github/workflows/build-images-ci.yaml
+++ /dev/null
@@ -1,455 +0,0 @@ -name: Image CI Build - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request_target: - types: - - opened - - synchronize - - reopened - push: - branches: - - v1.15 - - ft/v1.15/** - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -jobs: - build-and-push-prs: - timeout-minutes: 45 - name: Build and Push Images - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - strategy: - matrix: - include: - - name: cilium - dockerfile: ./images/cilium/Dockerfile - - - name: operator-aws - dockerfile: ./images/operator/Dockerfile - - - name: operator-azure - dockerfile: ./images/operator/Dockerfile - - - name: operator-alibabacloud - dockerfile: ./images/operator/Dockerfile - - - name: operator-generic - dockerfile: ./images/operator/Dockerfile - - - name: hubble-relay - dockerfile: ./images/hubble-relay/Dockerfile - - - name: clustermesh-apiserver - dockerfile: ./images/clustermesh-apiserver/Dockerfile - - - name: docker-plugin - dockerfile: ./images/cilium-docker-plugin/Dockerfile - - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - - name: Login to quay.io for CI - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME_CI }} - password: ${{ secrets.QUAY_PASSWORD_CI }} - - - name: Getting image 
tag - id: tag - run: | - if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then - echo tag=${{ github.event.pull_request.head.sha }} >> $GITHUB_OUTPUT - else - echo tag=${{ github.sha }} >> $GITHUB_OUTPUT - fi - if [ "${{ github.ref_name }}" == "${{ github.event.repository.default_branch }}" ]; then - echo floating_tag=latest >> $GITHUB_OUTPUT - else - echo floating_tag=${{ github.ref_name }} >> $GITHUB_OUTPUT - fi - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - ref: ${{ steps.tag.outputs.tag }} - - # Load Golang cache build from GitHub - - name: Load ${{ matrix.name }} Golang cache build from GitHub - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.cache/${{ matrix.name }} - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}- - ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}- - ${{ runner.os }}-go- - - - name: Create ${{ matrix.name }} cache directory - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.cache/${{ matrix.name }} - - # Import GitHub's cache build to docker cache - - name: Copy ${{ matrix.name }} Golang cache to docker cache - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - with: - provenance: false - context: /tmp/.cache/${{ matrix.name }} - file: ./images/cache/Dockerfile - push: false - platforms: linux/amd64 - target: import-cache - - - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - - # main branch pushes - - name: CI Build ${{ matrix.name }} - if: ${{ github.event_name != 
'pull_request_target' && !startsWith(github.ref_name, 'ft/') }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker_build_ci - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - # Only push when the event name was a GitHub push, this is to avoid - # re-pushing the image tags when we only want to re-create the Golang - # docker cache after the workflow "Image CI Cache Cleaner" was terminated. - push: ${{ github.event_name == 'push' }} - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }} - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: CI race detection Build ${{ matrix.name }} - if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker_build_ci_detect_race_condition - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - # Only push when the event name was a GitHub push, this is to avoid - # re-pushing the image tags when we only want to re-create the Golang - # docker cache after the workflow "Image CI Cache Cleaner" was terminated. 
- push: ${{ github.event_name == 'push' }} - platforms: linux/amd64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race - target: release - build-args: | - BASE_IMAGE=quay.io/cilium/cilium-runtime:f47aeb07386efd859ae302256447fc51e4956a0f@sha256:ed33c92c070ae5f269c014fe3dca4104b62d042664ce3ec63f5f04604e372c71 - MODIFIERS="LOCKDEBUG=1 RACE=1" - OPERATOR_VARIANT=${{ matrix.name }} - - - name: CI Unstripped Binaries Build ${{ matrix.name }} - if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker_build_ci_unstripped - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - # Only push when the event name was a GitHub push, this is to avoid - # re-pushing the image tags when we only want to re-create the Golang - # docker cache after the workflow "Image CI Cache Cleaner" was terminated. - push: ${{ github.event_name == 'push' }} - platforms: linux/amd64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped - target: release - build-args: | - MODIFIERS="NOSTRIP=1" - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Sign Container Images - # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). - # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. - # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case - # neither push nor load are set in the docker/build-push-action action. 
- if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }} - - - name: Generate SBOM - # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). - # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. - # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case - # neither push nor load are set in the docker/build-push-action action. - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - with: - artifact-name: sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - output-file: ./sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} - - - name: Generate SBOM (race) - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - with: - artifact-name: sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - output-file: ./sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race - - - name: Generate SBOM (unstripped) - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - with: - 
artifact-name: sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - output-file: ./sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped - - - name: Attach SBOM to Container Images - # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). - # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. - # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case - # neither push nor load are set in the docker/build-push-action action. - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - run: | - cosign attach sbom --sbom sbom_ci_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci.outputs.digest }} - cosign attach sbom --sbom sbom_ci_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }} - cosign attach sbom --sbom sbom_ci_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_unstripped.outputs.digest }} - - - name: Sign SBOM Images - # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). - # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. - # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case - # neither push nor load are set in the docker/build-push-action action. 
- if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - run: | - docker_build_ci_digest="${{ steps.docker_build_ci.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_digest/:/-}.sbom" - docker_build_ci_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_sbom_digest}" - - docker_build_ci_detect_race_condition_digest="${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_detect_race_condition_digest/:/-}.sbom" - docker_build_ci_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_detect_race_condition_sbom_digest}" - - docker_build_ci_unstripped_digest="${{ steps.docker_build_ci_unstripped.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_unstripped_digest/:/-}.sbom" - docker_build_ci_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_unstripped_sbom_digest}" - - - name: CI Image Releases digests - # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). - # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. - # It would even fail because `steps.docker_build_ci*.outputs.digest` isn't set in case - # neither push nor load are set in the docker/build-push-action action. 
- if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - shell: bash - run: | - mkdir -p image-digest/ - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}@${{ steps.docker_build_ci.outputs.digest }}" > image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - - # PR or feature branch updates - - name: CI Build ${{ matrix.name }} - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker_build_ci_pr - with: - provenance: false - context: . 
- file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: CI race detection Build ${{ matrix.name }} - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker_build_ci_pr_detect_race_condition - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race - target: release - build-args: | - BASE_IMAGE=quay.io/cilium/cilium-runtime:f47aeb07386efd859ae302256447fc51e4956a0f@sha256:ed33c92c070ae5f269c014fe3dca4104b62d042664ce3ec63f5f04604e372c71 - MODIFIERS="LOCKDEBUG=1 RACE=1" - OPERATOR_VARIANT=${{ matrix.name }} - - - name: CI Unstripped Binaries Build ${{ matrix.name }} - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker_build_ci_pr_unstripped - with: - provenance: false - context: . 
- file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped - target: release - build-args: | - MODIFIERS="NOSTRIP=1" - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Sign Container Images - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }} - - - name: Generate SBOM - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - with: - artifact-name: sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - output-file: ./sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} - - - name: Generate SBOM (race) - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - with: - artifact-name: sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - output-file: ./sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race - - - name: Generate SBOM (unstripped) - if: ${{ github.event_name == 
'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - with: - artifact-name: sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - output-file: ./sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped - - - name: Attach SBOM to Container Images - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - run: | - cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} - cosign attach sbom --sbom sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }} - cosign attach sbom --sbom sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }} - - - name: Sign SBOM Images - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - run: | - docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom" - docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}" - - docker_build_ci_pr_detect_race_condition_digest="${{ 
steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_detect_race_condition_digest/:/-}.sbom" - docker_build_ci_pr_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_detect_race_condition_sbom_digest}" - - docker_build_ci_pr_unstripped_digest="${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_unstripped_digest/:/-}.sbom" - docker_build_ci_pr_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_unstripped_sbom_digest}" - - - name: CI Image Releases digests - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - shell: bash - run: | - mkdir -p image-digest/ - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - - # Upload artifact digests - - name: Upload artifact digests - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: image-digest ${{ matrix.name }} - path: 
image-digest - retention-days: 1 - - # Store docker's golang's cache build locally only on the main branch - - name: Store ${{ matrix.name }} Golang cache build locally - if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' && github.ref_name == github.event.repository.default_branch }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - with: - provenance: false - context: . - file: ./images/cache/Dockerfile - push: false - outputs: type=local,dest=/tmp/docker-cache-${{ matrix.name }} - platforms: linux/amd64 - target: export-cache - - # Store docker's golang's cache build locally only on the main branch - - name: Store ${{ matrix.name }} Golang cache in GitHub cache path - if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' && github.ref_name == github.event.repository.default_branch }} - shell: bash - run: | - mkdir -p /tmp/.cache/${{ matrix.name }}/ - if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz ]; then - cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz /tmp/.cache/${{ matrix.name }}/ - fi - if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz ]; then - cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz /tmp/.cache/${{ matrix.name }}/ - fi - - image-digests: - if: ${{ always() }} - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push-prs - steps: - - name: Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: image-digest/ - pattern: "*image-digest *" - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat 
diff --git a/.github/workflows/build-images-docs-builder.yaml b/.github/workflows/build-images-docs-builder.yaml deleted file mode 100644
index 1dc2d9075f448..0000000000000
--- a/.github/workflows/build-images-docs-builder.yaml
+++ /dev/null
@@ -1,180 +0,0 @@ -name: Docs-builder Image Build - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request_target: - types: - - opened - - synchronize - - reopened - paths: - - Documentation/Dockerfile - - Documentation/requirements.txt - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} - cancel-in-progress: true - -jobs: - build-and-push: - name: Build and Push Image - runs-on: ubuntu-22.04 - timeout-minutes: 30 - environment: docs-builder - outputs: - tag: ${{ steps.docs-builder-tag.outputs.tag }} - digest: ${{ steps.docker-build-docs-builder.outputs.digest }} - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set environment variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - - - name: Generate image tag for docs-builder - id: docs-builder-tag - run: | - echo tag="$(git ls-tree --full-tree HEAD -- ./Documentation | awk '{ print $3 }')" >> $GITHUB_OUTPUT - - - name: Check if tag for docs-builder already exists - id: docs-builder-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ steps.docs-builder-tag.outputs.tag }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: Login to quay.io - if: ${{ steps.docs-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_DOCS_BUILDER_USERNAME }} - password: ${{ secrets.QUAY_DOCS_BUILDER_PASSWORD }} - logout: true - - - name: Build docs-builder image - if: ${{ steps.docs-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker-build-docs-builder - with: - provenance: false - context: ./Documentation - file: ./Documentation/Dockerfile - push: true - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ steps.docs-builder-tag.outputs.tag }} - - # Use a separate job for the steps below, to ensure we're no longer logged - # into Quay.io. 
- update-pr: - name: Update Pull Request with new image reference - needs: build-and-push - if: needs.build-and-push.outputs.digest - runs-on: ubuntu-22.04 - timeout-minutes: 10 - environment: docs-builder - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set environment variables - uses: ./.github/actions/set-env-variables - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set up git - run: | - git config user.name "Cilium Imagebot" - git config user.email "noreply@cilium.io" - - - name: Update docs-builder image reference in CI workflow - run: | - NEW_IMAGE="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ needs.build-and-push.outputs.tag }}@${{ needs.build-and-push.outputs.digest }}" - # Run in Docker to prevent the script from accessing the environment. 
- docker run --rm -v $PWD:/cilium -w /cilium "${NEW_IMAGE}" \ - bash -c "git config --global --add safe.directory /cilium && \ - /cilium/Documentation/update-docs-builder-image.sh ${NEW_IMAGE}" - git commit -sam "ci: update docs-builder" - - - name: Get token - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }} - APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }} - - - name: Push changes into PR - env: - REF: ${{ github.event.pull_request.head.ref }} - run: | - git diff HEAD^ - git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.QUAY_ORGANIZATION }}/cilium.git HEAD:"$REF" - - image-digest: - name: Retrieve and display image digest - needs: build-and-push - if: needs.build-and-push.outputs.digest - runs-on: ubuntu-22.04 - timeout-minutes: 10 - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set environment variables - uses: ./.github/actions/set-env-variables - - - name: Retrieve image digest - shell: bash - run: | - NEW_IMAGE="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ needs.build-and-push.outputs.tag }}@${{ needs.build-and-push.outputs.digest }}" - mkdir -p image-digest/ - echo "## docs-builder" > image-digest/docs-builder.txt - echo "" >> image-digest/docs-builder.txt - echo "\`${NEW_IMAGE}\`" >> image-digest/docs-builder.txt - echo "" >> image-digest/docs-builder.txt - - - name: Upload artifact digests - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: image-digest docs-builder - path: image-digest - retention-days: 1 - - - name: Output image digest - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat 
diff --git a/.github/workflows/build-images-hotfixes.yaml b/.github/workflows/build-images-hotfixes.yaml deleted file mode 100644
index 85ebe825bbfab..0000000000000
--- a/.github/workflows/build-images-hotfixes.yaml
+++ /dev/null
@@ -1,175 +0,0 @@ -name: Hot Fix Image Release Build - -on: - push: - branches: - - hf/v1.15/** - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -jobs: - build-and-push: - timeout-minutes: 45 - name: Build and Push Images - environment: release-developer-images - runs-on: ubuntu-22.04 - strategy: - matrix: - include: - - name: cilium - dockerfile: ./images/cilium/Dockerfile - - - name: operator - dockerfile: ./images/operator/Dockerfile - - - name: operator-aws - dockerfile: ./images/operator/Dockerfile - - - name: operator-azure - dockerfile: ./images/operator/Dockerfile - - - name: operator-alibabacloud - dockerfile: ./images/operator/Dockerfile - - - name: operator-generic - dockerfile: ./images/operator/Dockerfile - - - name: hubble-relay - dockerfile: ./images/hubble-relay/Dockerfile - - - name: clustermesh-apiserver - dockerfile: ./images/clustermesh-apiserver/Dockerfile - - - name: docker-plugin - dockerfile: ./images/cilium-docker-plugin/Dockerfile - - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - - - name: Login to quay.io - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_DEVELOPER_USERNAME }} - password: ${{ secrets.QUAY_DEVELOPER_PASSWORD }} - - - name: Getting image tag - id: tag - run: | - echo tag=${GITHUB_REF##*/} >> $GITHUB_OUTPUT - - - name: Checking if tag already exists - id: tag-in-repositories - shell: bash - run: | - if docker buildx 
imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }} &>/dev/null; then - echo "Tag already exists!" - exit 1 - fi - - - name: Checkout Source Code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - - name: Release Build ${{ matrix.name }} - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0 - id: docker_build_release - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }} - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ github.sha }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - - - name: Sign Container Image - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${{ steps.docker_build_release.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_release.outputs.digest }} - - - name: Generate SBOM - uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0 - with: - artifact-name: sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - output-file: ./sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json - image: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }} - - - name: Attach SBOM to Container Images - run: | - cosign attach sbom --sbom sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${{ steps.docker_build_release.outputs.digest }} - cosign attach sbom --sbom sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx.json 
quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_release.outputs.digest }} - - - name: Sign SBOM Image - run: | - docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${docker_build_release_digest/:/-}.sbom" - docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${docker_build_release_sbom_digest}" - - docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_release_digest/:/-}.sbom" - docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_release_sbom_digest}" - - - name: Image Release Digest - shell: bash - run: | - mkdir -p image-digest/ - echo "## ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ github.sha }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - - # Upload artifact digests - - name: Upload artifact digests - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: image-digest ${{ matrix.name }} - path: image-digest - retention-days: 1 - - image-digests: - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push - steps: - - 
name: Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: image-digest/ - pattern: "*image-digest *" - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat
diff --git a/.github/workflows/conformance-aks.yaml b/.github/workflows/conformance-aks.yaml deleted file mode 100644
index f9dce36bd7fca..0000000000000
--- a/.github/workflows/conformance-aks.yaml
+++ /dev/null
@@ -1,400 +0,0 @@ -name: Conformance AKS (ci-aks) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - # Run every 6 hours - schedule: - - cron: '0 0/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - # Required to generate OIDC tokens for `az` authentication - id-token: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cost_reduction: --node-vm-size Standard_B2s --node-osdisk-size 30 - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - empty: ${{ steps.set-matrix.outputs.empty }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/azure" - destination_directory="/tmp/generated/azure" - mkdir -p "${destination_directory}" - - yq -o=json "${work_dir}/k8s-versions.yaml" | jq . > "${destination_directory}/azure.json" - - - name: Generate Matrix - run: | - cd /tmp/generated/azure - - # Use complete matrix in case of scheduled run - # main -> event_name = schedule - # other stable branches -> PR-number starting with v (e.g. 
v1.14) - if [[ "${{ github.event_name }}" == "schedule" || "${{ inputs.PR-number }}" == v* ]];then - jq '{ "include": [ .include[] | select(.disabled==null) ] }' azure.json > /tmp/matrix.json - else - jq '{ "include": [ .include[] | select(.default) ] }' azure.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - - - name: Login to Azure - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - creds: ${{ secrets.AZURE_PR_SP_CREDS }} - - - name: Filter Matrix - id: set-matrix - run: | - cp /tmp/matrix.json /tmp/result.json - jq -c '.include[]' /tmp/matrix.json | while read i; do - VERSION=$(echo $i | jq -r '.version') - LOCATION=$(echo $i | jq -r '.location') - az aks get-versions --location $LOCATION > /tmp/output - if grep -q -F $VERSION /tmp/output; then - echo "Version $VERSION is valid for location $LOCATION" - else - echo "::notice::Removing version $VERSION as it's not valid for location $LOCATION" - jq 'del(.include[] | select(.version == "'$VERSION'"))' /tmp/result.json > /tmp/result.json.tmp - mv /tmp/result.json.tmp /tmp/result.json - fi - done - echo "Filtered matrix:" - cat /tmp/result.json - echo "matrix=$(jq -c . 
< /tmp/result.json)" >> $GITHUB_OUTPUT - echo "empty=$(jq '(.include | length) == 0' /tmp/result.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - if: ${{ needs.generate-matrix.outputs.empty == 'false' }} - runs-on: ubuntu-latest - timeout-minutes: 60 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Override cluster name - run: | - # Extend default name with matrix index to avoid cluster name conflicts - NAME=${{ env.name }}-${{ matrix.index }} - echo "name=${NAME}" >> "$GITHUB_ENV" - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set cluster.name=${{ env.name }} \ - --helm-set loadBalancer.l7.backend=envoy \ - --helm-set tls.secretsBackend=k8s \ - --helm-set=azure.resourceGroup=${{ env.name }} \ - --helm-set ipam.operator.clusterPoolIPv4PodCIDRList=192.168.0.0/16" # To avoid clashing with the default Service CIDR of AKS (10.0.0.0/16) - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled \ - --hubble=false --collect-sysdump-on-failure --external-target bing.com. 
--external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Login to Azure - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - creds: ${{ secrets.AZURE_PR_SP_CREDS }} - - - name: Create AKS cluster - run: | - # Create group - az group create \ - --name ${{ env.name }} \ - --location ${{ matrix.location }} \ - --tags usage=${{ github.repository_owner }}-${{ github.event.repository.name }} owner=${{ steps.vars.outputs.owner }} - - # Create AKS cluster - az aks create \ - --resource-group ${{ env.name }} \ - --name ${{ env.name }} \ - --location ${{ matrix.location }} \ - --kubernetes-version ${{ matrix.version }} \ - --network-plugin none \ - --node-count 2 \ - ${{ env.cost_reduction }} \ - --generate-ssh-keys - - - name: Get cluster credentials - run: | - az aks get-credentials \ - --resource-group ${{ env.name }} \ - --name ${{ env.name }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-azure-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Enable Relay - run: | - cilium hubble enable - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait --wait-duration=10m - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}) - 1.xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Clean up Cilium - run: | - pkill -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" || test $? 
-eq 1 - cilium uninstall --wait - - - name: Create custom IPsec secret - run: | - kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="15 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - - name: Install Cilium with encryption - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} \ - --helm-set encryption.enabled=true \ - --helm-set encryption.type=ipsec - - - name: Enable Relay - run: | - cilium hubble enable - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait --wait-duration=10m - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Run connectivity test with IPSec (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} --force-deploy \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}) - 2.xml" \ - --junit-property github_job_step="Run connectivity test with IPSec (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Clean up AKS - if: ${{ always() }} - run: | - az group delete --name ${{ env.name }} --yes --no-wait - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.index }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ 
always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.index }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() && needs.installation-and-connectivity.result != 'skipped' }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: installation-and-connectivity - steps: - - name: Merge Sysdumps - if: ${{ needs.installation-and-connectivity.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result != 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result == 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ github.event_name != 'schedule' && 'success' || 'failure' }} - description: 'Skipped' 
diff --git a/.github/workflows/conformance-aws-cni.yaml b/.github/workflows/conformance-aws-cni.yaml
deleted file mode 100644
index dc62731ef8520..0000000000000
--- a/.github/workflows/conformance-aws-cni.yaml
+++ /dev/null
@@ -1,402 +0,0 @@ -name: Conformance AWS-CNI (ci-awscni) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - # renovate: datasource=github-releases depName=eksctl-io/eksctl - eksctl_version: v0.188.0 - # renovate: datasource=github-releases depName=kubernetes/kubernetes - kubectl_version: v1.30.3 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - empty: ${{ steps.set-matrix.outputs.empty }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/aws" - destination_directory="/tmp/generated/aws" - mkdir -p "${destination_directory}" - - yq -o=json "${work_dir}/k8s-versions.yaml" | jq . > "${destination_directory}/aws.json" - - - name: Generate Matrix - run: | - cd /tmp/generated/aws - - # Use complete matrix in case of scheduled run - # main -> event_name = schedule - # other stable branches -> PR-number starting with v (e.g. 
v1.14) - if [[ "${{ github.event_name }}" == "schedule" || "${{ inputs.PR-number }}" == v* ]];then - cp aws.json /tmp/matrix.json - else - jq '{ "include": [ .include[] | select(.default) ] }' aws.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - - # We use latest eksctl just to fetch recent supported versions. - # We don't use that eksctl to create cluster. - # Eksctl has hardcoded list of supported versions in the binary. - # This is hack until https://github.com/aws/containers-roadmap/issues/982 is resolved. - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Filter Matrix - id: set-matrix - run: | - cp /tmp/matrix.json /tmp/result.json - jq -c '.include[]' /tmp/matrix.json | while read i; do - VERSION=$(echo $i | jq -r '.version') - eksctl version -o json | jq -r '.EKSServerSupportedVersions[]' > /tmp/output - if grep -q -F $VERSION /tmp/output; then - echo "Version $VERSION is supported" - else - echo "::notice::Removing version $VERSION as it's not supported" - jq 'del(.include[] | select(.version == "'$VERSION'"))' /tmp/result.json > /tmp/result.json.tmp - mv /tmp/result.json.tmp /tmp/result.json - fi - done - echo "Filtered matrix:" - cat /tmp/result.json - echo "matrix=$(jq -c . 
< /tmp/result.json)" >> $GITHUB_OUTPUT - echo "empty=$(jq '(.include | length) == 0' /tmp/result.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - if: ${{ needs.generate-matrix.outputs.empty == 'false' }} - runs-on: ubuntu-latest - timeout-minutes: 45 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - # Set ipam.mode=cluster-pool to overwrite the ipam value set by the - # cilium-cli which is setting it to 'eni' because it auto-detects - # the cluster as being EKS. - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=cluster.name=${{ env.clusterName }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=enableIPv4Masquerade=false \ - --helm-set=cni.chainingMode=aws-cni \ - --helm-set=eni.enabled=false \ - --helm-set=ipam.mode=cluster-pool \ - --helm-set=routingMode=native \ - --helm-set=bandwidthManager.enabled=false \ - --wait=false" - - # L7 policies are not supported in chaining mode. - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \ - --test '!fqdn,!l7' --external-target amazon.com. 
--external-ip 1.0.0.1 --external-other-ip 1.1.1.1" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Install kubectl - run: | - curl -sLO "https://dl.k8s.io/release/${{ env.kubectl_version }}/bin/linux/amd64/kubectl" - curl -sLO "https://dl.k8s.io/${{ env.kubectl_version }}/bin/linux/amd64/kubectl.sha256" - echo "$(cat kubectl.sha256) kubectl" | sha256sum --check - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - kubectl version --client - - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Set up AWS CLI credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - aws-access-key-id: ${{ secrets.AWS_PR_SA_ID }} - aws-secret-access-key: ${{ secrets.AWS_PR_SA_KEY }} - aws-region: ${{ matrix.region }} - - - name: Create EKS cluster - uses: ./.github/actions/setup-eks-cluster - with: - cluster_name: ${{ env.clusterName }} - region: ${{ matrix.region }} - owner: "${{ steps.vars.outputs.owner }}" - version: ${{ matrix.version }} - spot: false - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha 
}} &> /dev/null; do sleep 45s; done - done - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium to be ready - run: | - cilium status --wait --wait-duration=10m - kubectl get pods -n kube-system - - - name: Check that AWS iptables chains have not been removed - run: | - for pod in $(kubectl get po -n kube-system -l app.kubernetes.io/name=cilium-agent -o name); do - echo "Checking ${pod}" - if ! kubectl exec -n kube-system ${pod} -c cilium-agent -- iptables-save | grep --silent ':AWS'; then - echo "Expected AWS iptables chains are not present" - exit 1 - fi - done - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - echo "=== Retrieve cluster state ===" - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default 
fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.version }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.version }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() && needs.installation-and-connectivity.result != 'skipped' }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: installation-and-connectivity - steps: - - name: Merge Sysdumps - if: ${{ needs.installation-and-connectivity.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result != 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result == 'skipped' }} - uses: 
myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ github.event_name != 'schedule' && 'success' || 'failure' }} - description: 'Skipped' - - - cleanup: - name: Cleanup EKS Clusters - if: ${{ always() && needs.generate-matrix.outputs.empty == 'false' }} - continue-on-error: true - needs: [generate-matrix, installation-and-connectivity] - runs-on: ubuntu-latest - timeout-minutes: 45 - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Set up AWS CLI credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - aws-access-key-id: ${{ secrets.AWS_PR_SA_ID }} - aws-secret-access-key: ${{ secrets.AWS_PR_SA_KEY }} - aws-region: ${{ matrix.region }} - - - name: Clean up EKS - run: | - eksctl delete cluster --name ${{ env.clusterName }} --region ${{ matrix.region }} diff --git a/.github/workflows/conformance-clustermesh.yaml b/.github/workflows/conformance-clustermesh.yaml deleted file mode 100644 index e2727ef32f847..0000000000000 --- a/.github/workflows/conformance-clustermesh.yaml +++ /dev/null 
@@ -1,635 +0,0 @@ -name: Conformance Cluster Mesh (ci-clustermesh) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - v1.15 - - ft/v1.15/** - - 'renovate/v1.15-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - clusterName1: cluster1-${{ github.run_id }} - clusterName2: cluster2-${{ github.run_id }} - contextName1: kind-cluster1-${{ github.run_id }} - contextName2: kind-cluster2-${{ github.run_id }} - - # renovate: datasource=github-releases depName=cert-manager/cert-manager - CERT_MANAGER_VERSION: v1.15.2 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - installation-and-connectivity: - name: Installation and Connectivity Test - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - timeout-minutes: 60 - env: - job_name: "Installation and Connectivity Test" - - strategy: - fail-fast: false - matrix: - include: - - name: '1' - tunnel: 'disabled' - ipfamily: 'ipv4' - encryption: 'disabled' - kube-proxy: 'iptables' - mode: 'kvstoremesh' - tls-auto-method: helm - cm-auth-mode-1: 'legacy' - cm-auth-mode-2: 'legacy' - maxConnectedClusters: '255' - - - name: '2' - tunnel: 'disabled' - ipfamily: 'dual' - encryption: 'wireguard' - kube-proxy: 'none' - mode: 'clustermesh' - tls-auto-method: cronJob - cm-auth-mode-1: 'migration' - cm-auth-mode-2: 'migration' - maxConnectedClusters: '511' - - # IPsec encryption cannot be used with BPF NodePort. 
- - name: '3' - tunnel: 'disabled' - ipfamily: 'dual' - encryption: 'ipsec' - kube-proxy: 'iptables' - mode: 'kvstoremesh' - tls-auto-method: certmanager - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - - # IPsec encryption is currently not supported in case of ipv6-only clusters (#23553) - # Wireguard encryption is currently affected by a bug in case of ipv6-only clusters (#23917) - - name: '4' - tunnel: 'disabled' - ipfamily: 'ipv6' - encryption: 'disabled' - kube-proxy: 'none' - mode: 'clustermesh' - tls-auto-method: certmanager - cm-auth-mode-1: 'legacy' - cm-auth-mode-2: 'migration' - maxConnectedClusters: '255' - - # IPsec encryption cannot be used with BPF NodePort. - - name: '5' - tunnel: 'disabled' - ipfamily: 'dual' - encryption: 'ipsec' - kube-proxy: 'iptables' - mode: 'external' - tls-auto-method: helm - maxConnectedClusters: '255' - - - name: '6' - tunnel: 'vxlan' - ipfamily: 'ipv4' - encryption: 'disabled' - kube-proxy: 'none' - mode: 'clustermesh' - tls-auto-method: helm - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - - - name: '7' - tunnel: 'geneve' - ipfamily: 'dual' - encryption: 'wireguard' - kube-proxy: 'iptables' - mode: 'kvstoremesh' - tls-auto-method: cronJob - cm-auth-mode-1: 'migration' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '511' - - # IPsec encryption cannot be used with BPF NodePort. 
- - name: '8' - tunnel: 'vxlan' - ipfamily: 'dual' - encryption: 'ipsec' - kube-proxy: 'iptables' - mode: 'clustermesh' - tls-auto-method: certmanager - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - - # Tunneling is currently not supported in case of ipv6-only clusters (#17240) - # - name: '9' - # tunnel: 'vxlan' - # ipfamily: 'ipv6' - # encryption: 'disabled' - # kube-proxy: 'none' - # mode: 'kvstoremesh' - # tls-auto-method: certmanager - # cm-auth-mode-1: 'cluster' - # cm-auth-mode-2: 'cluster' - - - name: '10' - tunnel: 'vxlan' - ipfamily: 'dual' - encryption: 'wireguard' - kube-proxy: 'iptables' - mode: 'external' - tls-auto-method: helm - maxConnectedClusters: '511' - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables for GHA environment - id: vars - run: | - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=kubeProxyReplacement=${{ matrix.kube-proxy == 'none' }} \ - --helm-set=bpf.masquerade=${{ matrix.kube-proxy == 'none' }} \ - --helm-set=hubble.enabled=true \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=hubble.tls.auto.method=${{ matrix.tls-auto-method }} \ - --helm-set=hubble.tls.auto.certManagerIssuerRef.group=cert-manager.io \ - --helm-set=hubble.tls.auto.certManagerIssuerRef.kind=Issuer \ - --helm-set=hubble.tls.auto.certManagerIssuerRef.name=cilium \ - --helm-set=clustermesh.useAPIServer=${{ matrix.mode != 'external' }} \ - --helm-set=clustermesh.apiserver.kvstoremesh.enabled=${{ matrix.mode == 
'kvstoremesh' }} \ - --helm-set=clustermesh.maxConnectedClusters=${{ matrix.maxConnectedClusters }} \ - --helm-set=clustermesh.apiserver.tls.auto.method=${{ matrix.tls-auto-method }} \ - --helm-set=clustermesh.apiserver.tls.auto.certManagerIssuerRef.group=cert-manager.io \ - --helm-set=clustermesh.apiserver.tls.auto.certManagerIssuerRef.kind=Issuer \ - --helm-set=clustermesh.apiserver.tls.auto.certManagerIssuerRef.name=cilium \ - " - - CILIUM_INSTALL_TUNNEL="--helm-set=tunnelProtocol=${{ matrix.tunnel }}" - if [ "${{ matrix.tunnel }}" == "disabled" ]; then - CILIUM_INSTALL_TUNNEL="--helm-set-string=routingMode=native \ - --helm-set=autoDirectNodeRoutes=true \ - --helm-set=ipv4NativeRoutingCIDR=10.240.0.0/12 \ - --helm-set=ipv6NativeRoutingCIDR=fd00:10:240::/44" - fi - - case "${{ matrix.ipFamily }}" in - ipv4) - CILIUM_INSTALL_IPFAMILY="--helm-set=ipv4.enabled=true --helm-set=ipv6.enabled=false" - KIND_POD_CIDR_1="10.242.0.0/16" - KIND_SVC_CIDR_1="10.243.0.0/16" - KIND_POD_CIDR_2="10.244.0.0/16" - KIND_SVC_CIDR_2="10.245.0.0/16" - ;; - ipv6) - CILIUM_INSTALL_IPFAMILY="--helm-set=ipv4.enabled=false --helm-set=ipv6.enabled=true" - KIND_POD_CIDR_1="fd00:10:242::/48" - KIND_SVC_CIDR_1="fd00:10:243::/112" - KIND_POD_CIDR_2="fd00:10:244::/48" - KIND_SVC_CIDR_2="fd00:10:245::/112" - ;; - dual) - CILIUM_INSTALL_IPFAMILY="--helm-set=ipv4.enabled=true --helm-set=ipv6.enabled=true" - KIND_POD_CIDR_1="10.242.0.0/16,fd00:10:242::/48" - KIND_SVC_CIDR_1="10.243.0.0/16,fd00:10:243::/112" - KIND_POD_CIDR_2="10.244.0.0/16,fd00:10:244::/48" - KIND_SVC_CIDR_2="10.245.0.0/16,fd00:10:245::/112" - ;; - *) - echo "Unknown IP family '${{ matrix.ipFamily }}'" && false - ;; - esac - - CILIUM_INSTALL_ENCRYPTION="" - if [ "${{ matrix.encryption }}" != "disabled" ]; then - CILIUM_INSTALL_ENCRYPTION="--helm-set=encryption.enabled=true \ - --helm-set=encryption.type=${{ matrix.encryption }}" - fi - - CILIUM_INSTALL_INGRESS="" - if [ "${{ matrix.kube-proxy }}" == "none" ]; then - 
CILIUM_INSTALL_INGRESS="--helm-set=ingressController.enabled=true" - # Once https://github.com/cilium/cilium/issues/31653 is fixed, we can remove tunnel check - # Use the legacy host routing in case of tunnel disabled - if [ "${{ matrix.tunnel }}" == "disabled" ]; then - CILIUM_INSTALL_INGRESS+=" --helm-set=bpf.hostLegacyRouting=true" - fi - fi - - CONNECTIVITY_TEST_DEFAULTS="--hubble=false \ - --flow-validation=disabled \ - --multi-cluster=${{ env.contextName2 }} \ - --external-target=google.com. \ - --include-unsafe-tests \ - --collect-sysdump-on-failure" - - # Skip external traffic (e.g. 1.1.1.1 and www.google.com) tests as IPv6 is not supported - # in GitHub runners: https://github.com/actions/runner-images/issues/668 - if [[ "${{ matrix.ipFamily }}" == "ipv6" ]]; then - CONNECTIVITY_TEST_DEFAULTS="$CONNECTIVITY_TEST_DEFAULTS \ - --test='!/pod-to-world' \ - --test='!/pod-to-cidr'" - fi - - echo cilium_install_defaults="${CILIUM_INSTALL_DEFAULTS} ${CILIUM_INSTALL_TUNNEL} \ - ${CILIUM_INSTALL_IPFAMILY} ${CILIUM_INSTALL_ENCRYPTION} ${CILIUM_INSTALL_INGRESS}" >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - echo kind_pod_cidr_1=${KIND_POD_CIDR_1} >> $GITHUB_OUTPUT - echo kind_svc_cidr_1=${KIND_SVC_CIDR_1} >> $GITHUB_OUTPUT - echo kind_pod_cidr_2=${KIND_POD_CIDR_2} >> $GITHUB_OUTPUT - echo kind_svc_cidr_2=${KIND_SVC_CIDR_2} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Generate Kind configuration files - run: | - PODCIDR=${{ steps.vars.outputs.kind_pod_cidr_1 }} \ - SVCCIDR=${{ steps.vars.outputs.kind_svc_cidr_1 }} \ - IPFAMILY=${{ matrix.ipFamily }} \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst 
< ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster1.yaml - - PODCIDR=${{ steps.vars.outputs.kind_pod_cidr_2 }} \ - SVCCIDR=${{ steps.vars.outputs.kind_svc_cidr_2 }} \ - IPFAMILY=${{ matrix.ipFamily }} \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster2.yaml - - - name: Create Kind cluster 1 - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - cluster_name: ${{ env.clusterName1 }} - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ./.github/kind-config-cluster1.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Create Kind cluster 2 - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - cluster_name: ${{ env.clusterName2 }} - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ./.github/kind-config-cluster2.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Label one of the nodes as external to the cluster - run: | - kubectl --context ${{ env.contextName1 }} label node \ - ${{ env.clusterName1 }}-worker2 cilium.io/no-schedule=true - - # Make sure that coredns uses IPv4-only upstream DNS servers also in case of clusters - # with IP family dual, since IPv6 ones are not reachable and cause spurious failures. - # Additionally, this is also required to workaround #23283. 
- - name: Configure the coredns nameservers - run: | - COREDNS_PATCH=" - spec: - template: - spec: - dnsPolicy: None - dnsConfig: - nameservers: - - 8.8.4.4 - - 8.8.8.8 - " - - kubectl --context ${{ env.contextName1 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH" - kubectl --context ${{ env.contextName2 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH" - - - name: Start kvstore clusters - id: kvstore - if: matrix.mode == 'external' - uses: ./.github/actions/kvstore - with: - clusters: 2 - - - name: Create the secret containing the kvstore credentials - if: matrix.mode == 'external' - run: | - kubectl --context ${{ env.contextName1 }} create -n kube-system -f ${{ steps.kvstore.outputs.cilium_etcd_secrets_path }} - kubectl --context ${{ env.contextName2 }} create -n kube-system -f ${{ steps.kvstore.outputs.cilium_etcd_secrets_path }} - - - name: Install cert-manager CRDs and create Cilium's issuer - if: matrix.tls-auto-method == 'certmanager' - run: | - # Generate the Cilium CA key and certificate - openssl genrsa 4096 > cilium-ca-key.pem - openssl req -new -x509 -nodes -days 1 -key cilium-ca-key.pem -out cilium-ca-crt.pem -subj "/CN=Cilium CA/" - - cat << EOF > issuer.yaml - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: cilium - namespace: kube-system - spec: - ca: - secretName: cilium-root-ca - EOF - - for ctx in ${{ env.contextName1 }} ${{ env.contextName2 }}; do - # Install the cert-manager CRDs - CRD_URL="https://github.com/cert-manager/cert-manager/releases/download/${{ env.CERT_MANAGER_VERSION }}/cert-manager.crds.yaml" - kubectl --context $ctx apply -f $CRD_URL - - # Create the Cilium CA secret - kubectl --context $ctx create -n kube-system secret tls cilium-root-ca \ - --key=cilium-ca-key.pem --cert=cilium-ca-crt.pem - - # Create the cert-manager issuer - kubectl --context $ctx apply -f issuer.yaml - done - - - name: Set clustermesh connection parameters - if: matrix.mode == 'external' - id: 
clustermesh-vars - run: | - echo "cilium_install_clustermesh= \ - --set=clustermesh.config.enabled=true \ - --set clustermesh.config.clusters[0].name=${{ env.clusterName1 }} \ - --set clustermesh.config.clusters[1].name=${{ env.clusterName2 }} \ - ${{ steps.kvstore.outputs.cilium_install_clustermesh }} \ - " >> $GITHUB_OUTPUT - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci clustermesh-apiserver-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Create the IPSec secret in both clusters - if: matrix.encryption == 'ipsec' - run: | - SECRET="3 rfc4106(gcm(aes)) $(openssl rand -hex 20) 128" - kubectl --context ${{ env.contextName1 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - kubectl --context ${{ env.contextName2 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - - - name: Install Cilium in cluster1 - id: install-cilium-cluster1 - env: - KVSTORE_ID: 1 - run: | - # Explicitly configure the NodePort to make sure that it is different in - # each cluster, to workaround #24692 - cilium --context ${{ env.contextName1 }} install \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - --helm-set cluster.name=${{ env.clusterName1 }} \ - --helm-set cluster.id=1 \ - --helm-set clustermesh.apiserver.service.nodePort=32379 \ - --helm-set clustermesh.apiserver.tls.authMode=${{ 
matrix.cm-auth-mode-1 }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_clustermesh }} \ - --nodes-without-cilium - - - name: Copy the Cilium CA secret to cluster2, as they must match - if: matrix.tls-auto-method != 'certmanager' - run: | - kubectl --context ${{ env.contextName1 }} get secret -n kube-system cilium-ca -o yaml | - kubectl --context ${{ env.contextName2 }} create -f - - - - name: Install Cilium in cluster2 - env: - KVSTORE_ID: 2 - run: | - # Explicitly configure the NodePort to make sure that it is different in - # each cluster, to workaround #24692 - cilium --context ${{ env.contextName2 }} install \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - --helm-set cluster.name=${{ env.clusterName2 }} \ - --helm-set cluster.id=${{ matrix.maxConnectedClusters }} \ - --helm-set clustermesh.apiserver.service.nodePort=32380 \ - --helm-set clustermesh.apiserver.tls.authMode=${{ matrix.cm-auth-mode-2 }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_clustermesh }} - - - name: Install cert-manager - if: matrix.tls-auto-method == 'certmanager' - run: | - helm repo add jetstack https://charts.jetstack.io - for ctx in ${{ env.contextName1 }} ${{ env.contextName2 }}; do - helm --kube-context $ctx install \ - cert-manager jetstack/cert-manager \ - --namespace cert-manager \ - --create-namespace \ - --version ${{ env.CERT_MANAGER_VERSION }} - done - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait - cilium --context ${{ env.contextName2 }} clustermesh status --wait - - - name: Connect clusters - if: matrix.mode != 'external' - run: | - cilium --context ${{ env.contextName1 }} clustermesh connect --destination-context ${{ env.contextName2 }} - - - 
name: Wait for cluster mesh status to be ready - if: matrix.mode != 'external' - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait - cilium --context ${{ env.contextName2 }} clustermesh status --wait - - - name: Port forward Relay - run: | - cilium --context ${{ env.contextName1 }} hubble port-forward & - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium-cluster1.outcome != 'skipped' }} - run: | - cilium --context ${{ env.contextName1 }} status - cilium --context ${{ env.contextName1 }} clustermesh status - cilium --context ${{ env.contextName2 }} status - cilium --context ${{ env.contextName2 }} clustermesh status - - kubectl config use-context ${{ env.contextName1 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context1-final-${{ join(matrix.*, '-') }} - - kubectl config use-context ${{ env.contextName2 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context2-final-${{ join(matrix.*, '-') }} - - if [ "${{ matrix.mode }}" == "external" ]; then - for i in {1..2}; do - echo - echo "# Retrieving logs from kvstore$i docker container" - docker logs kvstore$i - done - fi - shell: bash {0} # Disable default fail-fast behaviour so that all commands run 
independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.name }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.name }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: installation-and-connectivity - steps: - - name: Merge Sysdumps - if: ${{ needs.installation-and-connectivity.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} diff --git a/.github/workflows/conformance-e2e.yaml b/.github/workflows/conformance-e2e.yaml deleted file mode 100644 index 4f009d44b9b66..0000000000000 --- a/.github/workflows/conformance-e2e.yaml +++ /dev/null 
@@ -1,462 +0,0 @@ -name: Conformance E2E (ci-e2e) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - runs-on: ubuntu-latest-4cores-16gb - name: 'Setup & Test' - env: - job_name: 'Setup & Test' - strategy: - fail-fast: false - max-parallel: 16 - matrix: - include: - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - # ! NOTE: keep tests-e2e-upgrade.yaml config in sync ! - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
- - - name: '1' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '4.19-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - host-fw: 'true' - - - name: '2' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - host-fw: 'true' - - - name: '3' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - endpoint-routes: 'true' - - - name: '4' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '5' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - lb-mode: 'dsr' - endpoint-routes: 'true' - egress-gateway: 'true' - host-fw: 'true' - - - name: '6' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - tunnel: 'vxlan' - lb-mode: 'snat' - egress-gateway: 'true' - host-fw: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - - - name: '7' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.6-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - lb-mode: 'snat' - egress-gateway: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - - - name: '8' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.6-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'geneve' - 
endpoint-routes: 'true' - - - name: '9' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - encryption: 'wireguard' - encryption-node: 'false' - lb-mode: 'snat' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '10' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - encryption: 'wireguard' - encryption-node: 'false' - lb-mode: 'dsr' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '11' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - encryption: 'wireguard' - encryption-node: 'true' - lb-mode: 'snat' - egress-gateway: 'true' - ingress-controller: 'true' - - - name: '12' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.6-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - encryption: 'wireguard' - encryption-node: 'true' - lb-mode: 'snat' - egress-gateway: 'true' - ingress-controller: 'true' - - - name: '13' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '4.19-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - misc: 'policyCIDRMatchMode=nodes' - - - name: '14' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - egress-gateway: 'true' - lb-acceleration: 'testing-only' - - - name: '15' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - 
kernel: '6.6-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - ingress-controller: 'true' - misc: 'bpf.tproxy=true' - - - name: '16' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - encryption: 'wireguard' - encryption-node: 'false' - host-fw: 'true' - - timeout-minutes: 60 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - - - name: Derive Cilium installation config and junit type - id: cilium-config - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: './untrusted/install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - devices: ${{ matrix.devices }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - ingress-controller: ${{ matrix.ingress-controller }} - misc: ${{ matrix.misc }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ 
env.cilium_cli_ci_version }} - binary-name: cilium-cli - binary-dir: ./ - - - name: Set Kind params - id: kind-params - shell: bash - run: | - IP_FAM="dual" - if [ "${{ matrix.ipv6 }}" == "false" ]; then - IP_FAM="ipv4" - fi - echo params="--xdp --secondary-network \"\" 3 \"\" \"\" ${{ matrix.kube-proxy }} $IP_FAM" >> $GITHUB_OUTPUT - - - name: Provision K8s on LVH VM - uses: ./.github/actions/lvh-kind - with: - test-name: e2e-conformance - kernel: ${{ matrix.kernel }} - kind-params: "${{ steps.kind-params.outputs.params }}" - kind-image: ${{ env.KIND_K8S_IMAGE }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - shell: bash - run: | - kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]' - - export CILIUM_CLI_MODE=helm - ./cilium-cli install ${{ steps.cilium-config.outputs.config }} - kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-server --timeout=300s - kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-agent --timeout=300s - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium-dbg status - - mkdir -p cilium-junits - - - name: Run tests - shell: bash - run: | - EXTRA=() - if [ "${{ matrix.secondary-network 
}}" = "true" ]; then - EXTRA+=("--secondary-network-iface=eth1") - fi - - # EXTRA+=("--expected-drop-reasons=+Host datapath not ready") - - # it's fine to ignore the "No egress gateway found" drop reason as this may be caused by the kind=echo pods - # sending traffic while the egressgw policy map is still being populated. - # - # The actual connectivity test will ensure that the map is in sync with the policy and that egressgw traffic - # always go through the correct gateway - EXTRA+=("--expected-drop-reasons=+No egress gateway found") - - ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - "${EXTRA[@]}" \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ matrix.name }}).xml" \ - --junit-property github_job_step="Run tests (${{ matrix.name }})" \ - - - name: Fetch artifacts - if: ${{ !success() && steps.run-tests.outcome != 'skipped' }} - shell: bash - run: | - kubectl get pods --all-namespaces -o wide - ./cilium-cli status - mkdir -p cilium-sysdumps - ./cilium-cli sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.name }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.name }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge 
Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/conformance-eks.yaml b/.github/workflows/conformance-eks.yaml deleted file mode 100644 index 8c18d5fa53942..0000000000000 --- a/.github/workflows/conformance-eks.yaml +++ /dev/null 
@@ -1,432 +0,0 @@ -name: Conformance EKS (ci-eks) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - # renovate: datasource=github-releases depName=eksctl-io/eksctl - eksctl_version: v0.188.0 - # renovate: datasource=github-releases depName=kubernetes/kubernetes - kubectl_version: v1.30.3 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - empty: ${{ steps.set-matrix.outputs.empty }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/aws" - destination_directory="/tmp/generated/aws" - mkdir -p "${destination_directory}" - - yq -o=json "${work_dir}/k8s-versions.yaml" | jq . > "${destination_directory}/aws.json" - - - name: Generate Matrix - run: | - cd /tmp/generated/aws - - # Use complete matrix in case of scheduled run - # main -> event_name = schedule - # other stable branches -> PR-number starting with v (e.g. 
v1.14) - if [[ "${{ github.event_name }}" == "schedule" || "${{ inputs.PR-number }}" == v* ]];then - cp aws.json /tmp/matrix.json - else - jq '{ "include": [ .include[] | select(.default) ] }' aws.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - - # We use latest eksctl just to fetch recent supported versions. - # We don't use that eksctl to create cluster. - # Eksctl has hardcoded list of supported versions in the binary. - # This is hack until https://github.com/aws/containers-roadmap/issues/982 is resolved. - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Filter Matrix - id: set-matrix - run: | - cp /tmp/matrix.json /tmp/result.json - jq -c '.include[]' /tmp/matrix.json | while read i; do - VERSION=$(echo $i | jq -r '.version') - eksctl version -o json | jq -r '.EKSServerSupportedVersions[]' > /tmp/output - if grep -q -F $VERSION /tmp/output; then - echo "Version $VERSION is supported" - else - echo "::notice::Removing version $VERSION as it's not supported" - jq 'del(.include[] | select(.version == "'$VERSION'"))' /tmp/result.json > /tmp/result.json.tmp - mv /tmp/result.json.tmp /tmp/result.json - fi - done - echo "Filtered matrix:" - cat /tmp/result.json - echo "matrix=$(jq -c . 
< /tmp/result.json)" >> $GITHUB_OUTPUT - echo "empty=$(jq '(.include | length) == 0' /tmp/result.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - if: ${{ needs.generate-matrix.outputs.empty == 'false' }} - runs-on: ubuntu-latest - timeout-minutes: 90 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=cluster.name=${{ env.clusterName }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set loadBalancer.l7.backend=envoy \ - --helm-set tls.secretsBackend=k8s \ - --helm-set=bpf.monitorAggregation=none \ - --wait=false" - if [[ "${{ matrix.ipsec }}" == "true" ]]; then - CILIUM_INSTALL_DEFAULTS+=" --helm-set encryption.enabled=true --helm-set encryption.type=ipsec" - fi - - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \ - --external-target amazon.com." 
- echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - binary-name: cilium-cli - binary-dir: ./ - - - name: Install kubectl - run: | - curl -sLO "https://dl.k8s.io/release/${{ env.kubectl_version }}/bin/linux/amd64/kubectl" - curl -sLO "https://dl.k8s.io/${{ env.kubectl_version }}/bin/linux/amd64/kubectl.sha256" - echo "$(cat kubectl.sha256) kubectl" | sha256sum --check - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - kubectl version --client - - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Set up AWS CLI credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - aws-access-key-id: ${{ secrets.AWS_PR_SA_ID }} - aws-secret-access-key: ${{ secrets.AWS_PR_SA_KEY }} - aws-region: ${{ matrix.region }} - - - name: Create EKS cluster - uses: ./.github/actions/setup-eks-cluster - with: - cluster_name: ${{ env.clusterName }} - region: ${{ matrix.region }} - owner: "${{ steps.vars.outputs.owner }}" - version: ${{ matrix.version }} - spot: false - - - name: Create IPsec key - if: ${{ matrix.ipsec == true }} - shell: bash - run: | - KEYID=15 - kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${KEYID} rfc4106(gcm(aes)) $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 
64) 128" - - # This is a workaround for flake #16938. - - name: Remove AWS-CNI - run: | - kubectl -n kube-system delete daemonset aws-node - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-aws-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Install Cilium - id: install-cilium - run: | - ./cilium-cli install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium to be ready - run: | - ./cilium-cli status --wait --wait-duration=10m - kubectl get pods -n kube-system - - - name: Check that AWS leftover iptables chains have been removed - run: | - for pod in $(kubectl get po -n kube-system -l app.kubernetes.io/name=cilium-agent -o name); do - echo "Checking ${pod}" - if kubectl exec -n kube-system ${pod} -c cilium-agent -- iptables-save | grep --silent ':AWS'; then - echo "Unexpected AWS leftover iptables chains" - kubectl exec -n kube-system ds/cilium -- iptables-save | grep ':AWS' - exit 1 - fi - done - - - name: Port forward Relay - run: | - ./cilium-cli hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - ./cilium-cli connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file 
"cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}) - 1.xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Setup conn-disrupt-test before rotating (${{ join(matrix.*, ', ') }}) - if: ${{ matrix.ipsec == true }} - uses: ./.github/actions/conn-disrupt-test-setup - - - name: Run IPsec key rotation tests (${{ join(matrix.*, ', ') }}) - if: ${{ matrix.ipsec == true }} - uses: ./.github/actions/ipsec-key-rotate - with: - key-algo: "gcm(aes)" - key-type-one: "" - key-type-two: "" - - - name: Check conn-disrupt-test after rotating (${{ join(matrix.*, ', ') }}) - if: ${{ matrix.ipsec == true }} - uses: ./.github/actions/conn-disrupt-test-check - with: - full-test: 'true' - extra-connectivity-test-flags: ${{ steps.vars.outputs.connectivity_test_defaults }} - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - ./cilium-cli status - ./cilium-cli sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.version }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.version }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() && needs.installation-and-connectivity.result != 'skipped' }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: 
installation-and-connectivity - steps: - - name: Merge Sysdumps - if: ${{ needs.installation-and-connectivity.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result != 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result == 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ github.event_name != 'schedule' && 'success' || 'failure' }} - description: 'Skipped' - - - cleanup: - name: Cleanup EKS Clusters - if: ${{ always() && needs.generate-matrix.outputs.empty == 'false' }} - continue-on-error: true - needs: [generate-matrix, installation-and-connectivity] - runs-on: ubuntu-latest - timeout-minutes: 30 - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Set up AWS CLI 
credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - aws-access-key-id: ${{ secrets.AWS_PR_SA_ID }} - aws-secret-access-key: ${{ secrets.AWS_PR_SA_KEY }} - aws-region: ${{ matrix.region }} - - - name: Clean up EKS - run: | - eksctl delete cluster --name ${{ env.clusterName }} --region ${{ matrix.region }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently diff --git a/.github/workflows/conformance-externalworkloads.yaml b/.github/workflows/conformance-externalworkloads.yaml deleted file mode 100644 index e8a4ee9a98ee2..0000000000000 --- a/.github/workflows/conformance-externalworkloads.yaml +++ /dev/null 
@@ -1,440 +0,0 @@ -name: Conformance External Workloads (ci-external-workloads) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - # To be able to request the JWT from GitHub's OIDC provider - id-token: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}-vm - vmName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}-vm - vmStartupScript: .github/gcp-vm-startup.sh - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - USE_GKE_GCLOUD_AUTH_PLUGIN: True - # renovate: datasource=docker depName=google/cloud-sdk - gcloud_version: 486.0.0 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - empty: ${{ steps.set-matrix.outputs.empty }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/gke" - destination_directory="/tmp/generated/gke" - mkdir -p "${destination_directory}" - - yq -o=json ${work_dir}/k8s-versions.yaml | jq . 
> "${destination_directory}/gke.json" - - - name: Generate Matrix - run: | - cd /tmp/generated/gke - - # Use complete matrix in case of scheduled run - # main -> event_name = schedule - # other stable branches -> PR-number starting with v (e.g. v1.14) - if [[ "${{ github.event_name }}" == "schedule" || "${{ inputs.PR-number }}" == v* ]];then - jq '{ "include": [ .k8s[] ] }' gke.json > /tmp/matrix.json - else - jq '{ "include": [ .k8s[] | select(.default) ] }' gke.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - - - name: Set up gcloud credentials - id: 'auth' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: ${{ secrets.GCP_PR_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PR_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: ${{ secrets.GCP_PROJECT_ID }} - version: ${{ env.gcloud_version }} - - - name: Filter Matrix - id: set-matrix - run: | - cp /tmp/matrix.json /tmp/result.json - jq -c '.include[]' /tmp/matrix.json | while read i; do - VERSION=$(echo $i | jq -r '.version') - ZONE=$(echo $i | jq -r '.zone') - gcloud --quiet container get-server-config \ - --flatten="channels" --filter="channels.channel=REGULAR" \ - --format="yaml(channels.validVersions)" --zone $ZONE > /tmp/output - if grep -q -F $VERSION /tmp/output; then - echo "Version $VERSION is valid for zone $ZONE" - else - echo "::notice::Removing version $VERSION as it's not valid for zone $ZONE" - jq 'del(.include[] | select(.version == "'$VERSION'"))' /tmp/result.json > /tmp/result.json.tmp - mv /tmp/result.json.tmp /tmp/result.json - fi - done - echo "Filtered matrix:" - cat /tmp/result.json - - echo "matrix=$(jq -c . 
< /tmp/result.json)" >> $GITHUB_OUTPUT - echo "empty=$(jq '(.include | length) == 0' /tmp/result.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - if: ${{ needs.generate-matrix.outputs.empty == 'false' }} - runs-on: ubuntu-latest - timeout-minutes: 45 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set cluster.name=${{ env.clusterName }} \ - --datapath-mode=tunnel \ - --helm-set kubeProxyReplacement=true" - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \ - --external-target google.com. --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8" - # Explicitly specify LoadBalancer service type since the default type is NodePort in Helm mode. - # Ref: https://github.com/cilium/cilium-cli/pull/1527#discussion_r1177244379 - # - # In Helm mode, externalWorkloads.enabled is set to false by default. You need to pass - # --enable-external-workloads flag to enable it. 
- # Ref: https://github.com/cilium/cilium/pull/25259 - CLUSTERMESH_ENABLE_DEFAULTS="--service-type LoadBalancer --enable-external-workloads" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo clustermesh_enable_defaults=${CLUSTERMESH_ENABLE_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Set up gcloud credentials - id: 'auth' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: ${{ secrets.GCP_PR_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PR_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: ${{ secrets.GCP_PROJECT_ID }} - version: ${{ env.gcloud_version }} - - - name: Install gke-gcloud-auth-plugin - run: | - gcloud components install gke-gcloud-auth-plugin - - - name: Display gcloud CLI info - run: | - gcloud info - - - name: Create GCP VM - uses: nick-invision/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 - with: - retry_on: error - timeout_minutes: 1 - max_attempts: 10 - command: | - gcloud compute instances create ${{ env.vmName }}-${{ matrix.vmIndex }} \ - --labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name }},owner=${{ steps.vars.outputs.owner }}" \ - --zone ${{ matrix.zone }} \ - --machine-type e2-custom-2-4096 \ - --boot-disk-type pd-standard \ - --boot-disk-size 10GB \ - --image-project 
ubuntu-os-cloud \ - --image-family ubuntu-2004-lts \ - --metadata hostname=${{ env.vmName }}-${{ matrix.vmIndex }} \ - --metadata-from-file startup-script=${{ env.vmStartupScript}} - - - name: Create GKE cluster - run: | - gcloud container clusters create ${{ env.clusterName }} \ - --labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name }},owner=${{ steps.vars.outputs.owner }}" \ - --zone ${{ matrix.zone }} \ - --cluster-version ${{ matrix.version }} \ - --enable-ip-alias \ - --node-taints node.cilium.io/agent-not-ready=true:NoExecute \ - --cluster-ipv4-cidr="/21" \ - --services-ipv4-cidr="/24" \ - --image-type COS_CONTAINERD \ - --num-nodes 2 \ - --machine-type e2-custom-2-4096 \ - --disk-type pd-standard \ - --disk-size 20GB - - - name: Get cluster credentials - run: | - gcloud container clusters get-credentials ${{ env.clusterName }} --zone ${{ matrix.zone }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci clustermesh-apiserver-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium in cluster - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Enable cluster mesh - run: | - cilium clustermesh enable ${{ steps.vars.outputs.clustermesh_enable_defaults }} - - - name: Wait for cluster mesh status to be ready - run: | - cilium clustermesh status --wait - - - name: Add VM to cluster mesh - run: | - cilium clustermesh vm create ${{ env.vmName }}-${{ matrix.vmIndex }} -n default --ipv4-alloc-cidr 10.192.1.0/30 - cilium clustermesh vm status - - - name: Install Cilium on VM - run: | - cilium clustermesh vm install install-external-workload.sh --config debug - gcloud compute scp install-external-workload.sh ${{ env.vmName }}-${{ matrix.vmIndex }}:~/ --zone ${{ matrix.zone }} - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \ - --command "~/install-external-workload.sh" - sleep 5s - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \ - --command "sudo cilium-dbg status" - - - name: Verify cluster DNS on VM - # Limit nslookup to the first (global) DNS server setting - run: | - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \ - --command "nslookup -d2 -retry=10 -timeout=5 -norecurse clustermesh-apiserver.kube-system.svc.cluster.local \$(systemd-resolve --status | grep -m 1 
\"Current DNS Server:\" | cut -d':' -f2)" - - - name: Ping clustermesh-apiserver from VM - run: | - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \ - --command "ping -c 3 \$(sudo cilium-dbg service list get -o jsonpath='{[?(@.spec.flags.name==\"clustermesh-apiserver\")].spec.backend-addresses[0].ip}')" - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - kubectl get cew --all-namespaces -o wide - kubectl get cep --all-namespaces -o wide - cilium status - cilium clustermesh status - cilium clustermesh vm status - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} --command "sudo cilium status" - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} --command "sudo docker logs cilium --timestamps" - cilium sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Clean up GKE cluster and VM - if: ${{ always() }} - run: | - while [ "$(gcloud container operations list --zone ${{ matrix.zone }} --filter="status=RUNNING AND targetLink~${{ env.clusterName }}" --format="value(name)")" ];do - echo "cluster has an ongoing operation, waiting for all operations to finish"; sleep 15 - done - gcloud container clusters delete ${{ env.clusterName }} --zone ${{ matrix.zone }} --quiet --async - gcloud compute instances delete ${{ env.vmName }}-${{ 
matrix.vmIndex }} --zone ${{ matrix.zone }} --quiet - shell: bash {0} # Disable default fail-fast behavior so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.vmIndex }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.vmIndex }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() && needs.installation-and-connectivity.result != 'skipped' }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: installation-and-connectivity - steps: - - name: Merge Sysdumps - if: ${{ needs.installation-and-connectivity.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result != 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} - - name: Set final commit status - if: ${{ 
needs.installation-and-connectivity.result == 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ github.event_name != 'schedule' && 'success' || 'failure' }} - description: 'Skipped' diff --git a/.github/workflows/conformance-gateway-api.yaml b/.github/workflows/conformance-gateway-api.yaml deleted file mode 100644 index 99742768268ba..0000000000000 --- a/.github/workflows/conformance-gateway-api.yaml +++ /dev/null 
@@ -1,312 +0,0 @@ -name: Conformance Gateway API (ci-gateway-api) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - v1.15 - - ft/v1.15/** - - 'renovate/v1.15-**' - paths-ignore: - - 'Documentation/**' - - 'test/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - kind_config: .github/kind-config.yaml - gateway_api_version: v1.0.0 - metallb_version: 0.12.1 - timeout: 5m - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - gateway-api-conformance-test: - name: Gateway API Conformance Test - runs-on: ubuntu-latest - timeout-minutes: 120 - strategy: - fail-fast: false - matrix: - include: - - crd-channel: experimental - conformance-profile: false - - crd-channel: standard - conformance-profile: false - - crd-channel: experimental - conformance-profile: true - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set image tag 
- id: vars - run: | - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - EXEMPT_FEATURES="GatewayPort8080,GatewayStaticAddresses,Mesh" - if [ ${{ matrix.crd-channel }} == "standard" ]; then - EXEMPT_FEATURES+=",HTTPRouteParentRefPort,HTTPRouteDestinationPortMatching,HTTPRouteRequestTimeout,HTTPRouteBackendTimeout" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=debug.verbose=envoy \ - --helm-set kubeProxyReplacement=true \ - --helm-set=gatewayAPI.enabled=true \ - --helm-set=l2announcements.enabled=true \ - --helm-set=devices='{eth0}'" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo skipped_tests=${SKIPPED_TESTS} >> $GITHUB_OUTPUT - echo exempt-features=${EXEMPT_FEATURES} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - examples - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ${{ env.kind_config }} - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> 
/dev/null; do sleep 45s; done - done - - - name: Install Gateway API CRDs - run: | - # Install Gateway CRDs - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_gatewayclasses.yaml - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_gateways.yaml - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_httproutes.yaml - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_referencegrants.yaml - ## TLSRoute is only available in experimental channel in v0.7.0 - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml - - # To make sure that Gateway API CRs are available - kubectl wait --for condition=Established crd/gatewayclasses.gateway.networking.k8s.io --timeout=${{ env.timeout }} - kubectl wait --for condition=Established crd/gateways.gateway.networking.k8s.io --timeout=${{ env.timeout }} - kubectl wait --for condition=Established crd/httproutes.gateway.networking.k8s.io --timeout=${{ env.timeout }} - kubectl wait --for condition=Established crd/tlsroutes.gateway.networking.k8s.io --timeout=${{ env.timeout }} - kubectl wait --for condition=Established crd/grpcroutes.gateway.networking.k8s.io --timeout=${{ env.timeout }} - kubectl wait --for condition=Established 
crd/referencegrants.gateway.networking.k8s.io --timeout=${{ env.timeout }} - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Install Cilium LB IPPool and L2 Announcement Policy - timeout-minutes: 10 - run: | - KIND_NET_CIDR=$(docker network inspect kind -f '{{json .IPAM.Config}}' | jq -r '.[] | select(.Subnet | test("^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+")) | .Subnet') - echo "KIND_NET_CIDR: $KIND_NET_CIDR" - LB_CIDR=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.200/28@") - echo "LB_CIDR: $LB_CIDR" - - echo "Deploying LB-IPAM Pool..." - cat << EOF > pool.yaml - apiVersion: "cilium.io/v2alpha1" - kind: CiliumLoadBalancerIPPool - metadata: - name: "pool" - spec: - cidrs: - - cidr: "$LB_CIDR" - EOF - cat pool.yaml - kubectl apply -f pool.yaml - - echo "Deploying L2-Announcement Policy..." - cat << 'EOF' > l2policy.yaml - apiVersion: "cilium.io/v2alpha1" - kind: CiliumL2AnnouncementPolicy - metadata: - name: l2policy - spec: - loadBalancerIPs: true - interfaces: - - eth0 - nodeSelector: - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: DoesNotExist - EOF - cat l2policy.yaml - kubectl apply -f l2policy.yaml - - - name: Run Gateway API conformance test - timeout-minutes: 30 - run: | - if [ ${{ matrix.conformance-profile }} == "true" ]; then - GATEWAY_API_CONFORMANCE_TESTS=1 go test \ - -p 4 \ - -v ./operator/pkg/gateway-api \ - --gateway-class cilium \ - --all-features \ - --exempt-features "${{ steps.vars.outputs.exempt-features }}" \ - --conformance-profiles HTTP,TLS \ - --organization cilium \ - --project cilium \ - --url github.com/cilium/cilium \ - --version main \ - --contact https://github.com/cilium/community/blob/main/roles/Maintainers.md \ - --report-output report.yaml \ - -test.run "TestExperimentalConformance" \ - -test.skip "${{ 
steps.vars.outputs.skipped_tests }}" - else - GATEWAY_API_CONFORMANCE_TESTS=1 go test \ - -p 4 \ - -v ./operator/pkg/gateway-api \ - --gateway-class cilium \ - --all-features \ - --exempt-features "${{ steps.vars.outputs.exempt-features }}" \ - -test.run "TestConformance" \ - -test.skip "${{ steps.vars.outputs.skipped_tests }}" - fi - - - name: Upload report artifacts - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: report-${{ matrix.conformance-profile }}-${{ matrix.crd-channel }}.yaml - path: operator/pkg/gateway-api/report.yaml - retention-days: 5 - if-no-files-found: ignore - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdump-out-${{ matrix.conformance-profile }}-${{ matrix.crd-channel }} - path: cilium-sysdump-out-*.zip - retention-days: 5 - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: gateway-api-conformance-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.gateway-api-conformance-test.result }} diff --git a/.github/workflows/conformance-ginkgo.yaml b/.github/workflows/conformance-ginkgo.yaml deleted file mode 100644 index ea0fa01724dec..0000000000000 --- a/.github/workflows/conformance-ginkgo.yaml +++ /dev/null 
@@ -1,513 +0,0 @@ -name: Conformance Ginkgo (ci-ginkgo) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - setup-vars: - name: Setup Vars - runs-on: ubuntu-latest - outputs: - SHA: ${{ steps.vars.outputs.SHA }} - context-ref: ${{ steps.vars.outputs.context-ref }} - owner: ${{ steps.vars.outputs.owner }} - steps: - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - CONTEXT_REF="${{ inputs.context-ref }}" - OWNER="${{ inputs.PR-number }}" - else - SHA="${{ github.sha }}" - CONTEXT_REF="${{ github.sha }}" - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - echo SHA=${SHA} >> $GITHUB_OUTPUT - echo context-ref=${CONTEXT_REF} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - # Pre-build the ginkgo binary so that we don't have to build it for all - # runners. - build-ginkgo-binary: - runs-on: ubuntu-latest - name: Build Ginkgo E2E - timeout-minutes: 30 - steps: - # If any of these steps are modified, please update the copy of these - # steps further down under the 'setup-and-test' jobs. - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.SHA || github.sha }} - persist-credentials: false - - # Load Ginkgo build from GitHub - - name: Load ginkgo E2E from GH cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-e2e-${{ hashFiles('**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - wait-for-images: - needs: setup-vars - runs-on: ubuntu-latest - name: Wait for images - timeout-minutes: 30 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ needs.setup-vars.outputs.SHA }} 
&> /dev/null; do sleep 45s; done - done - - generate-matrix: - name: Generate Job Matrix from YAMLs - needs: setup-vars - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/ginkgo" - destination_directory="/tmp/generated/ginkgo" - mkdir -p "${destination_directory}" - for file in "${work_dir}"/main*.yaml; do - if [[ -f "$file" ]]; then - filename=$(basename "$file") - new_filename="${filename%.yaml}.json" - - yq -o=json "${file}" | jq . > "${destination_directory}/${new_filename}" - fi - done - - - name: Generate Matrix - id: set-matrix - run: | - if ${{ github.event_name == 'schedule' }}; then - k8s_versions_to_run='main-scheduled.json' - else - k8s_versions_to_run='main-prs.json' - fi - - # Generate a Matrix from all k8s versions defined in '${k8s_versions_to_run}' - # combined with 'main-focus.yaml'. - # Use 'main-k8s-versions.yaml' to - # retrieve which kernel versions should be used for which k8s version. - - dir="/tmp/generated/ginkgo" - cd ${dir} - jq --argjson prs "$(jq '.["k8s-version"]' ${k8s_versions_to_run})" \ - --argfile focus main-focus.json \ - '.include |= map(select(.["k8s-version"] as $k | $prs[] | select($k == .))) + $focus.include | - . + {"k8s-version": $prs} | - .focus = $focus.focus | .exclude = $focus.exclude' \ - main-k8s-versions.json> /tmp/merged.json - echo "Generated matrix:" - cat /tmp/merged.json - echo "matrix=$(jq -c . 
< /tmp/merged.json)" >> $GITHUB_OUTPUT - - setup-and-test: - needs: [setup-vars, build-ginkgo-binary, generate-matrix, wait-for-images] - runs-on: - group: ginkgo-runners - timeout-minutes: 35 - name: "E2E Test (${{ matrix.k8s-version }}, ${{matrix.focus}})" - env: - job_name: "E2E Test (${{ matrix.k8s-version }}, ${{matrix.focus}})" - strategy: - fail-fast: false - max-parallel: 60 - matrix: ${{ fromJSON(needs.generate-matrix.outputs.matrix) }} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.SHA || github.sha }} - persist-credentials: false - - - name: Install cilium-cli - shell: bash - run: | - cid=$(docker create quay.io/cilium/cilium-cli-ci:latest ls) - docker cp $cid:/usr/local/bin/cilium ./cilium-cli - docker rm $cid - - - name: Install helm - shell: bash - run: | - # renovate: datasource=github-releases depName=helm/helm - HELM_VERSION=v3.13.1 - wget "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" - tar -xf "helm-${HELM_VERSION}-linux-amd64.tar.gz" - mv ./linux-amd64/helm ./helm - - - name: Provision LVH VMs - id: provision-vh-vms - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - test-name: datapath-conformance - install-dependencies: true - image-version: ${{ matrix.kernel }} - host-mount: ./ - cpu: 4 - mem: 12G - cmd: | - git config --global --add safe.directory /host - mv /host/helm /usr/bin - mv /host/cilium-cli /usr/bin - - - name: Provision kind - timeout-minutes: 5 - uses: 
cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - if [[ "${{ matrix.kernel }}" == 6.6-* ]]; then - ./contrib/scripts/kind.sh "" 2 "" "${{ matrix.kube-image }}" "none" "${{ matrix.ip-family }}" - kubectl label node kind-worker2 cilium.io/ci-node=kind-worker2 - # Avoid re-labeling this node by setting "node-role.kubernetes.io/controlplane" - kubectl label node kind-worker2 node-role.kubernetes.io/controlplane= - else - ./contrib/scripts/kind.sh "" 1 "" "${{ matrix.kube-image }}" "iptables" "${{ matrix.ip-family }}" - fi - # Some tests using demo-customcalls.yaml are mounting this directoy - mkdir -p /home/vagrant/go/src/github.com/cilium - ln -s /host /home/vagrant/go/src/github.com/cilium/cilium - git config --add safe.directory /cilium - - # Load Ginkgo build from GitHub - - name: Load ${{ matrix.name }} Ginkgo build from GitHub - uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-e2e-${{ hashFiles('**/*.go') }} - - # Re-build the tests if it was a cache miss. 
- - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Copy Ginkgo binary - shell: bash - run: | - cd test/ - tar -xf /tmp/.ginkgo-build/test.tgz - - - name: Run tests - id: run-tests - timeout-minutes: 40 - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/test/ - kubectl get ns -A -o wide - kubectl get pods -A -o wide - export K8S_NODES=2 - export NETNEXT=0 - if [[ "${{ matrix.kernel }}" == 6.6-* ]]; then - export KERNEL=net-next - export NETNEXT=1 - export KUBEPROXY=0 - export K8S_NODES=3 - export NO_CILIUM_ON_NODES=kind-worker2 - elif [[ "${{ matrix.kernel }}" == 4.19-* ]]; then - export KERNEL=419 - elif [[ "${{ matrix.kernel }}" == 5.4-* ]]; then - export KERNEL=54 - fi - export K8S_VERSION=${{ matrix.k8s-version }} - export CNI_INTEGRATION=kind - export INTEGRATION_TESTS=true - # GitHub actions do not support IPv6 connectivity to outside - # world. 
- export CILIUM_NO_IPV6_OUTSIDE=true - echo "/root/go/bin/ginkgo \ - --focus=\"${{ matrix.cliFocus }}\" \ - --skip=\"${{ matrix.cliSkip }}\" \ - --seed=1679952881 \ - -v -- \ - -cilium.provision=false \ - -cilium.image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - -cilium.tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.operator-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - -cilium.operator-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.hubble-relay-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - -cilium.hubble-relay-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.kubeconfig=/root/.kube/config \ - -cilium.provision-k8s=false \ - -cilium.operator-suffix=-ci" - - ./test.test \ - --ginkgo.focus="${{ matrix.cliFocus }}" \ - --ginkgo.skip="${{ matrix.cliSkip }}" \ - --ginkgo.seed=1679952881 \ - --ginkgo.v -- \ - -cilium.provision=false \ - -cilium.image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - -cilium.tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.operator-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - -cilium.operator-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.hubble-relay-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - -cilium.hubble-relay-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.kubeconfig=/root/.kube/config \ - -cilium.provision-k8s=false \ - -cilium.operator-suffix=-ci - - - name: Fetch artifacts - if: ${{ !success() && steps.provision-vh-vms.outcome == 'success' }} - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host - kubectl get pods --all-namespaces -o wide - tar -zcf "test_results-${{ env.job_name }}.tar.gz" /host/test/test_results - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.k8s-version }}-${{matrix.focus}} - path: | - 
cilium-sysdump-*.zip - bugtool-*.tar.gz - test_results-*.tar.gz - - - name: Fetch JUnits - if: ${{ always() && steps.run-tests.outcome != 'skipped' }} - shell: bash - run: | - mkdir -p cilium-junits - cd test/ - junit_filename="${{ env.job_name }}.xml" - for filename in *.xml; do cp "$(unknown)" "../cilium-junits/${junit_filename}"; done; - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.k8s-version }}-${{matrix.focus}} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Determine final commit status - id: commit-status - shell: bash - run: | - # When one of the prerequisites of setup-and-test fails, then that - # job gets skipped. Let's convert the status so that we correctly - # report that as a proper failure. 
- if [ "${{ needs.setup-and-test.result }}" != "skipped" ]; then - echo "status=${{ needs.setup-and-test.result }}" >> $GITHUB_OUTPUT - else - echo "status=failure" >> $GITHUB_OUTPUT - fi - - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ steps.commit-status.outputs.status }} diff --git a/.github/workflows/conformance-gke.yaml b/.github/workflows/conformance-gke.yaml deleted file mode 100644 index acbe31b3d7a3d..0000000000000 --- a/.github/workflows/conformance-gke.yaml +++ /dev/null 
@@ -1,400 +0,0 @@ -name: Conformance GKE (ci-gke) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - # To be able to request the JWT from GitHub's OIDC provider - id-token: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - USE_GKE_GCLOUD_AUTH_PLUGIN: True - # renovate: datasource=docker depName=google/cloud-sdk - gcloud_version: 486.0.0 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - empty: ${{ steps.set-matrix.outputs.empty }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/gke" - destination_directory="/tmp/generated/gke" - mkdir -p "${destination_directory}" - - ls ${work_dir}/*.yaml | grep -v 'schema\|classic' | while read file;do - filename=$(basename "$file") - new_filename="${filename%.yaml}.json" - yq -o=json "${file}" | jq . 
> "${destination_directory}/${new_filename}" - done - - # Merge 2 files into one - jq -s "add" ${destination_directory}/*.json > "${destination_directory}/gke.json" - - - name: Generate Matrix - run: | - cd /tmp/generated/gke - - # Use complete matrix in case of scheduled run - # main -> event_name = schedule - # other stable branches -> PR-number starting with v (e.g. v1.14) - if [[ "${{ github.event_name }}" == "schedule" || "${{ inputs.PR-number }}" == v* ]];then - cp gke.json /tmp/matrix.json - else - jq '{ "k8s": [ .k8s[] | select(.default) ], "config": .config}' gke.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - - - name: Set up gcloud credentials - id: 'auth' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: ${{ secrets.GCP_PR_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PR_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: ${{ secrets.GCP_PROJECT_ID }} - version: ${{ env.gcloud_version }} - - - name: Filter Matrix - id: set-matrix - run: | - cp /tmp/matrix.json /tmp/result.json - jq -c '.k8s[]' /tmp/matrix.json | while read i; do - VERSION=$(echo $i | jq -r '.version') - ZONE=$(echo $i | jq -r '.zone') - gcloud --quiet container get-server-config \ - --flatten="channels" --filter="channels.channel=REGULAR" \ - --format="yaml(channels.validVersions)" --zone $ZONE > /tmp/output - if grep -q -F $VERSION /tmp/output; then - echo "Version $VERSION is valid for zone $ZONE" - else - echo "::notice::Removing version $VERSION as it's not valid for zone $ZONE" - jq 'del(.k8s[] | select(.version == "'$VERSION'"))' /tmp/result.json > /tmp/result.json.tmp - mv /tmp/result.json.tmp /tmp/result.json - fi - done - echo "Filtered matrix:" - cat /tmp/result.json - - echo 
"matrix=$(jq -c . < /tmp/result.json)" >> $GITHUB_OUTPUT - echo "empty=$(jq '(.k8s | length) == 0' /tmp/result.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - if: ${{ needs.generate-matrix.outputs.empty == 'false' }} - runs-on: ubuntu-latest - timeout-minutes: 75 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=cluster.name=${{ env.clusterName }}-${{ matrix.config.index }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=agentNotReadyTaintKey=ignore-taint.cluster-autoscaler.kubernetes.io/cilium-agent-not-ready \ - --helm-set loadBalancer.l7.backend=envoy \ - --helm-set tls.secretsBackend=k8s \ - --wait=false" - - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \ - --external-target google.com. 
--external-cidr 8.0.0.0/8 --external-ip 8.8.8.8 --external-other-ip 8.8.4.4" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo hubble_enable_defaults=${HUBBLE_ENABLE_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Set up gcloud credentials - id: 'auth' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - workload_identity_provider: ${{ secrets.GCP_PR_WORKLOAD_IDENTITY_PROVIDER }} - service_account: ${{ secrets.GCP_PR_SA }} - create_credentials_file: true - export_environment_variables: true - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 - with: - project_id: ${{ secrets.GCP_PROJECT_ID }} - version: ${{ env.gcloud_version }} - - - name: Install gke-gcloud-auth-plugin - run: | - gcloud components install gke-gcloud-auth-plugin - - - name: Display gcloud CLI info - run: | - gcloud info - - - name: Create GKE cluster - run: | - gcloud container clusters create ${{ env.clusterName }}-${{ matrix.config.index }} \ - --labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name }},owner=${{ steps.vars.outputs.owner }}" \ - --zone ${{ matrix.k8s.zone }} \ - --cluster-version ${{ matrix.k8s.version }} \ - --enable-ip-alias \ - --create-subnetwork="range=/26" \ - --cluster-ipv4-cidr="/21" \ - --services-ipv4-cidr="/24" \ - --image-type COS_CONTAINERD \ - --num-nodes ${{ matrix.config.nodes || 2 }} \ - --machine-type e2-custom-2-4096 \ - --disk-type pd-standard \ - --disk-size 
20GB \ - --node-taints ignore-taint.cluster-autoscaler.kubernetes.io/cilium-agent-not-ready=true:NoExecute - - - name: Get cluster credentials - run: | - gcloud container clusters get-credentials ${{ env.clusterName }}-${{ matrix.config.index }} --zone ${{ matrix.k8s.zone }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Create custom IPsec secret - if: ${{ matrix.config.type == 'ipsec' || matrix.config.type == 'tunnel-ipsec' }} - run: | - kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="15 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} ${{ matrix.config.cilium-install-opts }} - - - name: Wait for Cilium to be ready - run: | - cilium status --wait --wait-duration=10m - kubectl get pods -n kube-system - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ matrix.k8s.version }}, ${{ matrix.config.index }}, ${{ matrix.config.type }}) - run: | - cilium connectivity test 
${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.k8s.*, ', ') }}, ${{ join(matrix.config.*, ', ') }}).xml" \ - --junit-property github_job_step="Run connectivity test (${{ matrix.k8s.version }}, ${{ matrix.config.index }}, ${{ matrix.config.type }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final-${{ matrix.k8s.version }}-${{ matrix.config.index }}-${{ matrix.config.type }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Clean up GKE - if: ${{ always() }} - run: | - while [ "$(gcloud container operations list --zone ${{ matrix.k8s.zone }} --filter="status=RUNNING AND targetLink~${{ env.clusterName }}-${{ matrix.config.index }}" --format="value(name)")" ];do - echo "cluster has an ongoing operation, waiting for all operations to finish"; sleep 15 - done - gcloud container clusters delete ${{ env.clusterName }}-${{ matrix.config.index }} --zone ${{ matrix.k8s.zone }} --quiet --async - shell: bash {0} # Disable default fail-fast behavior so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.config.index }}-${{ matrix.k8s.vmIndex }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.config.index }}-${{ matrix.k8s.vmIndex }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - 
- merge-upload: - if: ${{ always() && needs.installation-and-connectivity.result != 'skipped' }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: installation-and-connectivity - steps: - - name: Merge Sysdumps - if: ${{ needs.installation-and-connectivity.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result != 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} - - name: Set final commit status - if: ${{ needs.installation-and-connectivity.result == 'skipped' }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ github.event_name != 'schedule' && 'success' || 'failure' }} - description: 'Skipped' diff --git a/.github/workflows/conformance-ingress.yaml b/.github/workflows/conformance-ingress.yaml deleted file mode 100644 index 2e1c546268d82..0000000000000 --- a/.github/workflows/conformance-ingress.yaml +++ /dev/null 
@@ -1,332 +0,0 @@ -name: Conformance Ingress (ci-ingress) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - v1.15 - - ft/v1.15/** - - 'renovate/v1.15-**' - paths-ignore: - - 'Documentation/**' - - 'test/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - kind_config: .github/kind-config.yaml - metallb_version: 0.12.1 - timeout: 5m - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - ingress-conformance-test: - name: Ingress Conformance Test - runs-on: ubuntu-latest - timeout-minutes: 120 - strategy: - fail-fast: false - matrix: - include: - - name: Without XDP - kube-proxy-replacement: true - enable-node-port: false - bpf-lb-acceleration: disabled - loadbalancer-mode: dedicated - default-ingress-controller: false - - name: With XDP - kube-proxy-replacement: true - enable-node-port: false - bpf-lb-acceleration: native - loadbalancer-mode: dedicated - default-ingress-controller: false - - name: With Shared LB - kube-proxy-replacement: true - enable-node-port: false - bpf-lb-acceleration: disabled - loadbalancer-mode: shared - default-ingress-controller: false - - name: With Default Ingress Controller - kube-proxy-replacement: true - enable-node-port: false - bpf-lb-acceleration: disabled - loadbalancer-mode: dedicated - default-ingress-controller: true - - name: Without KPR - kube-proxy-replacement: false - enable-node-port: true - bpf-lb-acceleration: disabled - loadbalancer-mode: dedicated - default-ingress-controller: false - - steps: - - name: Checkout context ref (trusted) - uses: 
actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set image tag - id: vars - run: | - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=debug.verbose=envoy \ - --helm-set kubeProxyReplacement=${{ matrix.kube-proxy-replacement }} \ - --helm-set nodePort.enabled=${{ matrix.enable-node-port }} \ - --helm-set=ingressController.enabled=true \ - --helm-set=ingressController.loadbalancerMode=${{ matrix.loadbalancer-mode }} \ - --helm-set=ingressController.default=${{ matrix.default-ingress-controller }} \ - --helm-set=extraConfig.bpf-lb-acceleration=${{ matrix.bpf-lb-acceleration }} \ - --helm-set=l2announcements.enabled=true \ - --helm-set=devices='{eth0}'" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - examples - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ${{ env.kind_config }} - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Checkout ingress-controller-conformance - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - # Use the forked repo with retry mechanism - # Please refer to https://github.com/kubernetes-sigs/ingress-controller-conformance/pull/101 for more details. - repository: cilium/ingress-controller-conformance - path: ingress-controller-conformance - ref: 6a193b3f73d8b1201a818bb7c8f204059b064857 - persist-credentials: false - - - name: Install Ingress conformance test tool - timeout-minutes: 10 - run: | - cd ingress-controller-conformance - make build - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium to be ready - run: | - cilium status --wait - kubectl get pods -n kube-system - - - name: Install Cilium LB IPPool and L2 Announcement Policy - timeout-minutes: 10 - run: | - KIND_NET_CIDR=$(docker network inspect kind -f '{{json .IPAM.Config}}' | jq -r '.[] | select(.Subnet | test("^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+")) | .Subnet') - echo 
"KIND_NET_CIDR: $KIND_NET_CIDR" - LB_CIDR=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.200/28@") - echo "LB_CIDR: $LB_CIDR" - echo "Deploying LB-IPAM Pool..." - cat << EOF > pool.yaml - apiVersion: "cilium.io/v2alpha1" - kind: CiliumLoadBalancerIPPool - metadata: - name: "pool" - spec: - cidrs: - - cidr: "$LB_CIDR" - EOF - cat pool.yaml - kubectl apply -f pool.yaml - - echo "Deploying L2-Announcement Policy..." - cat << 'EOF' > l2policy.yaml - apiVersion: "cilium.io/v2alpha1" - kind: CiliumL2AnnouncementPolicy - metadata: - name: l2policy - spec: - loadBalancerIPs: true - interfaces: - - eth0 - nodeSelector: - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: DoesNotExist - EOF - cat l2policy.yaml - kubectl apply -f l2policy.yaml - - - name: Create sample workload - timeout-minutes: 5 - run: | - kubectl apply -n default -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml - if [ ${{ matrix.default-ingress-controller }} = "true" ]; then - # remove ingressClassName line from basic-ingress.yaml - sed -i '/ingressClassName/d' untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml - kubectl apply -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml - kubectl wait -n default --for=condition=Ready --all pod --timeout=${{ env.timeout }} - fi - - kubectl apply -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml - kubectl wait -n default --for=condition=Ready --all pod --timeout=${{ env.timeout }} - - - name: Run Sanity check (external) - timeout-minutes: 5 - run: | - lb=$(kubectl get ingress basic-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --retry-all-errors --retry-delay 5 --fail -- http://"$lb" - - # By now the service should be up, no need to do the manual retries for the second request - curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --fail -- 
http://"$lb"/details/1 - - - name: Run Sanity check (internal to NodePort) - if: ${{ matrix.kube-proxy-replacement == 'true' }} - timeout-minutes: 5 - run: | - if [ ${{ matrix.loadbalancer-mode }} = "dedicated" ]; then - node_port=$(kubectl get svc cilium-ingress-basic-ingress -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}') - else - node_port=$(kubectl get -n kube-system svc cilium-ingress -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}') - fi - docker exec -i chart-testing-control-plane curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --fail http://localhost:$node_port/details/1 - - - name: Cleanup Sanity check - timeout-minutes: 5 - run: | - # Clean up after sanity check to avoid any conflicts with the conformance test - kubectl delete -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml - kubectl delete -n default -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml - kubectl wait ingress basic-ingress --for=delete - - - name: Run Ingress conformance test - timeout-minutes: 30 - run: | - cd ingress-controller-conformance - ./ingress-controller-conformance -ingress-class cilium -wait-time-for-ingress-status 60s -wait-time-for-ready 60s -http-client-timeout 60s - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdump-out-${{ matrix.name }} - path: cilium-sysdump-out-*.zip - retention-days: 5 - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: ingress-conformance-test - runs-on: ubuntu-latest - steps: - - name: 
Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.ingress-conformance-test.result }} diff --git a/.github/workflows/conformance-ipsec-e2e.yaml b/.github/workflows/conformance-ipsec-e2e.yaml deleted file mode 100644 index b9c30d2584153..0000000000000 --- a/.github/workflows/conformance-ipsec-e2e.yaml +++ /dev/null 
@@ -1,426 +0,0 @@ -name: Conformance IPsec E2E (ci-ipsec-e2e) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - name: 'Setup & Test' - runs-on: ubuntu-latest-4cores-16gb - env: - job_name: 'Setup & Test' - strategy: - fail-fast: false - max-parallel: 16 - matrix: - include: - # See https://github.com/cilium/cilium/issues/20606 for configuration table - - - name: '1' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '4.19-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - encryption: 'ipsec' - encryption-node: 'false' - key-one: 'gcm(aes)' - key-two: 'cbc(aes)' - key-type-one: '+' - key-type-two: '+' - - - name: '2' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - encryption: 'ipsec' - encryption-node: 'false' - key-one: 'cbc(aes)' - key-two: 'cbc(aes)' - key-type-one: '+' - key-type-two: '' - - - name: '3' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - encryption: 'ipsec' - encryption-node: 'false' - endpoint-routes: 'true' - key-one: 'gcm(aes)' - key-two: 'gcm(aes)' - key-type-one: '' - 
key-type-two: '+' - - - name: '4' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.6-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'geneve' - encryption: 'ipsec' - encryption-node: 'false' - endpoint-routes: 'true' - key-one: 'cbc(aes)' - key-two: 'gcm(aes)' - key-type-one: '' - key-type-two: '' - - - name: '5' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - encryption: 'ipsec' - encryption-node: 'false' - devices: 'eth0' - key-one: 'cbc(aes)' - key-two: 'cbc(aes)' - key-type-one: '+' - key-type-two: '+' - - - name: '6' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - encryption: 'ipsec' - encryption-node: 'false' - endpoint-routes: 'true' - devices: 'eth0' - key-one: 'gcm(aes)' - key-two: 'gcm(aes)' - key-type-one: '+' - key-type-two: '+' - - timeout-minutes: 75 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - - - name: Derive Cilium installation config and junit type - id: cilium-config - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: './untrusted/install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - devices: ${{ matrix.devices }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ 
matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - ingress-controller: ${{ matrix.ingress-controller }} - misc: ${{ matrix.misc }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - binary-name: cilium-cli - binary-dir: ./ - - - name: Set Kind params - id: kind-params - shell: bash - run: | - IP_FAM="dual" - if [ "${{ matrix.ipv6 }}" == "false" ]; then - IP_FAM="ipv4" - fi - echo params="--xdp --secondary-network \"\" 3 \"\" \"\" ${{ matrix.kube-proxy }} $IP_FAM" >> $GITHUB_OUTPUT - - - name: Provision K8s on LVH VM - uses: ./.github/actions/lvh-kind - with: - test-name: e2e-conformance - kernel: ${{ matrix.kernel }} - kind-params: "${{ steps.kind-params.outputs.params }}" - kind-image: ${{ env.KIND_K8S_IMAGE }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - shell: bash - run: | - kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]' - - if [[ "${{ matrix.key-one }}" == "gcm(aes)" ]]; then - key="rfc4106(gcm(aes)) $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64) 128" - elif [[ "${{ matrix.key-one }}" == "cbc(aes)" ]]; then - key="hmac(sha256) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64) cbc(aes) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64)" - else - echo "Invalid key type"; exit 1 - fi - kubectl create -n kube-system secret generic cilium-ipsec-keys \ - --from-literal=keys="3${{ matrix.key-type-one }} ${key}" - - export CILIUM_CLI_MODE=helm - ./cilium-cli install ${{ steps.cilium-config.outputs.config }} - kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-server --timeout=300s - kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-agent --timeout=300s - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium-dbg status - - - name: Prepare the bpftrace parameters - id: bpftrace-params - run: | - CILIUM_INTERNAL_IPS=$(kubectl get ciliumnode -o jsonpath='{.items[*].spec.addresses[?(@.type=="CiliumInternalIP")].ip}') - if [[ "${{ matrix.ipv6 }}" == "false" ]]; then - 
CILIUM_INTERNAL_IPS="${CILIUM_INTERNAL_IPS// / ::1 } ::1" - fi - - echo "params=$CILIUM_INTERNAL_IPS" >> $GITHUB_OUTPUT - - - name: Start unencrypted packets check - uses: ./.github/actions/bpftrace/start - with: - script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt - args: ${{ steps.bpftrace-params.outputs.params }} "true" - - - name: Run tests (${{ join(matrix.*, ', ') }}) - shell: bash - run: | - mkdir -p cilium-junits - - ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \ - --flush-ct - - - name: Assert that no unencrypted packets are leaked - uses: ./.github/actions/bpftrace/check - - - name: Start unencrypted packets check for key rotation - uses: ./.github/actions/bpftrace/start - with: - script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt - # As we are not testing with proxy connections during key rotation, - # disable the check for proxy traffic. 
- args: ${{ steps.bpftrace-params.outputs.params }} "false" - - - name: Setup conn-disrupt-test before rotating (${{ join(matrix.*, ', ') }}) - uses: ./.github/actions/conn-disrupt-test-setup - - - name: Rotate IPsec Key (${{ join(matrix.*, ', ') }}) - uses: ./.github/actions/ipsec-key-rotate - with: - key-algo: ${{ matrix.key-two }} - key-type-one: ${{ matrix.key-type-one }} - key-type-two: ${{ matrix.key-type-two }} - - - name: Assert that no unencrypted packets are leaked during key rotation - uses: ./.github/actions/bpftrace/check - - - name: Check conn-disrupt-test after rotating (${{ join(matrix.*, ', ') }}) - uses: ./.github/actions/conn-disrupt-test-check - - - name: Start unencrypted packets check for tests - uses: ./.github/actions/bpftrace/start - with: - script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt - args: ${{ steps.bpftrace-params.outputs.params }} "true" - - - name: Run tests (${{ join(matrix.*, ', ') }}) - shell: bash - run: | - mkdir -p cilium-junits - - TEST="" - if [ "${{ matrix.key-one }}" = "gcm(aes)" ] && [ "${{ matrix.key-two }}" = "cbc(aes)" ]; then - # Until https://github.com/cilium/cilium/issues/29480 is resolved - TEST='--test "!pod-to-pod-no-frag"' - fi - - ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \ - --flush-ct $TEST - - - name: Assert that no unencrypted packets are leaked during tests - uses: ./.github/actions/bpftrace/check - - - name: Fetch artifacts - if: ${{ !success() }} - shell: bash - run: | - kubectl get pods --all-namespaces -o wide - ./cilium-cli status - mkdir -p cilium-sysdumps - ./cilium-cli sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final - - 
- name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.name }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.name }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/conformance-k8s-kind-network-policies.yaml b/.github/workflows/conformance-k8s-kind-network-policies.yaml deleted file mode 100644 index 8d8b372c0d7bc..0000000000000 --- a/.github/workflows/conformance-k8s-kind-network-policies.yaml +++ /dev/null 
@@ -1,241 +0,0 @@ -name: Conformance K8s Upstream Network - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - paths-ignore: - - 'Documentation/**' - - 'test/**' - push: - branches: - - v1.15 - - ft/v1.15/** - paths-ignore: - - 'Documentation/**' - - 'test/**' - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -env: - cluster_name: cilium-testing - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - -jobs: - kubernetes-e2e-net-conformance: - name: Installation and Conformance Test - runs-on: ubuntu-latest - timeout-minutes: 45 - strategy: - fail-fast: false - matrix: - # TODO add "dual" and "ipv6", "ipv6" fails to install cilium - ipFamily: ["ipv4"] - env: - IP_FAMILY: ${{ matrix.ipFamily }} - - steps: - - name: Checkout target branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.base_ref || github.ref }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Enable ipv4 and ipv6 forwarding - run: | - sudo sysctl -w net.ipv6.conf.all.forwarding=1 - sudo sysctl -w net.ipv4.ip_forward=1 - - - name: Set up environment (download Kubernetes dependencies) - run: | - TMP_DIR=$(mktemp -d) - # Test binaries - curl -L https://dl.k8s.io/${{ env.KIND_K8S_VERSION }}/kubernetes-test-linux-amd64.tar.gz -o ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz - tar xvzf ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz \ - --directory ${TMP_DIR} \ - --strip-components=3 kubernetes/test/bin/ginkgo kubernetes/test/bin/e2e.test - # kubectl - curl -L https://dl.k8s.io/${{ env.KIND_K8S_VERSION }}/bin/linux/amd64/kubectl -o ${TMP_DIR}/kubectl - # kind - curl -Lo ${TMP_DIR}/kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64 - # Install - sudo cp ${TMP_DIR}/ginkgo 
/usr/local/bin/ginkgo - sudo cp ${TMP_DIR}/e2e.test /usr/local/bin/e2e.test - sudo cp ${TMP_DIR}/kubectl /usr/local/bin/kubectl - sudo cp ${TMP_DIR}/kind /usr/local/bin/kind - sudo chmod +x /usr/local/bin/* - sudo rm -rf ${TMP_DIR} - - - name: Create multi node cluster - run: | - cat <> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - id: install-cilium - run: | - cilium install --wait ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Run Kubernetes sig-network conformance test - run: | - # output_dir - mkdir -p _artifacts - - # get kubeconfig to pass to the e2e binary - kind get kubeconfig --name ${{ env.cluster_name }} > _artifacts/kubeconfig.conf - - # Kubernetes e2e tests use ginkgo and tags to select the tests that should run based on two regex, focus and skip: - # Focus tests: - # \[Conformance\]|\[sig-network\]: Conformance tests are defined by the project to guarantee a consistent behaviour and some mandatory features on all clusters - # sig-network tests are defined by sig-networkto guarantee a consistent behaviour on all the the k8s network implementations - # Skipped tests: - # Disruptive|Serial : require to run in serial and perform disruptive 
operations on clusters (reboots, ...) - # Federation|PerformanceDNS : unrelated sig-network tests - # Feature : skip features that are not GA, however, some of them should be enabled, per example [Feature:ProxyTerminatingEndpoints] - # DualStack : only with dualstack clusters - # KubeProxy|kube-proxy : kube-proxy specifics - # LoadBalancer|GCE|ExternalIP : require a cloud provider, some of them are GCE specifics - # Aggregator : Flaky, https://github.com/cilium/cilium/issues/24622. - # same.port.number.but.different.protocols|HostPort|should.serve.endpoints.on.same.port.and.different.protocols : #9207 - # rejected : Kubernetes expect Services without endpoints associated to REJECT the connection to notify the client, Cilium silently drops the packet - # externalTrafficPolicy : needs investigation - - # Run tests - export KUBERNETES_CONFORMANCE_TEST='y' - export E2E_REPORT_DIR=${PWD}/_artifacts - /usr/local/bin/ginkgo --nodes=5 \ - --focus="(HostPort.*\[Conformance\].*|Services.*\[Conformance\].*|Net.*ol.*)" \ - --skip="(Legacy|HostPort.validates.that.there.is.no.conflict.between.pods.with.same.hostPort.but.different.hostIP.and.protocol|should.allow.egress.access.to.server.in.CIDR.block|should.enforce.except.clause.while.egress.access.to.server.in.CIDR.block|should.ensure.an.IP.overlapping.both.IPBlock.CIDR.and.IPBlock.Except.is.allowed|Feature:SCTPConnectivity|should.serve.endpoints.on.same.port.and.different.protocols)" \ - /usr/local/bin/e2e.test \ - -- \ - --kubeconfig=${PWD}/_artifacts/kubeconfig.conf \ - --provider=local \ - --dump-logs-on-failure=true \ - --report-dir=${E2E_REPORT_DIR} \ - --disable-log-dump=true - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final - /usr/local/bin/kind export logs --name ${{ env.cluster_name }} --loglevel=debug ./_artifacts/logs - shell: bash 
{0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload cluster logs - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: kind-logs - path: ./_artifacts/logs - retention-days: 5 - - - name: Upload Kubernetes e2e Junit Reports - if: ${{ success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4 - with: - name: kubernetes-e2e-junit - path: './_artifacts/*.xml' - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "_artifacts" diff --git a/.github/workflows/conformance-k8s-kind.yaml b/.github/workflows/conformance-k8s-kind.yaml deleted file mode 100644 index 88cdfa3f49332..0000000000000 --- a/.github/workflows/conformance-k8s-kind.yaml +++ /dev/null 
@@ -1,241 +0,0 @@ -name: Conformance K8s Kind - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - paths-ignore: - - 'Documentation/**' - - 'test/**' - push: - branches: - - v1.15 - - ft/v1.15/** - paths-ignore: - - 'Documentation/**' - - 'test/**' - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -env: - cluster_name: cilium-testing - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - -jobs: - kubernetes-e2e: - name: Installation and Conformance Test - runs-on: ubuntu-latest - timeout-minutes: 45 - strategy: - fail-fast: false - matrix: - # TODO add "dual" and "ipv6", "ipv6" fails to install cilium - ipFamily: ["ipv4"] - env: - IP_FAMILY: ${{ matrix.ipFamily }} - - steps: - - name: Checkout target branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.base_ref || github.ref }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Enable ipv4 and ipv6 forwarding - run: | - sudo sysctl -w net.ipv6.conf.all.forwarding=1 - sudo sysctl -w net.ipv4.ip_forward=1 - - - name: Set up environment (download Kubernetes dependencies) - run: | - TMP_DIR=$(mktemp -d) - # Test binaries - curl -L https://dl.k8s.io/${{ env.KIND_K8S_VERSION }}/kubernetes-test-linux-amd64.tar.gz -o ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz - tar xvzf ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz \ - --directory ${TMP_DIR} \ - --strip-components=3 kubernetes/test/bin/ginkgo kubernetes/test/bin/e2e.test - # kubectl - curl -L https://dl.k8s.io/${{ env.KIND_K8S_VERSION }}/bin/linux/amd64/kubectl -o ${TMP_DIR}/kubectl - # kind - curl -Lo ${TMP_DIR}/kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64 - # Install - sudo cp ${TMP_DIR}/ginkgo /usr/local/bin/ginkgo - sudo cp 
${TMP_DIR}/e2e.test /usr/local/bin/e2e.test - sudo cp ${TMP_DIR}/kubectl /usr/local/bin/kubectl - sudo cp ${TMP_DIR}/kind /usr/local/bin/kind - sudo chmod +x /usr/local/bin/* - sudo rm -rf ${TMP_DIR} - - - name: Create multi node cluster - run: | - cat <> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - id: install-cilium - run: | - cilium install --wait ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Run Kubernetes sig-network conformance test - run: | - # output_dir - mkdir -p _artifacts - - # get kubeconfig to pass to the e2e binary - kind get kubeconfig --name ${{ env.cluster_name }} > _artifacts/kubeconfig.conf - - # Kubernetes e2e tests use ginkgo and tags to select the tests that should run based on two regex, focus and skip: - # Focus tests: - # \[Conformance\]|\[sig-network\]: Conformance tests are defined by the project to guarantee a consistent behaviour and some mandatory features on all clusters - # sig-network tests are defined by sig-networkto guarantee a consistent behaviour on all the the k8s network implementations - # Skipped tests: - # Disruptive|Serial : require to run in serial and perform disruptive operations on clusters (reboots, ...) 
- # Federation|PerformanceDNS : unrelated sig-network tests - # Feature : skip features that are not GA, however, some of them should be enabled, per example [Feature:ProxyTerminatingEndpoints] - # DualStack : only with dualstack clusters - # KubeProxy|kube-proxy : kube-proxy specifics - # LoadBalancer|GCE|ExternalIP : require a cloud provider, some of them are GCE specifics - # Netpol|NetworkPolicy : network policies, demand significant resources and use to be slow, better to run in a different job - # Aggregator : Flaky, https://github.com/cilium/cilium/issues/24622. - # same.port.number.but.different.protocols|HostPort|should.serve.endpoints.on.same.port.and.different.protocols : #9207 - # rejected : Kubernetes expect Services without endpoints associated to REJECT the connection to notify the client, Cilium silently drops the packet - # externalTrafficPolicy : needs investigation - - # Run tests - export KUBERNETES_CONFORMANCE_TEST='y' - export E2E_REPORT_DIR=${PWD}/_artifacts - /usr/local/bin/ginkgo --nodes=25 \ - --focus="\[Conformance\]|\[sig-network\]" \ - --skip="Feature|Federation|PerformanceDNS|DualStack|Disruptive|Serial|KubeProxy|kube-proxy|ExternalIP|LoadBalancer|GCE|Netpol|NetworkPolicy|Aggregator|rejected|externalTrafficPolicy|HostPort|same.port.number.but.different.protocols|should.serve.endpoints.on.same.port.and.different.protocols" \ - /usr/local/bin/e2e.test \ - -- \ - --kubeconfig=${PWD}/_artifacts/kubeconfig.conf \ - --provider=local \ - --dump-logs-on-failure=true \ - --report-dir=${E2E_REPORT_DIR} \ - --disable-log-dump=true - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final - /usr/local/bin/kind export logs --name ${{ env.cluster_name }} --loglevel=debug ./_artifacts/logs - shell: bash {0} # Disable default fail-fast behaviour so that all commands run 
independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload cluster logs - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: kind-logs - path: ./_artifacts/logs - retention-days: 5 - - - name: Upload Kubernetes e2e Junit Reports [junit] - if: ${{ success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4 - with: - name: kubernetes-e2e-junit - path: './_artifacts/*.xml' - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "_artifacts" diff --git a/.github/workflows/conformance-k8s-network-policies.yaml b/.github/workflows/conformance-k8s-network-policies.yaml deleted file mode 100644 index d9a00986d10e6..0000000000000 --- a/.github/workflows/conformance-k8s-network-policies.yaml +++ /dev/null 
@@ -1,151 +0,0 @@ -name: Cyclonus Network Policy Test - -on: - push: - branches: - - v1.15 - - ft/v1.15/** - paths-ignore: - - 'Documentation/**' - -permissions: read-all - -env: - cilium_cli_ci_version: - KIND_CONFIG: .github/kind-config.yaml - CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check.yaml - TIMEOUT: 2m - LOG_TIME: 30m - -jobs: - preflight-clusterrole: - name: Preflight Clusterrole Check - runs-on: ubuntu-latest - steps: - - name: Checout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Check pre-flight clusterrole - run: | - cd install/kubernetes/cilium/templates - echo "Checking for differences between preflight and agent clusterrole" - diff \ - -I '^[ ]\{2\}name: cilium.*' \ - -I '^Keep file in sync with.*' \ - -I '^ {{- with .Values.annotations }}$' \ - -I '^ {{- with .Values.preflight.annotations }}$' \ - -I '{{- if.*' \ - cilium-agent/clusterrole.yaml \ - cilium-preflight/clusterrole.yaml - - cyclonus-test: - name: Cyclonus Test - runs-on: ubuntu-latest - steps: - - name: Checkout target branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.base_ref || github.ref }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - - name: Precheck generated connectivity manifest files - run: | - make -C examples/kubernetes/connectivity-check fmt - make -C examples/kubernetes/connectivity-check all - test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1) - - - name: Set image tag - id: vars - run: | - if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then - echo tag=${{ 
github.event.pull_request.head.sha }} >> $GITHUB_OUTPUT - else - echo tag=${{ github.sha }} >> $GITHUB_OUTPUT - fi - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.tag }} &> /dev/null; do sleep 45s; done - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator-generic-ci:${{ steps.vars.outputs.tag }} &> /dev/null; do sleep 45s; done - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ${{ env.KIND_CONFIG }} - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Install cilium chart - id: install-cilium - run: | - helm install cilium ./install/kubernetes/cilium \ - --wait \ - --namespace kube-system \ - --set nodeinit.enabled=true \ - --set kubeProxyReplacement=false \ - --set socketLB.enabled=false \ - --set externalIPs.enabled=true \ - --set nodePort.enabled=true \ - --set hostPort.enabled=true \ - --set bpf.masquerade=false \ - --set ipam.mode=kubernetes \ - --set image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - --set image.tag=${{ steps.vars.outputs.tag }} \ - --set image.pullPolicy=IfNotPresent \ - --set image.useDigest=false \ - --set operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - --set operator.image.suffix=-ci \ - --set operator.image.tag=${{ steps.vars.outputs.tag }} \ - --set operator.image.pullPolicy=IfNotPresent \ - --set operator.image.useDigest=false \ - --set prometheus.enabled=true \ - --set operator.prometheus.enabled=true \ - --set hubble.enabled=true \ - --set hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}" - - kubectl wait -n kube-system --for=condition=Ready -l 
app.kubernetes.io/part-of=cilium pod --timeout=5m - kubectl rollout -n kube-system status deploy/coredns --timeout=5m - - # To make sure that cilium CRD is available (default timeout is 5m) - # https://github.com/cilium/cilium/blob/v1.15/operator/crd.go#L34 - kubectl wait --for condition=Established crd/ciliumnetworkpolicies.cilium.io --timeout=5m - - - name: Run cyclonus network policy test - working-directory: test/k8s/manifests/netpol-cyclonus - run: ./test-cyclonus.sh - - - name: Install Cilium CLI - if: ${{ failure() }} - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Report cluster failure status and capture cilium-sysdump - if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }} - run: | - echo "=== Retrieve cluster state ===" - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - - - name: Upload cilium-sysdump - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - if: ${{ failure() }} - with: - name: cilium-sysdump-out.zip - path: cilium-sysdump-out.zip diff --git a/.github/workflows/conformance-kind-proxy-daemonset.yaml b/.github/workflows/conformance-kind-proxy-daemonset.yaml deleted file mode 100644 index 74189f61aaa93..0000000000000 --- a/.github/workflows/conformance-kind-proxy-daemonset.yaml +++ /dev/null 
@@ -1,152 +0,0 @@ -name: Conformance Kind Envoy DaemonSet - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - paths-ignore: - - 'Documentation/**' - - 'test/**' - push: - branches: - - v1.15 - - ft/v1.15/** - paths-ignore: - - 'Documentation/**' - - 'test/**' - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -env: - kind_config: .github/kind-config.yaml - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - -jobs: - installation-and-connectivity: - name: "Installation and Connectivity Test" - runs-on: ubuntu-latest - timeout-minutes: 45 - env: - job_name: "Installation and Connectivity Test" - steps: - - name: Checkout target branch to access local actions - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.base_ref || github.ref }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ github.event.pull_request.head.sha }} - - - name: Set up job variables - id: vars - run: | - # Note: On Kind, we install Cilium with HostPort (portmap CNI chaining) enabled, - # to ensure coverage of that feature in cilium connectivity test - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=hubble.relay.enabled=true - --helm-set=cni.chainingMode=portmap \ - --helm-set-string=kubeProxyReplacement=true \ - --helm-set=loadBalancer.l7.backend=envoy \ - --helm-set=tls.secretsBackend=k8s \ - --helm-set=envoy.enabled=true \ - --wait=false" - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo 
connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ${{ env.kind_config }} - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }}.xml" --junit-property github_job_step="Run connectivity test" - - - name: Post-test information 
gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" diff --git a/.github/workflows/conformance-multi-pool.yaml b/.github/workflows/conformance-multi-pool.yaml deleted file mode 100644 index aabf32ef4504a..0000000000000 --- a/.github/workflows/conformance-multi-pool.yaml +++ /dev/null 
@@ -1,281 +0,0 @@ -name: Conformance Multi Pool IPAM (ci-multi-pool) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - v1.15 - - ft/v1.15/** - - 'renovate/v1.15-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - kind_config: .github/kind-config.yaml - timeout: 5m - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - multi-pool-ipam-conformance-test: - name: Install and Connectivity Test - runs-on: ubuntu-latest - timeout-minutes: 120 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - CONTEXT_REF="${{ inputs.context-ref }}" - OWNER="${{ inputs.PR-number }}" - else - CONTEXT_REF="${{ github.sha }}" - OWNER="${{ github.ref_name }}" - OWNER="${OWNER//[.\/]/-}" - fi - - echo sha=${{ 
steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo context-ref=${CONTEXT_REF} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - # Notes: - # - Multi-pool IPAM only supports direct routing, thus we disable - # tunnel mode and enable auto-direct-routes. - # - Multi-pool IPAM only supports endpoint routes, thus we disable - # the local-node-route. - # - helm/kind-action does not support BPF host routing, so we fall - # back on legacy host routing (#23283) - # - iptables-based masquerading does not support multiple non-masquerade - # CIDRs. Thus, we enable BPF masquerading where we can add multiple - # non-masquerade CIDRs. - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=autoDirectNodeRoutes=true \ - --helm-set=routingMode=native \ - --helm-set=endpointRoutes.enabled=true \ - --helm-set=kubeProxyReplacement=true \ - --helm-set=bpf.masquerade=true \ - --helm-set=bpf.hostLegacyRouting=true\ - --helm-set=ipMasqAgent.enabled=true \ - --helm-set=ipMasqAgent.config.nonMasqueradeCIDRs='{10.0.0.0/8,192.168.0.0/16}' \ - --helm-set=ipam.mode=multi-pool \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.cidrs='{10.10.0.0/16}' \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.maskSize=24 \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.cidrs='{10.20.0.0/16}' \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.maskSize=24 \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.cidrs='{192.168.0.0/20}' \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.maskSize=27 \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.cidrs='{192.168.16.0/20}' \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.maskSize=27" - - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false 
--collect-sysdump-on-failure \ - --external-target bing.com. --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8 \ - --namespace-annotations='{\"ipam.cilium.io/ip-pool\":\"cilium-test-pool\"}' \ - --deployment-pod-annotations='{ \ - \"client\":{\"ipam.cilium.io/ip-pool\":\"client-pool\"}, \ - \"echo-other-node\":{\"ipam.cilium.io/ip-pool\":\"echo-other-node-pool\"} \ - }'" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted - sparse-checkout: | - install/kubernetes/cilium - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ${{ env.kind_config }} - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - id: install-cilium - run: | - CILIUM_CLI_MODE=helm cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f 
"cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} - 1.xml" --junit-property github_job_step="Run connectivity test" - - - name: Collect Pod and Pool IPs - id: ips - run: | - for pod in client client2 echo-same-node echo-other-node; do - kubectl get pod -n cilium-test -l "name=${pod}" -o jsonpath="${pod}={.items[*].status.podIP}{'\n'}" >> "$GITHUB_OUTPUT" - done - - for pool in cilium-test-pool client-pool echo-other-node-pool; do - kubectl get ciliumpodippool "${pool}" -o "jsonpath=${pool}={.spec.ipv4.cidrs[0]}{'\n'}" >> "$GITHUB_OUTPUT" - done - - - name: Validate Pod IPs - shell: python - run: | - from ipaddress import ip_address, ip_network - - assert ip_address("${{ steps.ips.outputs.client }}") in ip_network("${{ steps.ips.outputs.client-pool }}"), "client pool mismatch" - assert ip_address("${{ steps.ips.outputs.client2 }}") in ip_network("${{ steps.ips.outputs.cilium-test-pool }}"), "client2 pool mismatch" - assert ip_address("${{ steps.ips.outputs.echo-same-node }}") in ip_network("${{ steps.ips.outputs.cilium-test-pool }}"), "echo-same-node pool mismatch" - assert ip_address("${{ steps.ips.outputs.echo-other-node }}") in ip_network("${{ steps.ips.outputs.echo-other-node-pool }}"), "echo-other-node pool mismatch" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - 
name: cilium-sysdump-out.zip - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: multi-pool-ipam-conformance-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.multi-pool-ipam-conformance-test.result }} diff --git a/.github/workflows/conformance-runtime.yaml b/.github/workflows/conformance-runtime.yaml deleted file mode 100644 index 5085df06cc560..0000000000000 --- a/.github/workflows/conformance-runtime.yaml +++ /dev/null 
@@ -1,482 +0,0 @@ -name: Conformance Runtime (ci-runtime) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - v1.15 - - ft/v1.15/** - - 'renovate/v1.15-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - # Pre-build the ginkgo binary so that we don't have to build it for all - # runners. - build-ginkgo-binary: - runs-on: ubuntu-latest - name: Build Ginkgo Runtime - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - echo "sha=${SHA}" >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - # If any of these steps are modified, please update the copy of these - # steps further down under the 'setup-and-test' jobs. 
- - # Load Ginkgo build from GitHub - - name: Load ginkgo runtime from GH cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-runtime-${{ hashFiles('**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Waiting for images - timeout-minutes: 20 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - setup-and-test: - needs: build-ginkgo-binary - runs-on: - group: ginkgo-runners - name: "Runtime Test (${{matrix.focus}})" - env: - # GitHub doesn't provide a way to retrieve the name of a job, so we have - # to repeated it here. 
- job_name: "Runtime Test (${{matrix.focus}})" - strategy: - fail-fast: false - max-parallel: 3 - matrix: - focus: - - "agent" - - "datapath" - - "privileged" - - include: - ### - # RuntimeAgentChaos Cilium agent Checking for file-descriptor leak - # RuntimeAgentChaos Cilium agent removing leftover Cilium interfaces - # RuntimeAgentChaos Connectivity over restarts Checking that during restart no traffic is dropped using Egress + Ingress Traffic - # RuntimeAgentChaos Endpoint Endpoint recovery on restart - # RuntimeAgentChaos KVStore Delete event on KVStore with CIDR identities - # RuntimeAgentChaos KVStore Validate that delete events on KVStore do not release in use identities - # RuntimeAgentFQDNPolicies Can update L7 DNS policy rules - # RuntimeAgentFQDNPolicies CNAME follow - # RuntimeAgentFQDNPolicies DNS proxy policy works if Cilium stops - # RuntimeAgentFQDNPolicies Enforces L3 policy even when no IPs are inserted - # RuntimeAgentFQDNPolicies Enforces ToFQDNs policy - # RuntimeAgentFQDNPolicies Implements matchPattern: * - # RuntimeAgentFQDNPolicies Interaction with other ToCIDR rules - # RuntimeAgentFQDNPolicies Roundrobin DNS - # RuntimeAgentFQDNPolicies toFQDNs populates toCIDRSet (data from proxy) L3-dependent L7/HTTP with toFQDN updates proxy policy - # RuntimeAgentFQDNPolicies toFQDNs populates toCIDRSet (data from proxy) Policy addition after DNS lookup - # RuntimeAgentFQDNPolicies Validate dns-proxy monitor information - # RuntimeAgentFQDNPolicies With verbose policy logs Validates DNSSEC responses - # RuntimeAgentKVStoreTest KVStore tests Consul KVStore - # RuntimeAgentKVStoreTest KVStore tests Etcd KVStore - # RuntimeAgentPolicies Init Policy Default Drop Test tests egress - # RuntimeAgentPolicies Init Policy Default Drop Test tests ingress - # RuntimeAgentPolicies Init Policy Default Drop Test With PolicyAuditMode tests egress - # RuntimeAgentPolicies Init Policy Default Drop Test With PolicyAuditMode tests ingress - # RuntimeAgentPolicies Init 
Policy Test Init Egress Policy Test - # RuntimeAgentPolicies Init Policy Test Init Ingress Policy Test - # RuntimeAgentPolicies TestsEgressToHost Tests Egress To Host - # RuntimeAgentPolicies TestsEgressToHost Tests egress with CIDR+L4 policy - # RuntimeAgentPolicies TestsEgressToHost Tests egress with CIDR+L4 policy to external https service - # RuntimeAgentPolicies TestsEgressToHost Tests egress with CIDR+L7 policy - # RuntimeAgentPolicies Tests Endpoint Connectivity Functions After Daemon Configuration Is Updated - # RuntimeAgentPolicies Tests EntityNone as a deny-all - # RuntimeSSHTests Should fail when context times out - - focus: "agent" - cliFocus: "RuntimeAgent|RuntimeSSHTests" - - ### - # RuntimeDatapathConntrackInVethModeTest Conntrack-related configuration options for endpoints - # RuntimeDatapathMonitorTest With Sample Containers checks container ids match monitor output - # RuntimeDatapathMonitorTest With Sample Containers cilium-dbg monitor check --from - # RuntimeDatapathMonitorTest With Sample Containers cilium-dbg monitor check --related-to - # RuntimeDatapathMonitorTest With Sample Containers cilium-dbg monitor check --to - # RuntimeDatapathMonitorTest With Sample Containers Cilium monitor event types - # RuntimeDatapathMonitorTest With Sample Containers delivers the same information to multiple monitors - - focus: "datapath" - cliFocus: "RuntimeDatapathConntrackInVethModeTest|RuntimeDatapathMonitorTest" - - ### - # RuntimeDatapathPrivilegedUnitTests Run Tests - - focus: "privileged" - cliFocus: "RuntimeDatapathPrivilegedUnitTests" - - timeout-minutes: 40 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" 
]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - echo "sha=${SHA}" >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Provision LVH VMs - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - test-name: runtime-tests - install-dependencies: true - # renovate: datasource=docker depName=quay.io/lvh-images/kind - image-version: 6.6-20240710.064909 - host-mount: ./ - cpu: 4 - mem: 12G - - # Load Ginkgo build from GitHub - - name: Load ${{ matrix.name }} Ginkgo build from GitHub - uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-runtime-${{ hashFiles('**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Copy Ginkgo binary - shell: bash - run: | - cd test/ - tar -xf 
/tmp/.ginkgo-build/test.tgz - - - name: Setup runtime - timeout-minutes: 10 - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - mkdir -p /root/go/src/github.com/cilium/ - ln -s /host /root/go/src/github.com/cilium/cilium - mkdir -p /home/root/go/src/github.com/cilium/ - ln -s /host /home/root/go/src/github.com/cilium/cilium - cp -r /host/test/provision /tmp - git config --global --add safe.directory /host - export CILIUM_IMAGE=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.sha }} - export CILIUM_DOCKER_PLUGIN_IMAGE=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docker-plugin-ci:${{ steps.vars.outputs.sha }} - export PROVISION_EXTERNAL_WORKLOAD=false - export VMUSER=root - echo '127.0.0.1 localhost' >> /etc/hosts - echo '::1 localhost' >> /etc/hosts - /tmp/provision/runtime_install.sh - service docker restart - - - name: Runtime tests - if: ${{ matrix.focus == 'agent' || matrix.focus == 'datapath' }} - timeout-minutes: 20 - shell: bash - run: | - cat > test/cilium-ssh-config.txt << EOF - Host runtime - HostName 127.0.0.1 - User root - Port 2222 - UserKnownHostsFile /dev/null - StrictHostKeyChecking no - PasswordAuthentication no - LogLevel FATAL - EOF - cd test - export INTEGRATION_TESTS=true - ./test.test \ - --ginkgo.focus="${{ matrix.cliFocus }}" \ - --ginkgo.skip="${{ matrix.cliSkip }}" \ - --ginkgo.seed=1679952881 \ - --ginkgo.v -- \ - -cilium.provision=false \ - -cilium.image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - -cilium.tag=${{ steps.vars.outputs.sha }} \ - -cilium.operator-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - -cilium.operator-tag=${{ steps.vars.outputs.sha }} \ - -cilium.hubble-relay-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - -cilium.hubble-relay-tag=${{ steps.vars.outputs.sha }} \ - -cilium.operator-suffix=-ci \ - -cilium.SSHConfig="cat ./cilium-ssh-config.txt" - - - name: Runtime privileged tests - if: 
${{ matrix.focus == 'privileged' }} - timeout-minutes: 30 - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host - # The LVH image might ship with an arbitrary Go toolchain version, - # install the same Go toolchain version as current HEAD. - go install golang.org/dl/go${{ env.go-version }}@latest - go${{ env.go-version }} download - # Install go-junit-report to generate junit files for the - # privileged tests. - go${{ env.go-version}} install github.com/jstemmer/go-junit-report/v2@7fde4641acef5b92f397a8baf8309d1a45d608cc - export GOTEST_FORMATTER="/root/go/bin/go-junit-report -set-exit-code -iocopy -out test/runtime.xml" - make tests-privileged NO_COLOR=1 GO=go${{ env.go-version }} - - - name: Debug failure on VM - # Only debug the failure on the LVH that have Cilium running as a service, - # which is 'agent' and 'datapath' focus. - if: ${{ !success() && (matrix.focus == 'agent' || matrix.focus == 'datapath') }} - timeout-minutes: 10 - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - journalctl --no-pager -xeu cilium.service - systemctl status cilium.service - - - name: Fetch artifacts - if: ${{ !success() && (matrix.focus == 'agent' || matrix.focus == 'datapath') }} - shell: bash - run: | - tar -zcf test_results-${{ join(matrix.*, '-') }}.tar.gz ./test/test_results - - - name: Upload artifacts - if: ${{ !success() && (matrix.focus == 'agent' || matrix.focus == 'datapath') }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.focus }} - path: | - test_results-*.tar.gz - - - name: Fetch JUnits - if: ${{ always() }} - shell: bash - run: | - mkdir -p cilium-junits - cd test/ - # junit_filename needs to be the same as the Job Name presented on the - # GH web UI - In the Summary page of a workflow run, left column - # "Jobs" - so that we can map the 
junit file to the right job - step - # pair on datastudio. - junit_filename="${{ env.job_name }}.xml" - for filename in *.xml; do cp "$(unknown)" "../cilium-junits/${junit_filename}"; done; - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.focus }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml deleted file mode 100644 index 1af4bb6113b92..0000000000000 --- a/.github/workflows/documentation.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -name: Documentation Updates - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - v1.15 - - ft/v1.15/** - merge_group: - types: [checks_requested] - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }} - cancel-in-progress: ${{ !github.event.merge_group }} - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-22.04 - outputs: - docs-tree: ${{ steps.docs-tree.outputs.src }} - steps: - - name: Checkout code - if: ${{ !github.event.pull_request }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 - - name: Check code changes - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 - id: docs-tree - with: - # For `push` events, compare against the `ref` base branch - # For `pull_request` events, this is ignored and will compare against the pull request base branch - base: ${{ github.ref }} - filters: | - src: - - .github/workflows/documentation.yaml - - 'Documentation/**' - - 'bugtool/cmd/**' - - 'cilium/cmd/**' - - 'cilium-health/cmd/**' - - 'daemon/cmd/**' - - 'hubble-relay/cmd/**' - - 'install/kubernetes/**' - - 'operator/cmd/**' - - README.rst - - # Runs only if code under Documentation or */cmd/ is changed as the docs - # should be unaffected otherwise. 
- build-html: - needs: check_changes - if: ${{ needs.check_changes.outputs.docs-tree == 'true' }} - name: Validate & Build HTML - runs-on: ubuntu-22.04 - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Build HTML - uses: docker://quay.io/cilium/docs-builder:9ccbdd04a50d599e9e699face6231e59c0036a51@sha256:6d1a0eaeb32ba98b60df52c69e7c8031a38e8aa6a0d4738bef35bd48a3bfbc0e - with: - entrypoint: ./Documentation/check-build.sh - args: html - - check-generated-documentation: - name: Check generated documentation - if: ${{ github.event_name != 'merge_group' }} - runs-on: ubuntu-22.04 - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - - name: Set clang directory - id: set_clang_dir - run: echo "clang_dir=$HOME/.clang" >> $GITHUB_OUTPUT - - - name: Cache LLVM and Clang - id: cache-llvm - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - with: - path: ${{ steps.set_clang_dir.outputs.clang_dir }} - key: llvm-10.0 - - - name: Install LLVM and Clang prerequisites - run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends libtinfo5 - - - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@82fd451e4380968e8336eefc5b8b9292a619de01 # v2.0.3 - with: - version: "10.0" - directory: ${{ steps.set_clang_dir.outputs.clang_dir }} - cached: ${{ steps.cache-llvm.outputs.cache-hit }} - - # Building Cilium as precondition to generate documentation artifacts. - - name: Build Cilium - run: | - make -C Documentation cilium-build - - - name: Check generated documentation - run: | - SKIP_BUILD=true make -C Documentation check 
diff --git a/.github/workflows/external-contribution-labeler.yaml b/.github/workflows/external-contribution-labeler.yaml deleted file mode 100644 index 57adb6a2bd9df..0000000000000 --- a/.github/workflows/external-contribution-labeler.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -name: PR from External Contribution Detector - -on: - pull_request_target: - types: - - opened - - reopened - -jobs: - labeler: - if: | - ( - (github.event.pull_request.author_association != 'OWNER') && - (github.event.pull_request.author_association != 'COLLABORATOR') && - (github.event.pull_request.author_association != 'MEMBER') - ) - runs-on: ubuntu-latest - name: Label PRs - permissions: - pull-requests: write - steps: - # Detect if the secret 'CHECK_TEAM_ORG_APP_ID' is set. If it's not set, don't - # bother running this GH workflow. - - name: Check if CHECK_TEAM_ORG_APP_ID is set in github secrets - id: check_secret - run: | - echo "is_CHECK_TEAM_ORG_APP_ID_set: ${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}" - echo is_CHECK_TEAM_ORG_APP_ID_set="${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}" >> $GITHUB_OUTPUT - - - name: Get token - # Get a token with the read:org permissions so that the GH action - # can read the team membership for a user. We need to do this over a - # GH app because GH actions don't have support for these type of - # permissions. 
- if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }} - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.CHECK_TEAM_ORG_PEM }} - APP_ID: ${{ secrets.CHECK_TEAM_ORG_APP_ID }} - - - name: Check author association - if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }} - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - id: author_association - # https://docs.github.com/en/rest/orgs/members?apiVersion=2022-11-28#check-organization-membership-for-a-user - with: - github-token: ${{ steps.get_token.outputs.app_token }} - script: | - try { - const result = await github.rest.orgs.checkMembershipForUser({ - org: "${{ github.repository_owner }}", - username: "${{github.event.pull_request.user.login}}", - }) - return result.status == 204; - } catch { - return false; - } - - - name: Print author association - if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }} - run: | - echo author_association_from_event=${{ github.event.pull_request.author_association }} - echo author_association_from_api=${{ steps.author_association.outputs.result }} - - - name: Set label - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' && steps.author_association.outputs.result != 'true' }} - with: - script: | - github.rest.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ["kind/community-contribution"] - }) diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml deleted file mode 100644 index e568bd3bcc221..0000000000000 --- a/.github/workflows/integration-test.yaml +++ /dev/null 
@@ -1,168 +0,0 @@ -name: Integration Tests (ci-integration) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - v1.15 - - ft/v1.15/** - - 'renovate/v1.15-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - integration-test: - name: Integration Test - strategy: - fail-fast: false - matrix: - arch: [ubuntu-22.04, ubuntu-22.04-arm64] - runs-on: ${{ matrix.arch }} - timeout-minutes: 45 - steps: - - name: Install Dependencies - shell: bash - run: | - sudo apt update && sudo apt install -y --no-install-recommends build-essential make libncurses5 - - - name: Install Docker (arm64) - if: ${{ matrix.arch == 'ubuntu-22.04-arm64' }} - shell: bash - run: | - # Add Docker's official GPG key: - sudo apt-get update - sudo apt-get install ca-certificates curl - sudo install -m 0755 -d /etc/apt/keyrings - sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc - sudo chmod a+r /etc/apt/keyrings/docker.asc - - # Add the repository to Apt sources: - echo \ - "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ - $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" | \ - sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - sudo apt-get update - sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y - sudo usermod -aG docker $USER - sudo apt-get install acl - sudo setfacl --modify user:$USER:rw /var/run/docker.sock - - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set image tag - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - - name: Prepare environment - timeout-minutes: 15 - run: | - ./.github/actions/unit-tests/prepare.sh - - - name: Run integration tests - timeout-minutes: 60 - run: | - export PATH=/usr/local/clang/bin:$PATH - export V=0 - export DOCKER_BUILD_FLAGS=--quiet - ./.github/actions/unit-tests/build.sh - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: integration-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ 
needs.integration-test.result }} diff --git a/.github/workflows/lint-bpf-checks.yaml b/.github/workflows/lint-bpf-checks.yaml deleted file mode 100644 index 6cf6be07dfa2a..0000000000000 --- a/.github/workflows/lint-bpf-checks.yaml +++ /dev/null 
@@ -1,150 +0,0 @@ -name: BPF Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - v1.15 - - ft/v1.15/** - merge_group: - types: [checks_requested] - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }} - cancel-in-progress: ${{ !github.event.merge_group }} - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-latest - outputs: - bpf-tree: ${{ steps.changes.outputs.bpf-tree }} - coccinelle: ${{ steps.changes.outputs.coccinelle }} - bpf-tests-runner: ${{ steps.changes.outputs.bpf-tests-runner }} - workflow-description: ${{ steps.changes.outputs.workflow-description }} - steps: - - name: Checkout code - if: ${{ !github.event.pull_request }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 - - name: Check code changes - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 - id: changes - with: - # For `push` events, compare against the `ref` base branch - # For `pull_request` events, this is ignored and will compare against the pull request base branch - base: ${{ github.ref }} - filters: | - bpf-tree: - - 'bpf/**' - coccinelle: - - 'contrib/coccinelle/**' - bpf-tests-runner: - - 'bpf/tests/bpftest/**' - - 'pkg/bpf/**' - workflow-description: - - '.github/workflows/lint-bpf-checks.yaml' - - checkpatch: - name: Check Patch - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 - - name: Run checkpatch.pl - run: | - make -C bpf checkpatch || (echo "Run 'make -C bpf checkpatch' locally to investigate reports"; exit 1) - - # Runs only if code under bpf/ or contrib/coccinnelle/ is changed. 
- coccicheck: - needs: check_changes - if: ${{ needs.check_changes.outputs.bpf-tree == 'true' || needs.check_changes.outputs.coccinelle == 'true' || needs.check_changes.outputs.workflow-description == 'true' }} - name: Run coccicheck - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Run coccicheck - uses: docker://cilium/coccicheck:2.4@sha256:24abe3fbb8e829fa41a68a3b76cb4df84fd5a87a7d1d6254c1c1fe5effb5bd1b - with: - entrypoint: ./contrib/coccinelle/check-cocci.sh - # Note: Setting COCCINELLE_HOME can be removed, here and in the - # messages in the .cocci files, next time we upgrade coccinelle. - # The issue was fixed, after v1.1.1 that we're using, in - # https://gitlab.inria.fr/coccinelle/coccinelle/-/commit/540888ff426e. - env: - COCCINELLE_HOME: /usr/local/lib/coccinelle - - set_clang_dir: - name: Set clang directory - runs-on: ubuntu-latest - outputs: - clang_dir: ${{ steps.set_dir.outputs.clang_dir }} - steps: - - name: Set directory - id: set_dir - run: echo "clang_dir=$HOME/.clang" >> $GITHUB_OUTPUT - - # Runs only if code under bpf/ is changed. 
- build_all: - needs: [check_changes, set_clang_dir] - if: ${{ needs.check_changes.outputs.bpf-tree == 'true' || needs.check_changes.outputs.workflow-description == 'true' }} - name: Build Datapath - runs-on: ubuntu-22.04 - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - name: Cache LLVM and Clang - id: cache-llvm - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - with: - path: ${{ needs.set_clang_dir.outputs.clang_dir }} - key: llvm-10.0 - - name: Install LLVM and Clang prerequisites - run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends libtinfo5 - - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@82fd451e4380968e8336eefc5b8b9292a619de01 # v2.0.3 - with: - version: "10.0" - directory: ${{ needs.set_clang_dir.outputs.clang_dir }} - cached: ${{ steps.cache-llvm.outputs.cache-hit }} - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 - - name: Build all BPF datapath permutations - env: - V: 0 - run: | - make --quiet -C bpf build_all || (echo "Run 'make -C bpf build_all' locally to investigate build breakages"; exit 1) - - bpf_tests: - needs: [check_changes, set_clang_dir] - if: ${{ needs.check_changes.outputs.bpf-tree == 'true' || needs.check_changes.outputs.bpf-tests-runner == 'true' || needs.check_changes.outputs.workflow-description == 'true' }} - name: BPF unit/integration Tests - runs-on: ubuntu-22.04 - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - fetch-depth: 0 - - name: Run BPF tests - run: | - make run_bpf_tests || (echo "Run 'make run_bpf_tests' locally to investigate failures"; exit 1) 
diff --git a/.github/workflows/lint-build-commits.yaml b/.github/workflows/lint-build-commits.yaml
deleted file mode 100644
index f6efac9292954..0000000000000
--- a/.github/workflows/lint-build-commits.yaml
+++ /dev/null
@@ -1,114 +0,0 @@ -name: Build Commits - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} - cancel-in-progress: true - -jobs: - build_commits: - name: Check if build works for every commit - runs-on: ubuntu-22.04 - timeout-minutes: 180 - steps: - - name: Configure git - run: | - git config --global user.name "GitHub Actions" - git config --global user.email "github-actions@users.noreply.github.com" - - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - - name: Set clang directory - id: set_clang_dir - run: echo "clang_dir=$HOME/.clang" >> $GITHUB_OUTPUT - - - name: Cache LLVM and Clang - id: cache-llvm - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - with: - path: ${{ steps.set_clang_dir.outputs.clang_dir }} - key: llvm-10.0 - - - name: Install LLVM and Clang prerequisites - run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends libtinfo5 - - - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@82fd451e4380968e8336eefc5b8b9292a619de01 # v2.0.3 - with: - version: "10.0" - directory: ${{ steps.set_clang_dir.outputs.clang_dir }} - cached: ${{ steps.cache-llvm.outputs.cache-hit }} - - - name: Install ginkgo - run: | - go install github.com/onsi/ginkgo/ginkgo@cc0216944b25a88d3259699a029d4e601fb8a222 # v1.12.1 - - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 - - - name: Check if build works for every commit - run: | - set -eu -o pipefail - COMMITS=$(git rev-list ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}) - for commit in $COMMITS 
; do - git checkout $commit || exit 1 - make build -j $(nproc) || exit 1 - done - - - name: Check bpf code changes - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 - id: bpf-tree - with: - filters: | - src: - - 'bpf/**' - - # Runs only if code under bpf/ is changed. - - name: Check if datapath build works for every commit - if: steps.bpf-tree.outputs.src == 'true' - run: | - set -eu -o pipefail - COMMITS=$(git rev-list ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}) - for commit in $COMMITS ; do - git checkout $commit || exit 1 - make -C bpf build_all -j $(nproc) || exit 1 - done - - - name: Check test code changes - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 - id: test-tree - with: - filters: | - src: - - 'pkg/**' - - 'test/**' - - # Runs only if code under test/ is changed. - - name: Check if ginkgo test suite build works for every commit - if: steps.test-tree.outputs.src == 'true' - run: | - set -eu -o pipefail - COMMITS=$(git rev-list ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}) - for commit in $COMMITS ; do - git checkout $commit || exit 1 - (make -C test build -j $(nproc) && make -C test build-darwin -j $(nproc)) || exit 1 - done - - - name: Failed commit during the build - if: ${{ failure() }} - run: git --no-pager log --format=%B -n 1 diff --git a/.github/workflows/lint-go.yaml b/.github/workflows/lint-go.yaml deleted file mode 100644 index 683e9150bf2c2..0000000000000 --- a/.github/workflows/lint-go.yaml +++ /dev/null 
@@ -1,129 +0,0 @@ -name: Go Related Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - v1.15 - - ft/v1.15/** - # Add this workflow to be triggered by merge queue events - merge_group: - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }} - cancel-in-progress: ${{ !github.event.merge_group }} - -jobs: - go-mod: - name: Check Go Modules - runs-on: ubuntu-latest - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Check module vendoring - run: | - go mod tidy - go mod vendor - test -z "$(git status --porcelain)" || (echo "please run 'go mod tidy && go mod vendor', and submit your changes"; exit 1) - - golangci: - name: Lint Source Code - runs-on: ubuntu-latest - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: Run golangci-lint - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 - with: - # renovate: datasource=docker depName=golangci/golangci-lint - version: v1.55.2 - skip-cache: true - args: "--out-${NO_FUTURE}format colored-line-number --verbose --modules-download-mode=vendor" - - precheck: - runs-on: ubuntu-latest - name: Precheck - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: 
datasource=golang-version depName=go - go-version: 1.22.6 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - name: Go code prechecks - run: | - cd src/github.com/cilium/cilium - make precheck - - generate-api: - runs-on: ubuntu-latest - name: Generate API - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - name: Check api generated files - run: | - cd src/github.com/cilium/cilium - contrib/scripts/check-api-code-gen.sh - - generate-k8s-api: - runs-on: ubuntu-latest - name: Generate k8s API - steps: - - name: Install Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - name: Install protobuf dependencies - env: - PROTOBUF_VERSION: 3.12.4 - run: | - curl -Lo protoc-$PROTOBUF_VERSION-linux-x86_64.zip https://github.com/protocolbuffers/protobuf/releases/download/v$PROTOBUF_VERSION/protoc-$PROTOBUF_VERSION-linux-x86_64.zip - unzip protoc-$PROTOBUF_VERSION-linux-x86_64.zip - sudo chmod +x bin/protoc && sudo cp bin/protoc /usr/local/bin - - 
name: Check k8s generated files
- run: |
- # Set GOBIN to ensure 'go install' binaries end up in the same directory
- # as the one actions/setup-go adds to PATH, regardless of GOPATH.
- export GOBIN="$HOME/go/bin"
-
- cd src/github.com/cilium/cilium
- contrib/scripts/check-k8s-code-gen.sh
diff --git a/.github/workflows/lint-images-base.yaml b/.github/workflows/lint-images-base.yaml
deleted file mode 100644
index 6a06f87dc8606..0000000000000
--- a/.github/workflows/lint-images-base.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-name: Base Image Lint
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- pull_request:
- types:
- - opened
- - synchronize
- - reopened
- push:
- branches:
- - v1.15
- - ft/v1.15/**
-
-permissions: read-all
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
- cancel-in-progress: true
-
-jobs:
- lint:
- name: Lint image build logic
- runs-on: ubuntu-22.04
- steps:
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
-
- - uses: docker://quay.io/cilium/image-maker:7de7f1c855ce063bdbe57fdfb28599a3ad5ec8f1@sha256:dde8500cbfbb6c41433d376fdfcb3831e2df9cec50cf4f49e8553dc6eba74e72
- name: Run make lint
- with:
- entrypoint: make
- args: -C images lint
-
- - uses: docker://quay.io/cilium/image-maker:7de7f1c855ce063bdbe57fdfb28599a3ad5ec8f1@sha256:dde8500cbfbb6c41433d376fdfcb3831e2df9cec50cf4f49e8553dc6eba74e72
- name: Check if runtime and builder images are up-to-date
- with:
- entrypoint: make
- args: -C images check-runtime-image check-builder-image
-
- - name: Check Cilium Envoy image
- run: make -C images check-envoy-image
diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml
deleted file mode 100644
index 3d9e91fb7c522..0000000000000
--- a/.github/workflows/lint-workflows.yaml
+++ /dev/null
@@ -1,265 +0,0 @@ -name: GitHub Workflow Related Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - v1.15 - - ft/v1.15/** - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -jobs: - ginkgo-workflow-comments: - name: Lint Ginko Workflows Comments - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - # Load Ginkgo build from GitHub - - name: Load ginkgo linter from GH cache - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-linter-${{ hashFiles('src/github.com/cilium/cilium/**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Building Ginkgo Linter Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium - git apply contrib/testing/ginkgo-get-all-test-names.patch - - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Linter Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium - mkdir -p 
/tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Copy Ginkgo binary - if: ${{ steps.cache.outputs.cache-hit == 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium/test/ - tar -xf /tmp/.ginkgo-build/test.tgz - - - name: Reading Comments From Workflows - shell: bash - run: | - cd src/github.com/cilium/cilium - - grep '# K8s' .github/actions/ginkgo/main-focus.yaml | \ - sed -e 's/^[[:space:]]\+# //g' | \ - sort -u > /tmp/ginkgo-workflow-comments.txt - - grep '# Runtime' .github/workflows/conformance-runtime.yaml | \ - sed -e 's/^[[:space:]]\+# //g' | \ - sort -u > /tmp/runtime-workflow-comments.txt - - - name: Getting test runs output - shell: bash - run: | - cd src/github.com/cilium/cilium/test - - ./test.test -ginkgo.failFast -ginkgo.dryRun -- --cilium.testScope=K8s | \ - grep TestRun | \ - grep -v 'TestRun\[Top Level\] Runtime' | \ - sed 's/TestRun\[Top Level\]\ //g' | \ - sort -u > /tmp/ginkgo-tests.txt - - ./test.test -ginkgo.failFast -ginkgo.dryRun -- --cilium.testScope=Runtime | \ - grep TestRun | \ - grep -v 'TestRun\[Top Level\] K8s' | \ - sed 's/TestRun\[Top Level\]\ //g' | \ - sort -u > /tmp/runtime-tests.txt - - - name: Checking diff Ginkgo Workflow - shell: bash - run: | - diff /tmp/ginkgo-workflow-comments.txt /tmp/ginkgo-tests.txt --suppress-common-lines - - if [ $? -ne 0 ]; then - echo "" - echo "Ginkgo tests out of sync with comments from GH workflow:" - echo "$diff" - echo "Please fix the comments from .github/actions/ginkgo/main-focus.yaml accordingly" - echo "" - exit 1 - fi - - - name: Checking diff Runtime Workflow - shell: bash - run: | - diff /tmp/runtime-workflow-comments.txt /tmp/runtime-tests.txt --suppress-common-lines - - if [ $? 
-ne 0 ]; then - echo "" - echo "Ginkgo tests out of sync with comments from GH workflow:" - echo "$diff" - echo "" - echo "Please fix the comments from .github/workflows/conformance-runtime.yaml accordingly" - exit 1 - fi - - ginkgo-schema-validation: - name: Validate Ginko Schema - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 - with: - python-version: '3.10' - - name: Install yamela - run: pip install yamale - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - - name: Validate schema of ginkgo action files - shell: bash - run: | - cd src/github.com/cilium/cilium/.github/actions/ginkgo/ - for type in focus k8s-versions prs scheduled; do - yamale -s ${type}-schema.yaml *-${type}.yaml; - done - - conformance-schema-validation: - name: Validate k8s Versions Schema - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 - with: - python-version: '3.10' - - name: Install yamela - run: pip install yamale - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - - name: Validate schema of aws, azure and gke action files - shell: bash - run: | - for dir in aws azure gke;do - dir_base=".github/actions/${dir}" - file_base="${dir_base}/k8s-versions" - if [ -f ${file_base}.yaml ];then - yamale -s ${file_base}-schema.yaml ${file_base}.yaml; - fi - if [ -f ${dir_base}/test-config-schema.yaml ];then - yamale -s ${dir_base}/test-config-schema.yaml 
${dir_base}/test-config-classic.yaml - yamale -s ${dir_base}/test-config-schema.yaml ${dir_base}/test-config-helm.yaml - fi - done - - name-validation: - name: Validate Workflow Names - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - - name: Validate Job and Step names - shell: bash - run: | - EXIT=0 - cd src/github.com/cilium/cilium/.github/workflows - for FILE in *.yaml;do - JOBS=$(yq '.jobs | to_entries | .[] | select(.value.name == null) | " " + .key' $FILE) - STEPS=$(yq '.jobs | to_entries | .[] as $job | $job.value.steps[] | {"key": $job.key, "name": .name} | select(.name == null) | " "+.key' $FILE) - if [ "${JOBS}" != "" ];then - echo Jobs are missing name field, in file $FILE - echo "${JOBS}" | awk '{for (i=1; i<=NF; i++) print " " $i}' - EXIT=1 - fi - if [ "${STEPS}" != "" ];then - echo Steps are missing name field, under these Jobs in file $FILE - echo "${STEPS}" | awk '{for (i=1; i<=NF; i++) print " " $i}' - EXIT=1 - fi - done - exit ${EXIT} - - - name: Validate Commit Status Start Job - shell: bash - run: | - EXIT=0 - cd src/github.com/cilium/cilium/.github/workflows - for FILE in *.yaml; do - # we only care about workflows that has ariane workflow_dispatch events - IS_ARIANE_DISPATCH=$(yq '.on.workflow_dispatch.inputs.PR-number' $FILE) - if [ "$IS_ARIANE_DISPATCH" == "null" ]; then - continue - fi - JOB=$(yq '.jobs | to_entries | .[] | select(.key == "commit-status-start")' $FILE) - if [ "$JOB" == "" ]; then - echo "commit-status-start job is missing in file $FILE" - EXIT=1 - fi - JOB_NAME=$(echo "${JOB}" | yq '.value.name') - if [ "$JOB_NAME" != "Commit Status Start" ]; then - echo "commit-status-start job name must be set as 'Commit Status Start' in file $FILE" - EXIT=1 - fi - done - 
exit ${EXIT} - - - name: Validate Absence of Trailing Spaces - shell: bash - working-directory: src/github.com/cilium/cilium/ - run: | - if grep --quiet --recursive '[[:blank:]]$' .github; then - echo "Found trailing spaces in the following workflow files" - grep --files-with-matches --recursive '[[:blank:]]$' .github - echo - echo "Please run:" - echo " find .github -type f -exec sed -ri 's/[[:blank:]]+$//' {} \;" - echo "and submit your changes" - exit 1 - fi diff --git a/.github/workflows/push-chart-ci.yaml b/.github/workflows/push-chart-ci.yaml deleted file mode 100644 index c4aeba6700b0e..0000000000000 --- a/.github/workflows/push-chart-ci.yaml +++ /dev/null 
@@ -1,173 +0,0 @@ -name: Chart CI Push - -on: - # run after the image build completes - workflow_run: - workflows: - - Image CI Build - - Hot Fix Image Release Build - types: - - completed - # allow manually triggering it as well, for existing refs - workflow_dispatch: - inputs: - checkout_ref: - description: 'Git ref to build. This needs to be a full commit SHA.' - required: true - - # To test: uncomment this and update it to your branch name and push to the branch. - # push: - # branches: - # - ft/v1.15/ - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - group: | - ${{ github.workflow }}-${{ github.event_name }}-${{ - (github.event_name == 'workflow_dispatch' && inputs.checkout_ref) || - (github.event_name == 'workflow_run' && github.event.workflow_run.head_sha) - }} - cancel-in-progress: true - -jobs: - push-charts: - name: Push Charts - runs-on: ubuntu-22.04 - # we also check for push events in case someone is testing the workflow by uncommenting the push trigger above. 
- if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' || github.event_name == 'push' }} - steps: - - name: Checkout GitHub main - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get triggering event ref - id: get-ref - run: | - if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then - echo ref="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT - echo sha="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT - elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then - if [[ "${{ github.event.workflow_run.head_repository.fork }}" == "true" ]]; then - # use the SHA on forks since the head_branch won't exist in the upstream repository - echo ref="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT - else - echo ref="${{ github.event.workflow_run.head_branch }}" >> $GITHUB_OUTPUT - fi - echo sha="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT - elif [[ "${{ github.event_name }}" == "push" ]]; then - echo ref="${{ github.ref }}" >> $GITHUB_OUTPUT - echo sha="${{ github.sha }}" >> $GITHUB_OUTPUT - else - echo "Invalid event type" - exit 1 - fi - - - name: Set commit status to pending - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: pending - description: Helm push in progress - - - name: Checkout Source Code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - # checkout ref not SHA so we can get useful branch names (see previous comments) - ref: ${{ steps.get-ref.outputs.ref }} - # required for git describe - fetch-depth: 0 - - name: Get version - id: get-version - run: | - set -o pipefail - set -e - if [[ -f 
./contrib/scripts/print-chart-version.sh ]]; then - echo "chart_version=$(./contrib/scripts/print-chart-version.sh)" | tee -a $GITHUB_OUTPUT - else - echo "./contrib/scripts/print-chart-version.sh missing. Perhaps it needs to be backported to your target branch?" - exit 1 - fi - - - name: Push charts - uses: cilium/reusable-workflows/.github/actions/push-helm-chart@6ae27958f2f37545bf48e44106b73df05b1f6d12 # v0.1.0 - with: - name: cilium - path: install/kubernetes/cilium - version: ${{ steps.get-version.outputs.chart_version }} - values_file_changes: | - { - - "image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci", - "image.tag": "${{ steps.get-ref.outputs.sha }}", - "image.digest": "", - "image.useDigest": false, - "preflight.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci", - "preflight.image.tag": "${{ steps.get-ref.outputs.sha }}", - "preflight.image.digest": "", - "preflight.image.useDigest": false, - "operator.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator", - "operator.image.suffix": "-ci", - "operator.image.genericDigest": "", - "operator.image.azureDigest": "", - "operator.image.awsDigest": "", - "operator.image.alibabacloudDigest": "", - "operator.image.useDigest": false, - "operator.image.tag": "${{ steps.get-ref.outputs.sha }}", - "hubble.relay.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci", - "hubble.relay.image.tag": "${{ steps.get-ref.outputs.sha }}", - "hubble.relay.image.digest": "", - "hubble.relay.image.useDigest": false, - "clustermesh.apiserver.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci", - "clustermesh.apiserver.image.tag": "${{ steps.get-ref.outputs.sha }}", - "clustermesh.apiserver.image.digest": "", - "clustermesh.apiserver.image.useDigest": false - } - registry: quay.io - registry_namespace: ${{ env.QUAY_CHARTS_ORGANIZATION_DEV }} - registry_username: ${{ secrets.QUAY_CHARTS_DEV_USERNAME }} - 
registry_password: ${{ secrets.QUAY_CHARTS_DEV_PASSWORD }} - - - name: Print helm command - run: | - echo "Example commands:" - echo helm template -n kube-system oci://quay.io/${{ env.QUAY_CHARTS_ORGANIZATION_DEV }}/cilium --version ${{ steps.get-version.outputs.chart_version }} - echo helm install cilium -n kube-system oci://quay.io/${{ env.QUAY_CHARTS_ORGANIZATION_DEV }}/cilium --version ${{ steps.get-version.outputs.chart_version }} - - - name: Set commit status to success - if: ${{ success() }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: success - description: Helm push successful - - - name: Set commit status to failure - if: ${{ failure() }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: failure - description: Helm push failed - - - name: Set commit status to cancelled - if: ${{ cancelled() }} - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: error - description: Helm push cancelled diff --git a/.github/workflows/tests-cifuzz.yaml b/.github/workflows/tests-cifuzz.yaml deleted file mode 100644 index d90ee062df2aa..0000000000000 --- a/.github/workflows/tests-cifuzz.yaml +++ /dev/null 
@@ -1,31 +0,0 @@
-name: CIFuzz
-on:
- pull_request:
- paths-ignore:
- - 'Documentation/**'
-permissions: read-all
-jobs:
- Fuzzing:
- name: Build and Run Fuzzers
- runs-on: ubuntu-latest
- steps:
- - name: Build Fuzzers
- id: build
- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@723bdbc7a8ee1e95af24284583b25d41efc0bd41
- with:
- oss-fuzz-project-name: 'cilium'
- dry-run: false
- language: go
- - name: Run Fuzzers
- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@723bdbc7a8ee1e95af24284583b25d41efc0bd41
- with:
- oss-fuzz-project-name: 'cilium'
- fuzz-seconds: 600
- dry-run: false
- language: go
- - name: Upload Crash
- uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
- if: failure() && steps.build.outcome == 'success'
- with:
- name: artifacts
- path: ./out/artifacts
diff --git a/.github/workflows/tests-clustermesh-upgrade.yaml b/.github/workflows/tests-clustermesh-upgrade.yaml
deleted file mode 100644
index de3aacdb4e0c4..0000000000000
--- a/.github/workflows/tests-clustermesh-upgrade.yaml
+++ /dev/null
@@ -1,701 +0,0 @@ -name: Cilium Cluster Mesh upgrade (ci-clustermesh) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - v1.15 - - ft/v1.15/** - - 'renovate/v1.15-**' - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - - clusterName1: cluster1 - clusterName2: cluster2 - contextName1: kind-cluster1 - contextName2: kind-cluster2 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - upgrade-and-downgrade: - name: "Upgrade and Downgrade Test" - runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }} - timeout-minutes: 60 - env: - job_name: "Installation and Connectivity Test" - - strategy: - fail-fast: false - matrix: - include: - - name: '1' - encryption: 'disabled' - kube-proxy: 'iptables' - external-kvstore: false - cm-auth-mode: 'legacy' - - - name: '2' - encryption: 'disabled' - kube-proxy: 'none' - external-kvstore: false - cm-auth-mode: 'migration' - - # Currently, ipsec requires to synchronously regenerate the host - # endpoint to ensure ordering (#25735). Given that this is a blocking - # operation, we cannot wait for full clustermesh synchronization - # for an extended period of time, as that would prevent the agents from - # becoming ready (and new pods scheduled). 
This means that we will - # experience cross-cluster connection drops during upgrades/downgrades, - # given that the timeout is too low to account for the initialization - # of a new clustermesh-apiserver replica (while it is enough to prevent - # issues in case of agent restarts, if all remote clusters are ready, - # as well as when connecting to an external kvstore as in this case). - - name: '3' - encryption: 'ipsec' - kube-proxy: 'iptables' - external-kvstore: true - cm-auth-mode: 'legacy' - - - name: '4' - encryption: 'wireguard' - kube-proxy: 'iptables' - external-kvstore: false - cm-auth-mode: 'cluster' - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up newest settings - id: newest-vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./untrusted/cilium-newest/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh stable) - echo "downgrade_version=${CILIUM_DOWNGRADE_VERSION}" >> $GITHUB_OUTPUT - - # * Monitor aggregation is set to medium to avoid the performance penalty - # in the testing environment due to the relatively high traffic load. - # * We explicitly configure the IPAM mode to prevent it from being - # reset to the default value on upgrade/downgrade due to --reset-values. - # * We explicitly configure the sync timeout to a higher value to - # give enough time to the clustermesh-apiserver to restart after - # the upgrade/downgrade before that agents regenerate the endpoints. - # * We configure the maximum number of unavailable agents to 1 to slow - # down the rollout process and highlight possible connection disruption - # occurring in the meanwhile. 
- CILIUM_INSTALL_DEFAULTS=" \ - --set=debug.enabled=true \ - --set=bpf.monitorAggregation=medium \ - --set=hubble.enabled=true \ - --set=routingMode=tunnel \ - --set=tunnelProtocol=vxlan \ - --set=ipv4.enabled=true \ - --set=ipv6.enabled=true \ - --set=kubeProxyReplacement=${{ matrix.kube-proxy == 'none' }} \ - --set=bpf.masquerade=${{ matrix.kube-proxy == 'none' }} \ - --set=ipam.mode=kubernetes \ - --set=operator.replicas=1 \ - --set=updateStrategy.rollingUpdate.maxUnavailable=1 \ - --set=clustermesh.useAPIServer=${{ !matrix.external-kvstore }} \ - --set=clustermesh.config.enabled=true \ - --set=extraConfig.clustermesh-ip-identities-sync-timeout=10m \ - --set=clustermesh.apiserver.tls.authMode=${{ matrix.cm-auth-mode }} \ - " - - # Run only a limited subset of tests to reduce the amount of time - # required. The full suite is run in conformance-clustermesh. - CONNECTIVITY_TEST_DEFAULTS=" \ - --hubble=false \ - --flow-validation=disabled \ - --test='no-interrupted-connections' \ - --test='no-unexpected-packet-drops' \ - --test='no-policies/' \ - --test='no-policies-extra/' \ - --test='allow-all-except-world/' \ - --test='client-ingress/' \ - --test='client-egress/' \ - --test='cluster-entity-multi-cluster/' \ - --test='!/pod-to-world' \ - --test='!/pod-to-cidr' \ - --collect-sysdump-on-failure" - - CILIUM_INSTALL_ENCRYPTION="" - if [ "${{ matrix.encryption }}" != "disabled" ]; then - CILIUM_INSTALL_ENCRYPTION=" \ - --set=encryption.enabled=true \ - --set=encryption.type=${{ matrix.encryption }}" - fi - - echo "cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} ${CILIUM_INSTALL_ENCRYPTION}" >> $GITHUB_OUTPUT - echo "connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS}" >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: 
Generate Kind configuration files - run: | - PODCIDR=10.242.0.0/16,fd00:10:242::/48 \ - SVCCIDR=10.243.0.0/16,fd00:10:243::/112 \ - IPFAMILY=dual \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster1.yaml - - PODCIDR=10.244.0.0/16,fd00:10:244::/48 \ - SVCCIDR=10.245.0.0/16,fd00:10:245::/112 \ - IPFAMILY=dual \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster2.yaml - - - name: Create Kind cluster 1 - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - cluster_name: ${{ env.clusterName1 }} - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ./.github/kind-config-cluster1.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Create Kind cluster 2 - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - cluster_name: ${{ env.clusterName2 }} - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ./.github/kind-config-cluster2.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - # Make sure that coredns uses IPv4-only upstream DNS servers also in case of clusters - # with IP family dual, since IPv6 ones are not reachable and cause spurious failures. - # Additionally, this is also required to workaround #23283. 
- - name: Configure the coredns nameservers - run: | - COREDNS_PATCH=" - spec: - template: - spec: - dnsPolicy: None - dnsConfig: - nameservers: - - 8.8.4.4 - - 8.8.8.8 - " - - kubectl --context ${{ env.contextName1 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH" - kubectl --context ${{ env.contextName2 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH" - - - name: Create the IPSec secret in both clusters - if: matrix.encryption == 'ipsec' - run: | - SECRET="3 rfc4106(gcm(aes)) $(openssl rand -hex 20) 128" - kubectl --context ${{ env.contextName1 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - kubectl --context ${{ env.contextName2 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - - - name: Start kvstore clusters - id: kvstore - if: matrix.external-kvstore - uses: ./.github/actions/kvstore - with: - clusters: 2 - - - name: Create the secret containing the kvstore credentials - if: matrix.external-kvstore - run: | - kubectl --context ${{ env.contextName1 }} create -n kube-system -f ${{ steps.kvstore.outputs.cilium_etcd_secrets_path }} - kubectl --context ${{ env.contextName2 }} create -n kube-system -f ${{ steps.kvstore.outputs.cilium_etcd_secrets_path }} - - - name: Set clustermesh connection parameters - id: clustermesh-vars - run: | - # Let's retrieve in advance the parameters to mesh the two clusters, so - # that we don't need to do that through the CLI in a second step, as it - # would be reset during upgrade (as we are resetting the values). 
- - # Explicitly configure the NodePorts to make sure that they are different - # in each cluster, to workaround #24692 - PORT1=32379 - PORT2=32380 - - CILIUM_INSTALL_CLUSTER1=" \ - --set cluster.name=${{ env.clusterName1 }} \ - --set cluster.id=1 \ - --set clustermesh.apiserver.service.nodePort=$PORT1 \ - " - - CILIUM_INSTALL_CLUSTER2=" \ - --set cluster.name=${{ env.clusterName2 }} \ - --set cluster.id=255 \ - --set clustermesh.apiserver.service.nodePort=$PORT2 \ - " - - CILIUM_INSTALL_COMMON=" \ - --set clustermesh.config.clusters[0].name=${{ env.clusterName1 }} \ - --set clustermesh.config.clusters[1].name=${{ env.clusterName2 }} \ - " - - if [ "${{ matrix.external-kvstore }}" == "true" ]; then - CILIUM_INSTALL_COMMON="$CILIUM_INSTALL_COMMON \ - ${{ steps.kvstore.outputs.cilium_install_clustermesh }}" - else - IP1=$(kubectl --context ${{ env.contextName1 }} get nodes \ - ${{ env.clusterName1 }}-worker -o wide --no-headers | awk '{ print $6 }') - IP2=$(kubectl --context ${{ env.contextName2 }} get nodes \ - ${{ env.clusterName2 }}-worker -o wide --no-headers | awk '{ print $6 }') - - CILIUM_INSTALL_COMMON="$CILIUM_INSTALL_COMMON \ - --set clustermesh.config.clusters[0].ips={$IP1} \ - --set clustermesh.config.clusters[0].port=$PORT1 \ - --set clustermesh.config.clusters[1].ips={$IP2} \ - --set clustermesh.config.clusters[1].port=$PORT2 \ - " - fi - - echo cilium_install_cluster1="$CILIUM_INSTALL_CLUSTER1 $CILIUM_INSTALL_COMMON" >> $GITHUB_OUTPUT - echo cilium_install_cluster2="$CILIUM_INSTALL_CLUSTER2 $CILIUM_INSTALL_COMMON" >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.newest-vars.outputs.sha }} - persist-credentials: false - path: untrusted/cilium-newest - sparse-checkout: | - install/kubernetes/cilium - - - name: Checkout ${{ steps.vars.outputs.downgrade_version }} branch - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.downgrade_version }} - persist-credentials: false - path: untrusted/cilium-downgrade - sparse-checkout: | - install/kubernetes/cilium - - - name: Set up downgrade settings - id: downgrade-vars - run: | - SHA="$(cd untrusted/cilium-downgrade && git rev-parse HEAD)" - CILIUM_IMAGE_SETTINGS=" \ - --chart-directory=./untrusted/cilium-downgrade/install/kubernetes/cilium \ - --set=image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${SHA} \ - --set=operator.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator-generic-ci:${SHA} \ - --set=clustermesh.apiserver.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci:${SHA} \ - --set=clustermesh.apiserver.kvstoremesh.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/kvstoremesh-ci:${SHA} \ - " - echo "sha=${SHA}" >> $GITHUB_OUTPUT - echo "cilium_image_settings=${CILIUM_IMAGE_SETTINGS}" >> $GITHUB_OUTPUT - - - name: Wait for images to be available (newest) - timeout-minutes: 10 - shell: bash - run: | - for image in cilium-ci operator-generic-ci clustermesh-apiserver-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.newest-vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Wait for images to be available (downgrade) - timeout-minutes: 10 - shell: bash - run: | - for image in cilium-ci operator-generic-ci clustermesh-apiserver-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ 
steps.downgrade-vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - - name: Install Cilium in cluster1 - id: install-cilium-cluster1 - env: - KVSTORE_ID: 1 - run: | - # We enable the clustermesh-apiserver (although with zero replicas) - # also when actually connecting to an external kvstore. This is a - # workaround to enable creating the clustermesh configuration secret, - # that is otherwise skipped in Cilium v1.14 (and earlier). - - cilium --context ${{ env.contextName1 }} install \ - ${{ steps.downgrade-vars.outputs.cilium_image_settings }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster1 }} \ - --set=clustermesh.useAPIServer=true \ - --set=clustermesh.apiserver.replicas=${{ matrix.external-kvstore && '0' || '1' }} \ - - - name: Copy the Cilium CA secret to cluster2, as they must match - if: ${{ !matrix.external-kvstore }} - run: | - kubectl --context ${{ env.contextName1 }} get secret -n kube-system cilium-ca -o yaml | - kubectl --context ${{ env.contextName2 }} create -f - - - - name: Install Cilium in cluster2 - env: - KVSTORE_ID: 2 - run: | - cilium --context ${{ env.contextName2 }} install \ - ${{ steps.newest-vars.outputs.cilium_install_defaults }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster2 }} - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test - pre-upgrade (${{ join(matrix.*, ', ') }}) - 
run: | - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} - pre-upgrade (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests pre-upgrade (${{ join(matrix.*, ', ') }})" - - # Create pods which establish long lived connections. They will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} --hubble=false \ - --include-conn-disrupt-test --conn-disrupt-test-setup \ - --conn-disrupt-dispatch-interval 0ms - - - - name: Upgrade Cilium in cluster1 and enable kvstoremesh - env: - KVSTORE_ID: 1 - run: | - cilium --context ${{ env.contextName1 }} upgrade --reset-values \ - ${{ steps.newest-vars.outputs.cilium_install_defaults }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster1 }} \ - --set clustermesh.apiserver.kvstoremesh.enabled=true - - - name: Rollout Cilium agents in cluster2 - if: ${{ !matrix.external-kvstore }} - run: | - # This makes sure that the remote agents reconnect to the new instance of the - # clustermesh-apiserver, without waiting for the watchdog mechanism to kick in. 
- kubectl --context ${{ env.contextName2 }} rollout restart -n kube-system ds/cilium - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName2 }} status --wait --wait-duration=10m - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Set cilium connectivity test namespace - id: cilium-cli - run: | - NAMESPACE=$(kubectl get namespace -l "app.kubernetes.io/name=cilium-cli" -o name | sort | cut -d / -f 2 | head -1) - echo namespace="$NAMESPACE" >> $GITHUB_OUTPUT - ${{ steps.cilium-cli.outputs.namespace }} - - - name: Gather additional troubleshooting information - run: | - kubectl --context ${{ env.contextName1 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName2 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName1 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --previous --ignore-errors --timestamps - - - name: Run connectivity test - post-upgrade (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --include-conn-disrupt-test \ - --junit-file "cilium-junits/${{ env.job_name }} - post upgrade (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests post-upgrade (${{ 
join(matrix.*, ', ') }})" - - # Create pods which establish long lived connections. They will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} --hubble=false \ - --include-conn-disrupt-test --conn-disrupt-test-setup \ - --conn-disrupt-dispatch-interval 0ms - - - # Perform an additional "stress" test, scaling the clustermesh-apiservers in both clusters - # to zero replicas, and restarting all agents. Existing connections should not be disrupted. - # One exception to this is represented by Cilium being in charge of handling NodePort - # traffic, as the simultaneous restart of the clustermesh-apiserver pods in both clusters - # after rolling out all agents can lead to a circular dependency (#30156). - - name: Scale the clustermesh-apiserver replicas to 0 - if: ${{ !matrix.external-kvstore }} - run: | - kubectl --context ${{ env.contextName1 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 0 - if [ ${{ matrix.kube-proxy }} != "none" ]; then - kubectl --context ${{ env.contextName2 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 0 - fi - - - name: Rollout Cilium agents in both clusters - run: | - kubectl --context ${{ env.contextName1 }} rollout restart -n kube-system ds/cilium - kubectl --context ${{ env.contextName2 }} rollout restart -n kube-system ds/cilium - - # Wait until all agents successfully restarted before scaling the replicas again - kubectl --context ${{ env.contextName1 }} rollout status -n kube-system ds/cilium --timeout=5m - kubectl --context ${{ env.contextName2 }} rollout status -n kube-system ds/cilium --timeout=5m - - - name: Scale the clustermesh-apiserver replicas back to 1 - if: ${{ !matrix.external-kvstore }} - run: | - kubectl --context ${{ env.contextName1 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 1 - kubectl 
--context ${{ env.contextName2 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 1 - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Gather additional troubleshooting information - run: | - kubectl --context ${{ env.contextName1 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName2 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName1 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --previous --ignore-errors --timestamps - - - name: Run connectivity test - stress-test (${{ join(matrix.*, ', ') }}) - run: | - # Only check that no long living connection was disrupted - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - --hubble=false \ - --flow-validation=disabled \ - --test='no-interrupted-connections' \ - --test='no-unexpected-packet-drops' \ - --include-conn-disrupt-test \ - --junit-file "cilium-junits/${{ env.job_name }} - stress test (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests stess-test (${{ join(matrix.*, ', ') }})" - - # Create pods which establish long lived connections. 
They will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} --hubble=false \ - --include-conn-disrupt-test --conn-disrupt-test-setup \ - --conn-disrupt-dispatch-interval 0ms - - - - name: Downgrade Cilium in cluster1 and disable kvstoremesh - env: - KVSTORE_ID: 1 - run: | - # We enable the clustermesh-apiserver (although with zero replicas) - # also when actually connecting to an external kvstore. This is a - # workaround to enable creating the clustermesh configuration secret, - # that is otherwise skipped in Cilium v1.14 (and earlier). - - cilium --context ${{ env.contextName1 }} upgrade --reset-values \ - ${{ steps.downgrade-vars.outputs.cilium_image_settings }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.kvstore.outputs.cilium_install_kvstore }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster1 }} \ - --set=clustermesh.useAPIServer=true \ - --set=clustermesh.apiserver.replicas=${{ matrix.external-kvstore && '0' || '1' }} \ - - - name: Rollout Cilium agents in cluster2 - if: ${{ !matrix.external-kvstore }} - run: | - # This makes sure that the remote agents reconnect to the new instance of the - # clustermesh-apiserver, without waiting for the watchdog mechanism to kick in. 
- kubectl --context ${{ env.contextName2 }} rollout restart -n kube-system ds/cilium - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Gather additional troubleshooting information - run: | - kubectl --context ${{ env.contextName1 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName2 }} get po -n ${{ steps.cilium-cli.outputs.namespace }} -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName1 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n ${{ steps.cilium-cli.outputs.namespace }} -l kind=test-conn-disrupt --prefix --previous --ignore-errors --timestamps - - - name: Run connectivity test - post-downgrade (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --include-conn-disrupt-test \ - --junit-file "cilium-junits/${{ env.job_name }} - post downgrade (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests post-downgrade (${{ join(matrix.*, ', ') }})" - - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium-cluster1.outcome != 'skipped' }} - run: | - cilium --context ${{ env.contextName1 }} status - cilium --context ${{ env.contextName1 }} clustermesh status - cilium --context ${{ env.contextName2 }} status - 
cilium --context ${{ env.contextName2 }} clustermesh status - - kubectl config use-context ${{ env.contextName1 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context1-final-${{ join(matrix.*, '-') }} - - kubectl config use-context ${{ env.contextName2 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context2-final-${{ join(matrix.*, '-') }} - - if [ "${{ matrix.external-kvstore }}" == "true" ]; then - for i in {1..2}; do - echo - echo "# Retrieving logs from kvstore$i docker container" - docker logs kvstore$i - done - fi - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.name }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.name }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: upgrade-and-downgrade - steps: - - name: Merge Sysdumps - if: ${{ needs.upgrade-and-downgrade.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - 
commit-status-final:
- if: ${{ always() }}
- name: Commit Status Final
- needs: upgrade-and-downgrade
- runs-on: ubuntu-latest
- steps:
- - name: Set final commit status
- uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ needs.upgrade-and-downgrade.result }}
diff --git a/.github/workflows/tests-datapath-verifier.yaml b/.github/workflows/tests-datapath-verifier.yaml
deleted file mode 100644
index cb9459f578516..0000000000000
--- a/.github/workflows/tests-datapath-verifier.yaml
+++ /dev/null
@@ -1,168 +0,0 @@ -name: Datapath BPF Complexity (ci-verifier) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=golang-version depName=go - go-version: 1.22.6 - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - runs-on: ubuntu-latest-4cores-16gb - name: Setup & Test - strategy: - fail-fast: false - matrix: - include: - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '4.19-20240710.064909' - ci-kernel: '419' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '5.4-20240710.064909' - ci-kernel: '54' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '5.10-20240710.064909' - ci-kernel: '510' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '5.15-20240710.064909' - ci-kernel: '510' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '6.1-20240710.064909' - ci-kernel: '61' - # renovate: datasource=docker depName=quay.io/lvh-images/complexity-test - - kernel: '6.6-20240710.064909' - ci-kernel: 'netnext' - timeout-minutes: 60 - steps: - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.SHA || github.sha }} - persist-credentials: false - - - name: Provision LVH VMs - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - test-name: datapath-bpf-complexity - image: 'complexity-test' - image-version: ${{ matrix.kernel }} - host-mount: ./ - cpu: 4 - install-dependencies: 'true' - cmd: | - for i in {1..5}; do curl "https://golang.org" > /dev/null 2>&1 && break || sleep 5; echo "Waiting for systemd-resolved to be ready..."; done - - git config --global --add safe.directory /host - uname -a - # The LVH image might ship with an arbitrary Go toolchain version, - # install the same Go toolchain version as current HEAD. - CGO_ENABLED=0 GOPROXY=direct GOSUMDB= go install golang.org/dl/go${{ env.go-version }}@latest - go${{ env.go-version }} download - - - name: Run verifier tests - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - # Run with cgo disabled, LVH images don't ship with gcc. 
- CGO_ENABLED=0 go${{ env.go-version }} test -v -parallel=1 ./test/verifier -cilium-base-path /host -ci-kernel-version ${{ matrix.ci-kernel }} - - - name: Fetch artifacts - if: ${{ !success() }} - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host - mkdir datapath-verifier - find test/verifier \( -name "*.log" -o -name "*.o" \) -exec cp -v {} datapath-verifier/ \; - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: datapath-verifier_${{ matrix.kernel }} - path: datapath-verifier - retention-days: 5 - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/tests-e2e-upgrade.yaml b/.github/workflows/tests-e2e-upgrade.yaml deleted file mode 100644 index f0fe76b2d2b07..0000000000000 --- a/.github/workflows/tests-e2e-upgrade.yaml +++ /dev/null 
@@ -1,571 +0,0 @@ -name: Cilium E2E Upgrade (ci-e2e-upgrade) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - runs-on: ubuntu-latest-4cores-16gb - name: 'Setup & Test' - env: - job_name: 'Setup & Test' - strategy: - fail-fast: false - max-parallel: 16 - matrix: - include: - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - # ! NOTE: keep conformance-e2e.yaml config in sync ! - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
- - - name: '1' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '4.19-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - # enabling breaks downgrading as #30818 was not backported to v1.14 - # host-fw: 'true' - - - name: '2' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - # enabling breaks downgrading as #30818 was not backported to v1.14 - # host-fw: 'true' - - - name: '3' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - endpoint-routes: 'true' - - - name: '4' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '5' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - lb-mode: 'dsr' - endpoint-routes: 'true' - egress-gateway: 'true' - host-fw: 'false' # enabling breaks downgrading (missed tail calls) - - - name: '6' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - egress-gateway: 'true' - host-fw: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - - - name: '7' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.6-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - lb-mode: 'snat' - egress-gateway: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - - 
- name: '8' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.6-20240710.064909' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'geneve' - endpoint-routes: 'true' - - - name: '9' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - encryption: 'wireguard' - encryption-node: 'false' - lb-mode: 'snat' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '10' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - encryption: 'wireguard' - encryption-node: 'false' - lb-mode: 'dsr' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '11' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - encryption: 'wireguard' - encryption-node: 'true' - lb-mode: 'snat' - egress-gateway: 'true' - ingress-controller: 'true' - - - name: '12' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.6-20240710.064909' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - encryption: 'wireguard' - encryption-node: 'true' - lb-mode: 'snat' - egress-gateway: 'true' - ingress-controller: 'true' - - - name: '14' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - egress-gateway: 'true' - lb-acceleration: 'testing-only' - - - name: '16' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20240710.064909' - 
kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - encryption: 'wireguard' - encryption-node: 'false' - host-fw: 'true' - - timeout-minutes: 60 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh stable) - echo downgrade_version=${CILIUM_DOWNGRADE_VERSION} >> $GITHUB_OUTPUT - - - name: Derive stable Cilium installation config - id: cilium-stable-config - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.downgrade_version }} - chart-dir: './untrusted/cilium-downgrade/install/kubernetes/cilium/' - tunnel: ${{ matrix.tunnel }} - devices: ${{ matrix.devices }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - misc: 'bpfClockProbe=false,cni.uninstall=false' # TODO(brb) maybe it's only needed for <1.14 - - - name: Derive newest Cilium installation config - id: cilium-newest-config - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: './untrusted/cilium-newest/install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - devices: ${{ matrix.devices }} - endpoint-routes: ${{ 
matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - misc: 'bpfClockProbe=false,cni.uninstall=false' - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - binary-name: cilium-cli - binary-dir: ./ - - - name: Provision LVH VMs - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - test-name: ipsec-upgrade - image-version: ${{ matrix.kernel }} - host-mount: ./ - cpu: 4 - mem: '12G' - install-dependencies: 'true' - cmd: | - git config --global --add safe.directory /host - - - name: Setup K8s cluster - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - - export IMAGE=${{ env.KIND_K8S_IMAGE }} - IP_FAM="dual" - if [ "${{ matrix.ipv6 }}" == "false" ]; then - IP_FAM="ipv4" - fi - ./contrib/scripts/kind.sh --xdp --secondary-network "" 3 "" "" "${{ matrix.kube-proxy }}" \$IP_FAM - - kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]' - - mkdir -p cilium-junits - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted/cilium-newest - sparse-checkout: | - install/kubernetes/cilium - - - name: Checkout ${{ steps.vars.outputs.downgrade_version }} branch to get the Helm chart - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.downgrade_version }} - persist-credentials: false - path: untrusted/cilium-downgrade - sparse-checkout: | - install/kubernetes/cilium - - - name: Wait for images to be available - timeout-minutes: 10 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium ${{ env.cilium_stable_version }} - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - - CILIUM_CLI_MODE=helm ./cilium-cli install \ - ${{ steps.cilium-stable-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium status - - - name: Start conn-disrupt-test - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - - # Create pods which establish long lived connections. It will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. 
- ./cilium-cli connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup \ - --conn-disrupt-dispatch-interval 0ms - - - name: Upgrade Cilium - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - - CILIUM_CLI_MODE=helm ./cilium-cli upgrade \ - ${{ steps.cilium-newest-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium status - - - name: Test Cilium after upgrade - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - - EXTRA=() - if [ "${{ matrix.secondary-network }}" = "true" ]; then - EXTRA+=("--secondary-network-iface=eth1") - fi - - # it's fine to ignore the "No egress gateway found" drop reason as this may be caused by the kind=echo pods - # sending traffic while the egressgw policy map is still being populated. - # - # The actual connectivity test will ensure that the map is in sync with the policy and that egressgw traffic - # always go through the correct gateway - EXTRA+=("--expected-drop-reasons=+No egress gateway found") - - # Disable check-log-errors due to https://github.com/cilium/cilium-cli/issues/1858 - ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --include-conn-disrupt-test \ - --flush-ct \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests upgrade 2 (${{ join(matrix.*, ', ') }})" \ - "${EXTRA[@]}" - - # --flush-ct interrupts the flows, so we need to set up again. 
- ./cilium-cli connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup \ - --conn-disrupt-dispatch-interval 0ms - - - name: Downgrade Cilium ${{ env.cilium_stable_version }} - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - - CILIUM_CLI_MODE=helm ./cilium-cli upgrade \ - ${{ steps.cilium-stable-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium status - - - name: Test Cilium after downgrade to ${{ env.cilium_stable_version }} - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host/ - - EXTRA=() - if [ "${{ matrix.secondary-network }}" = "true" ]; then - EXTRA+=("--secondary-network-iface=eth1") - fi - - # it's fine to ignore the "No egress gateway found" drop reason as this may be caused by the kind=echo pods - # sending traffic while the egressgw policy map is still being populated. 
- # - # The actual connectivity test will ensure that the map is in sync with the policy and that egressgw traffic - # always go through the correct gateway - EXTRA+=("--expected-drop-reasons=+No egress gateway found") - - kubectl -n kube-system get pods -l k8s-app=cilium --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | xargs -I'{}' /bin/sh -c "echo '{}' && kubectl -n kube-system exec '{}' -c cilium-agent -- cilium metrics list | grep drop_count" - - ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --include-conn-disrupt-test \ - --flush-ct \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests upgrade 3 (${{ join(matrix.*, ', ') }})" \ - "${EXTRA[@]}" - - - name: Fetch artifacts - if: ${{ !success() }} - uses: cilium/little-vm-helper@97c89f004bd0ab4caeacfe92ebc956e13e362e6b # v0.0.19 - with: - provision: 'false' - cmd: | - cd /host - kubectl -n kube-system get pods -l k8s-app=cilium --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | xargs -I'{}' /bin/sh -c "echo '{}' && kubectl -n kube-system exec '{}' -c cilium-agent -- cilium metrics list | grep drop_count" - kubectl get pods --all-namespaces -o wide - ./cilium-cli status - mkdir -p cilium-sysdumps - ./cilium-cli sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final - # To debug https://github.com/cilium/cilium/issues/26062 - head -n -0 /proc/buddyinfo /proc/pagetypeinfo - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.name }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # 
v4.3.5 - with: - name: cilium-junits-${{ matrix.name }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/tests-ipsec-upgrade.yaml b/.github/workflows/tests-ipsec-upgrade.yaml deleted file mode 100644 index 60b605ba54c68..0000000000000 --- a/.github/workflows/tests-ipsec-upgrade.yaml +++ /dev/null 
@@ -1,456 +0,0 @@ -name: Cilium IPsec upgrade (ci-ipsec-upgrade) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - 'renovate/v1.15-**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - -jobs: - echo-inputs: - if: ${{ github.event_name == 'workflow_dispatch' }} - name: Echo Workflow Dispatch Inputs - runs-on: ubuntu-22.04 - steps: - - name: Echo Workflow Dispatch Inputs - run: | - echo '${{ tojson(inputs) }}' - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - runs-on: ubuntu-latest-4cores-16gb - name: 'Setup & Test' - env: - job_name: 'Setup & Test' - strategy: - fail-fast: false - max-parallel: 16 - matrix: - config: ['5.4', '5.10', '6.1', '6.6'] - mode: ['minor', 'patch'] - include: - # Define three config sets - - config: '5.4' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20240710.064909' - kube-proxy: 'iptables' - kpr: 'disabled' - tunnel: 'disabled' - encryption: 'ipsec' - - - config: '5.10' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20240710.064909' - kube-proxy: 'iptables' - kpr: 'disabled' - tunnel: 'disabled' - encryption: 'ipsec' - endpoint-routes: 'true' - - - config: '6.1' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20240710.064909' - kube-proxy: 'iptables' - kpr: 'disabled' - tunnel: 'vxlan' - encryption: 'ipsec' - endpoint-routes: 'false' - - - config: '6.6' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.6-20240710.064909' - kube-proxy: 'iptables' - kpr: 'disabled' - tunnel: 'vxlan' - encryption: 'ipsec' - endpoint-routes: 'true' - - # Add names to matrix 
combinations of {config, mode} - - config: '5.4' - mode: 'minor' - name: '1' - - - config: '5.10' - mode: 'minor' - name: '2' - - - config: '6.1' - mode: 'minor' - name: '3' - - - config: '6.6' - mode: 'minor' - name: '4' - - - config: '5.4' - mode: 'patch' - name: '5' - - - config: '5.10' - mode: 'patch' - name: '6' - - - config: '6.1' - mode: 'patch' - name: '7' - - - config: '6.6' - mode: 'patch' - name: '8' - - timeout-minutes: 70 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - # We keep the credentials here, to make sure we're able to run - # "git fetch" in print-downgrade-version.sh in a few steps below. - # We'll call it again to remove the credentials before pulling the - # untrusted branch from the PR. We remain in a trusted context while - # credentials persist. - # This remains faster than downloading the full project history to - # make tags available to print-downgrade-version.sh. - persist-credentials: true - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - if [ "${{ matrix.mode }}" = "minor" ]; then - CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh stable) - IMAGE_TAG=${CILIUM_DOWNGRADE_VERSION} - else - # Upgrade from / downgrade to patch release. - # In some cases we expect to fail to get the version number, do not - # fail the workflow in such case. This is typically the case on - # main branch where we don't have preceeding patch releases. 
- CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh patch || true) - # Pass an empty tag to the cilium-config action to fall back to the - # default release image, without crafting an image path with the - # "-ci" suffix - IMAGE_TAG='' - fi - echo "CILIUM_DOWNGRADE_VERSION: ${CILIUM_DOWNGRADE_VERSION}" - echo "IMAGE_TAG: ${IMAGE_TAG}" - if [ -z "${CILIUM_DOWNGRADE_VERSION}" ]; then - echo "::notice::No CILIUM_DOWNGRADE_VERSION returned; skipping remaining steps" - fi - echo downgrade_version=${CILIUM_DOWNGRADE_VERSION} >> $GITHUB_OUTPUT - echo image_tag=${IMAGE_TAG} >> $GITHUB_OUTPUT - - - name: Call actions/checkout again to remove credentials - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Check we effectively removed Git credentials - shell: bash - run: | - # For private repositories requiring authentication, check that we - # can no longer fetch from the repository. - if ! curl -L \ - -H "Accept: application/vnd.github+json" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - "https://api.github.com/repos/${{ github.repository }}" | \ - tee /dev/stderr | \ - jq --exit-status '.private == false'; then - echo 'Checking whether "git fetch" succeeds' - if git fetch origin HEAD; then - echo "::error::Git credentials not removed, aborting now." 
- false - fi - fi - - - name: Derive stable Cilium installation config - id: cilium-stable-config - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.image_tag }} - chart-dir: './untrusted/cilium-downgrade/install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - misc: 'bpfClockProbe=false,cni.uninstall=false' - - - name: Derive newest Cilium installation config - id: cilium-newest-config - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: './untrusted/cilium-newest/install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - misc: 'bpfClockProbe=false,cni.uninstall=false' - - - name: Install Cilium CLI - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - binary-name: cilium-cli - binary-dir: ./ - - - name: Set Kind params - if: ${{ steps.vars.outputs.downgrade_version != '' }} - id: kind-params - shell: bash - 
run: | - IP_FAM="dual" - if [ "${{ matrix.ipv6 }}" == "false" ]; then - IP_FAM="ipv4" - fi - echo params="\"\" 3 \"\" \"\" ${{ matrix.kube-proxy }} $IP_FAM" >> $GITHUB_OUTPUT - - - name: Provision K8s on LVH VM - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/lvh-kind - with: - test-name: e2e-conformance - kernel: ${{ matrix.kernel }} - kind-params: "${{ steps.kind-params.outputs.params }}" - kind-image: ${{ env.KIND_K8S_IMAGE }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: untrusted/cilium-newest - sparse-checkout: | - install/kubernetes/cilium - - - name: Checkout ${{ steps.vars.outputs.downgrade_version }} branch to get the Helm chart - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ steps.vars.outputs.downgrade_version }} - persist-credentials: false - path: untrusted/cilium-downgrade - sparse-checkout: | - install/kubernetes/cilium - - - name: Wait for images to be available - if: ${{ steps.vars.outputs.downgrade_version != '' }} - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium ${{ steps.vars.outputs.downgrade_version }} (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - shell: bash - run: | - kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]' - 
kubectl create -n kube-system secret generic cilium-ipsec-keys \ - --from-literal=keys="3+ rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - mkdir -p cilium-junits - - CILIUM_CLI_MODE=helm ./cilium-cli install \ - ${{ steps.cilium-stable-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - # TODO: After Cilium 1.15 release, update to cilium-dbg - kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium status - - - name: Setup conn-disrupt-test before upgrading (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/conn-disrupt-test-setup - - - name: Upgrade Cilium (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - shell: bash - run: | - CILIUM_CLI_MODE=helm ./cilium-cli upgrade \ - ${{ steps.cilium-newest-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium-dbg status - - - name: Run tests after upgrading (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/conn-disrupt-test-check - with: - job-name: cilium-upgrade-${{ matrix.name }} - full-test: 'true' - - - name: Setup conn-disrupt-test before downgrading - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/conn-disrupt-test-setup - - - name: Downgrade Cilium to ${{ steps.vars.outputs.downgrade_version }} (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - shell: bash - run: | - CILIUM_CLI_MODE=helm ./cilium-cli upgrade \ - ${{ steps.cilium-stable-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - # TODO: After Cilium 1.15 release, update to cilium-dbg - kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium status - - - name: Check 
conn-disrupt-test after downgrading - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/conn-disrupt-test-check - with: - job-name: cilium-downgrade-${{ matrix.name }} - full-test: 'true' - - - name: Fetch artifacts - if: ${{ steps.vars.outputs.downgrade_version != '' && !success() }} - shell: bash - run: | - kubectl get pods --all-namespaces -o wide - ./cilium-cli status - mkdir -p cilium-sysdumps - ./cilium-cli sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final - - - name: Upload artifacts - if: ${{ steps.vars.outputs.downgrade_version != '' && !success() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps-${{ matrix.config }}-${{ matrix.mode }} - path: cilium-sysdump-*.zip - - - name: Upload JUnits [junit] - if: ${{ steps.vars.outputs.downgrade_version != '' && always() }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits-${{ matrix.config }}-${{ matrix.mode }} - path: cilium-junits/*.xml - - - name: Publish Test Results As GitHub Summary - if: ${{ steps.vars.outputs.downgrade_version != '' && always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - merge-upload: - if: ${{ always() }} - name: Merge and Upload Artifacts - runs-on: ubuntu-latest - needs: setup-and-test - steps: - - name: Merge Sysdumps - if: ${{ needs.setup-and-test.result == 'failure' }} - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-sysdumps - pattern: cilium-sysdumps-* - retention-days: 5 - delete-merged: true - continue-on-error: true - - name: Merge JUnits - uses: actions/upload-artifact/merge@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - with: - name: cilium-junits - pattern: cilium-junits-* - retention-days: 5 - delete-merged: true - - commit-status-final: - if: ${{ always() }} - 
name: Commit Status Final
- needs: setup-and-test
- runs-on: ubuntu-latest
- steps:
- - name: Set final commit status
- uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ needs.setup-and-test.result }}
diff --git a/.github/workflows/tests-l4lb.yaml b/.github/workflows/tests-l4lb.yaml
deleted file mode 100644
index 3eed97735f310..0000000000000
--- a/.github/workflows/tests-l4lb.yaml
+++ /dev/null
@@ -1,161 +0,0 @@
-name: Cilium L4LB XDP (ci-l4lb)
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- workflow_dispatch:
- inputs:
- PR-number:
- description: "Pull request number."
- required: true
- context-ref:
- description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
- required: true
- SHA:
- description: "SHA under test (head of the PR branch)."
- required: true
- extra-args:
- description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
- required: false
- default: '{}'
-
- push:
- branches:
- - v1.15
- - ft/v1.15/**
- - 'renovate/v1.15-**'
- paths-ignore:
- - 'Documentation/**'
-
-# By specifying the access of one of the scopes, all of those that are not
-# specified are set to 'none'.
-permissions:
- # To be able to access the repository with actions/checkout
- contents: read
- # To allow retrieving information from the PR API
- pull-requests: read
- # To be able to set commit status
- statuses: write
-
-concurrency:
- # Structure:
- # - Workflow name
- # - Event type
- # - A unique identifier depending on event type:
- # - push: SHA
- # - workflow_dispatch: PR number
- #
- # This structure ensures a unique concurrency group name is generated for each
- # type of testing, such that re-runs will cancel the previous run.
- group: |
- ${{ github.workflow }}
- ${{ github.event_name }}
- ${{
- (github.event_name == 'push' && github.sha) ||
- (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
- }}
- cancel-in-progress: true
-
-env:
- cilium_cli_ci_version:
-
-jobs:
- echo-inputs:
- if: ${{ github.event_name == 'workflow_dispatch' }}
- name: Echo Workflow Dispatch Inputs
- runs-on: ubuntu-22.04
- steps:
- - name: Echo Workflow Dispatch Inputs
- run: |
- echo '${{ tojson(inputs) }}'
-
- commit-status-start:
- name: Commit Status Start
- runs-on: ubuntu-latest
- steps:
- - name: Set initial commit status
- uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
- with:
- sha: ${{ inputs.SHA || github.sha }}
-
- setup-and-test:
- name: Setup & Test
- # Ubuntu 22.04 runner uses cgroup v2-only which is needed for some
- # our LB functionality
- runs-on: ubuntu-22.04
- timeout-minutes: 45
- steps:
- - name: Checkout context ref (trusted)
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ inputs.context-ref || github.sha }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Set up job variables
- id: vars
- run: |
- if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
- SHA="${{ inputs.SHA }}"
- else
- SHA="${{ github.sha }}"
- fi
-
- echo sha=${SHA} >> $GITHUB_OUTPUT
-
- - name: Install Cilium CLI
- uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13
- with:
- repository: ${{ env.CILIUM_CLI_RELEASE_REPO }}
- release-version: ${{ env.CILIUM_CLI_VERSION }}
- ci-version: ${{ env.cilium_cli_ci_version }}
-
- # Warning: since this is a privileged workflow, subsequent workflow job
- # steps must take care not to execute untrusted code.
- - name: Checkout pull request branch (NOT TRUSTED)
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ steps.vars.outputs.sha }}
- persist-credentials: false
- path: pull-request
-
- - name: Wait for image to be available
- timeout-minutes: 30
- shell: bash
- run: |
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
-
- - name: Run LoadBalancing test
- id: lb-test
- run: |
- cd ${{ github.workspace }}/test/l4lb && sudo ./test.sh ${{ env.QUAY_ORGANIZATION_DEV }} ${{ steps.vars.outputs.sha }}
-
- - name: Run NAT46x64 test
- run: |
- cd ${{ github.workspace }}/test/nat46x64 && sudo ./test.sh ${{ env.QUAY_ORGANIZATION_DEV }} ${{ steps.vars.outputs.sha }}
-
- - name: Fetch DinD information
- if: ${{ !success() && steps.lb-test.outcome != 'skipped' }}
- run: |
- docker ps -a
- docker logs lb-node
- docker inspect lb-node
- docker exec -t lb-node docker ps
-
- - name: Fetch Cilium Standalone LB logs
- if: ${{ !success() && steps.lb-test.outcome != 'skipped' }}
- run: |
- docker exec -t lb-node docker logs cilium-lb
-
- commit-status-final:
- if: ${{ always() }}
- name: Commit Status Final
- needs: setup-and-test
- runs-on: ubuntu-latest
- steps:
- - name: Set final commit status
- uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ needs.setup-and-test.result }}
diff --git a/.github/workflows/tests-smoke-ipv6.yaml b/.github/workflows/tests-smoke-ipv6.yaml
deleted file mode 100644
index c40b162afe8eb..0000000000000
--- a/.github/workflows/tests-smoke-ipv6.yaml
+++ /dev/null
@@ -1,177 +0,0 @@
-name: Smoke Test with IPv6
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- pull_request: {}
- push:
- branches:
- - v1.15
- - ft/v1.15/**
-
-permissions: read-all
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
- cancel-in-progress: true
-
-env:
- cilium_cli_ci_version:
- CILIUM_CLI_MODE: helm
- KIND_CONFIG: .github/kind-config-ipv6.yaml
- # Skip external traffic (e.g. 1.1.1.1 and www.google.com) due to no support for IPv6 in github action
- CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check-internal.yaml
- TIMEOUT: 5m
- LOG_TIME: 30m
-
-jobs:
- check_changes:
- name: Deduce required tests from code changes
- runs-on: ubuntu-22.04
- outputs:
- tested: ${{ steps.tested-tree.outputs.src }}
- steps:
- - name: Checkout code
- if: ${{ !github.event.pull_request }}
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
- fetch-depth: 0
- - name: Check code changes
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
- id: tested-tree
- with:
- # For `push` events, compare against the `ref` base branch
- # For `pull_request` events, this is ignored and will compare against the pull request base branch
- base: ${{ github.ref }}
- filters: |
- src:
- - '!(test|Documentation)/**'
-
- conformance-test-ipv6:
- needs: check_changes
- if: ${{ needs.check_changes.outputs.tested == 'true' }}
- runs-on: ubuntu-22.04
- name: Installation and Conformance Test (ipv6)
- steps:
- - name: Checkout target branch to access local actions
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ github.base_ref || github.ref }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
with: - persist-credentials: false - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ github.event.pull_request.head.sha }} - - - name: Set image tag - id: sha - run: | - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - - name: Precheck generated connectivity manifest files - run: | - make -C examples/kubernetes/connectivity-check fmt - make -C examples/kubernetes/connectivity-check all - test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1) - - - name: Enable IPv6 in docker - run: | - sudo cat /etc/docker/daemon.json || true - # Keep existing config like cgroup-parent in github action - sudo sh -c "echo '{ \"exec-opts\": [\"native.cgroupdriver=cgroupfs\"], \"cgroup-parent\": \"/actions_job\", \"ipv6\": true, \"fixed-cidr-v6\": \"2001:db8:1::/64\" }' > /etc/docker/daemon.json" - sudo cat /etc/docker/daemon.json - sudo ip -6 route add 2001:db8:1::/64 dev docker0 - sudo sysctl net.ipv6.conf.default.forwarding=1 - sudo sysctl net.ipv6.conf.all.forwarding=1 - sudo systemctl restart docker - - - name: Create kind cluster - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 - with: - version: ${{ env.KIND_VERSION }} - node_image: ${{ env.KIND_K8S_IMAGE }} - kubectl_version: ${{ env.KIND_K8S_VERSION }} - config: ${{ env.KIND_CONFIG }} - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.sha.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Set up install variables - id: vars - run: | - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set 
nodeinit.enabled=true \ - --helm-set kubeProxyReplacement=true \ - --helm-set ipam.mode=kubernetes \ - --helm-set hubble.enabled=true \ - --helm-set hubble.relay.enabled=true \ - --helm-set ipv6.enabled=true \ - --helm-set ipv4.enabled=false \ - --helm-set routingMode=native \ - --helm-set autoDirectNodeRoutes=true \ - --helm-set ipv6NativeRoutingCIDR=2001:db8:1::/64 \ - --helm-set ingressController.enabled=true" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Run conformance test (e.g. connectivity check without external 1.1.1.1 and www.google.com) - run: | - kubectl apply -f ${{ env.CONFORMANCE_TEMPLATE }} - kubectl wait --for=condition=Available --all deployment --timeout=${{ env.TIMEOUT }} - - - name: Report cluster failure status and capture cilium-sysdump - if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }} - # The following is needed to prevent hubble from receiving an empty - # file (EOF) on stdin and displaying no flows. 
- shell: 'script -q -e -c "bash --noprofile --norc -eo pipefail {0}"'
- run: |
- echo "=== Retrieve cluster state ==="
- kubectl get pods --all-namespaces -o wide
- cilium status
- cilium sysdump --output-filename cilium-sysdump-out
-
- - name: Upload cilium-sysdump
- uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
- if: ${{ failure() }}
- with:
- name: cilium-sysdump-out.zip
- path: cilium-sysdump-out.zip
diff --git a/.github/workflows/tests-smoke.yaml b/.github/workflows/tests-smoke.yaml
deleted file mode 100644
index 345003b5f9b94..0000000000000
--- a/.github/workflows/tests-smoke.yaml
+++ /dev/null
@@ -1,211 +0,0 @@
-name: Smoke Test
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- pull_request: {}
- push:
- branches:
- - v1.15
- - ft/v1.15/**
- merge_group:
- types: [checks_requested]
-
-permissions: read-all
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }}
- cancel-in-progress: ${{ !github.event.merge_group }}
-
-env:
- cilium_cli_ci_version:
- CILIUM_CLI_MODE: helm
- KIND_CONFIG: .github/kind-config.yaml
- CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check.yaml
- TIMEOUT: 2m
- LOG_TIME: 30m
- PROM_VERSION: 2.34.0
-
-jobs:
- check_changes:
- name: Deduce required tests from code changes
- runs-on: ubuntu-22.04
- outputs:
- tested: ${{ steps.tested-tree.outputs.src }}
- steps:
- - name: Checkout code
- if: ${{ !github.event.pull_request }}
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
- fetch-depth: 0
- - name: Check code changes
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
- id: tested-tree
- with:
- # For `push` events, compare against the `ref` base branch
- # For `pull_request` events, this is ignored and will compare against the pull request base branch
- base: ${{ github.ref }}
- filters: |
- src:
- - '!(test|Documentation)/**'
-
- preflight-clusterrole:
- runs-on: ubuntu-latest
- name: Preflight Clusterrole Check
- steps:
- - name: Checkout code
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
-
- - name: Check pre-flight clusterrole
- run: make check-k8s-clusterrole
-
- helm-charts:
- runs-on: ubuntu-latest
- name: Helm Charts Check
- steps:
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
-
- - name: Run helm-charts
- run: |
- make -C 
install/kubernetes
- test -z "$(git status --porcelain)" || (echo "please run 'make -C install/kubernetes' and submit your changes"; exit 1)
-
- git rm --ignore-unmatch install/kubernetes/cilium/values.schema.json
- test -z "$(git status --porcelain)" || (echo "please delete 'install/kubernetes/cilium/values.schema.json' and submit your changes"; exit 1)
-
- conformance-test:
- needs: check_changes
- if: ${{ needs.check_changes.outputs.tested == 'true' && github.event_name != 'merge_group' }}
- runs-on: ubuntu-latest
- name: Installation and Conformance Test
- steps:
- - name: Checkout target branch to access local actions
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- ref: ${{ github.base_ref || github.ref }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- with:
- persist-credentials: false
-
- - name: Get Cilium's default values
- id: default_vars
- uses: ./.github/actions/helm-default
- with:
- image-tag: ${{ github.event.pull_request.head.sha }}
-
- - name: Set image tag
- id: sha
- run: |
- echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
-
- - name: Precheck generated connectivity manifest files
- run: |
- make -C examples/kubernetes/connectivity-check fmt
- make -C examples/kubernetes/connectivity-check all
- test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1)
-
- - name: Create kind cluster
- uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
- with:
- version: ${{ env.KIND_VERSION }}
- node_image: ${{ env.KIND_K8S_IMAGE }}
- kubectl_version: ${{ env.KIND_K8S_VERSION }}
- config: ${{ env.KIND_CONFIG }}
- wait: 0 # The control-plane never becomes ready, since no CNI is present
-
- - name: Wait for images to be available
-
timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.sha.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Set up install variables - id: vars - run: | - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set nodeinit.enabled=true \ - --helm-set kubeProxyReplacement=true \ - --helm-set ipam.mode=kubernetes \ - --helm-set hubble.relay.enabled=true \ - --helm-set prometheus.enabled=true \ - --helm-set operator.prometheus.enabled=true \ - --helm-set hubble.enabled=true \ - --helm-set=hubble.metrics.enabled=\"{dns,drop,tcp,flow,port-distribution,icmp,http}\" \ - --helm-set ingressController.enabled=true" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e # v0.16.13 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Run conformance test (e.g. 
connectivity check) - run: | - kubectl apply -f ${{ env.CONFORMANCE_TEMPLATE }} - kubectl wait --for=condition=Available --all deployment --timeout=${{ env.TIMEOUT }} - - - name: Check prometheus metrics - if: ${{ success() }} - run: | - cd $HOME - cilium_pod=$(kubectl -n kube-system get po -o name --field-selector=status.phase==Running -l 'k8s-app=cilium' -o jsonpath='{.items[0].metadata.name}' ) - kubectl -n kube-system exec $cilium_pod -- sh -c "apt update && apt install curl -y" - kubectl -n kube-system exec $cilium_pod -- curl http://localhost:9962/metrics > metrics.prom - # Install promtool binary release. `go install` doesn't work due to - # https://github.com/prometheus/prometheus/issues/8852 and related issues. - curl -sSL --remote-name-all https://github.com/prometheus/prometheus/releases/download/v${PROM_VERSION}/{prometheus-${PROM_VERSION}.linux-amd64.tar.gz,sha256sums.txt} - sha256sum --check --ignore-missing sha256sums.txt - tar xzvf prometheus-${PROM_VERSION}.linux-amd64.tar.gz prometheus-${PROM_VERSION}.linux-amd64/promtool - rm -f prometheus-${PROM_VERSION}.linux-amd64.tar.gz - sudo mv prometheus-${PROM_VERSION}.linux-amd64/promtool /usr/bin - cat metrics.prom | promtool check metrics - - - name: Report cluster failure status and capture cilium-sysdump - if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }} - # The following is needed to prevent hubble from receiving an empty - # file (EOF) on stdin and displaying no flows. - shell: 'script -q -e -c "bash --noprofile --norc -eo pipefail {0}"' - run: | - echo "=== Retrieve cluster state ===" - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - - - name: Upload cilium-sysdump - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 - if: ${{ failure() }} - with: - name: cilium-sysdump-out.zip - path: cilium-sysdump-out.zip 
diff --git a/.github/workflows/update-label-backport-pr.yaml b/.github/workflows/update-label-backport-pr.yaml
deleted file mode 100644
index f2a6e2d2d184d..0000000000000
--- a/.github/workflows/update-label-backport-pr.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
----
- # A reusable workflow designed to be called from the context of a specific
- # branch whenever a backport PR is merged. The workflow scans the backport PR
- # body to get the list of the backported PRs and updates their labels, replacing
- # all "backport-pending/" with "backport-done/".
- name: Update labels of backported PRs
- on:
- workflow_call:
- inputs:
- pr-body:
- required: true
- type: string
- description: "The PR description containing all the references to the backported PRs."
- branch:
- required: true
- type: string
- description: "The stable branch version."
-
- jobs:
- backport-label-updater:
- name: Update labels of backported PRs
- runs-on: ubuntu-latest
- permissions:
- pull-requests: write # Adding and removing labels
- env:
- body: ${{ inputs.pr-body }}
- steps:
- - name: Pre-process PR body
- id: pre-process
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
- with:
- script: |
- const { body } = process.env
- return body.replace(/\'/g, '')
- .replace(/"/g, '')
- .replace(/`/g, '')
- .replace(/$/g, '')
- result-encoding: string
-
- - name: Update labels
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- echo "${{steps.pre-process.outputs.result}}" | sed -En "/upstream-prs/ { n; p }" | cut -d ';' -f 1 | grep -Eo '[0-9]+' | while read -r pr; do
- echo "Removing label backport-pending/${{ inputs.branch }} from pr #${pr}."
- gh pr edit ${pr} --repo "${GITHUB_REPOSITORY}" --remove-label backport-pending/${{ inputs.branch }}
- echo "Adding label backport-done/${{ inputs.branch }} to pr #${pr}."
- gh pr edit ${pr} --repo "${GITHUB_REPOSITORY}" --add-label backport-done/${{ inputs.branch }}
- done