Skip to content

Talos Conformance

Talos Conformance #208

Workflow file for this run

name: Talos Conformance
on:
schedule:
# Run weekly.
- cron: '0 9 * * 1'
pull_request:
paths:
- '.github/workflows/conformance.yml'
workflow_dispatch:
jobs:
setup-and-test:
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: read
strategy:
fail-fast: false
max-parallel: 6
matrix:
cilium:
# renovate: datasource=github-releases depName=cilium/cilium
- '1.16.3'
# renovate: datasource=github-releases depName=cilium/cilium
- '1.15.10'
# renovate: datasource=github-releases depName=cilium/cilium
- '1.14.16'
talos:
# renovate: datasource=github-releases depName=siderolabs/talos
- 'v1.8.2'
# renovate: datasource=github-releases depName=siderolabs/talos
- 'v1.7.7'
config:
- name: 'Vanilla'
kube-proxy: false
kube-proxy-replacement: "true"
socketlb: false
bpf-masquerade: true
ipam-mode: 'kubernetes'
ipv4: true
ipv6: false
encryption-enabled: false
encryption-type: ipsec
tunnel-mode: vxlan
nodeport: true
ingress-controller: true
- name: 'Wireguard'
kube-proxy: true
kube-proxy-replacement: "true"
socketlb: false
bpf-masquerade: true
ipam-mode: 'kubernetes'
ipv4: true
ipv6: false
encryption-enabled: true
encryption-type: wireguard
tunnel-mode: vxlan
nodeport: true
ingress-controller: true
- name: 'IPSEC'
kube-proxy: true
kube-proxy-replacement: "false"
socketlb: true
bpf-masquerade: false
ipam-mode: 'kubernetes'
ipv4: true
ipv6: false
encryption-enabled: true
encryption-type: ipsec
tunnel-mode: vxlan
nodeport: false
ingress-controller: false
- name: 'No KPR and w/ BPF Masq'
kube-proxy: true
kube-proxy-replacement: "false"
socketlb: true
bpf-masquerade: true
ipam-mode: 'kubernetes'
ipv4: true
ipv6: false
encryption-enabled: false
tunnel-mode: vxlan
nodeport: true
ingress-controller: true
- name: 'Clusterpool IPAM Mode'
kube-proxy: false
kube-proxy-replacement: "true"
socketlb: false
bpf-masquerade: true
ipam-mode: 'cluster-pool'
ipv4: true
ipv6: false
encryption-enabled: false
encryption-type: ipsec
tunnel-mode: vxlan
nodeport: true
ingress-controller: true
- name: 'With Geneve Tunnel'
kube-proxy: false
kube-proxy-replacement: "true"
socketlb: false
bpf-masquerade: true
ipam-mode: 'kubernetes'
ipv4: true
ipv6: false
encryption-enabled: false
encryption-type: ipsec
tunnel-mode: geneve
nodeport: true
ingress-controller: true
steps:
- name: Checkout
uses: actions/checkout@3b9b8c884f6b4bb4d5be2779c26374abadae0871
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Configure AWS credentials from shared services account
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::478566851380:role/TalosConformanceCI
aws-region: us-east-2
- uses: hashicorp/setup-terraform@v3
- name: Create Talos Cluster
run: |
cd test/conformance
./create-ci-env.sh \
--kube-proxy ${{ matrix.config.kube-proxy}} \
--talos-version ${{ matrix.talos }} \
--test $(echo "${{ matrix.config.name }}" | sed 's/ /_/g') \
--run-id ${{ github.run_id }} \
--run-no ${{ github.run_number }} \
--cilium-version ${{ matrix.cilium }} \
--owner "isovalent/terraform-aws-talos"
make apply
- name: Install Cilium CLI
uses: cilium/cilium-cli@3286926bbf80fdd0103a372256459e577224f9f6 # v0.16.20
with:
repository: cilium/cilium-cli
release-version: v0.15.20
ci-version: ""
binary-name: cilium-cli
binary-dir: /usr/local/bin
- name: Install Cilium
run: |
cd test/conformance
timeout 120 bash -c "until curl -sS https://$(terraform output -raw elb_dns_name):443 -k -m 3; do sleep 1 && echo 'waiting for apiserver'; done"
if [ $? -ne 0 ]; then
echo "API Server LB failed to become available."
exit 1
fi
# Wait another few seconds as we have multiple LB backend endpoints
sleep 10
export $(make print-kubeconfig)
kubectl create -n kube-system secret generic cilium-ipsec-keys \
--from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128"
kubectl create -n kube-system -f ipmasq-config.yaml
cilium-cli install --version="v${{ matrix.cilium }}" \
--values=values.yaml \
--set ipv4.enabled=${{ matrix.config.ipv4 }} \
--set ipv6.enabled=${{ matrix.config.ipv6 }} \
--set bpf.masquerade=${{ matrix.config.bpf-masquerade }} \
--set kubeProxyReplacement=${{ matrix.config.kube-proxy-replacement }} \
--set socketLB.enabled=${{ matrix.config.socketlb }} \
--set ipam.mode=${{ matrix.config.ipam-mode }} \
--set ingressController.enabled=${{ matrix.config.ingress-controller }} \
--set encryption.enabled=${{ matrix.config.encryption-enabled }} \
--set encryption.type=${{ matrix.config.encryption-type }} \
--set tunnelProtocol=${{ matrix.config.tunnel-mode }} \
--set nodePort.enabled=${{ matrix.config.nodeport }}
cilium-cli status --wait
- name: Run E2E Connectivity Tests
run: |
cd test/conformance
export $(make print-kubeconfig)
./wait
kubectl create ns cilium-test
kubectl label ns cilium-test pod-security.kubernetes.io/enforce=privileged
kubectl label ns cilium-test pod-security.kubernetes.io/warn=privileged
cilium-cli connectivity test --collect-sysdump-on-failure
- name: Fetch artifacts
if: ${{ !success() && steps.run-tests.outcome != 'skipped' }}
shell: bash
run: |
cd test/conformance
export $(make print-kubeconfig)
kubectl get svc -o wide -A
kubectl get pods --all-namespaces -o wide
cilium-cli status
mkdir -p cilium-sysdumps
cilium-cli sysdump --output-filename cilium-sysdump-${{ github.run_id }}-${{ github.run_number }}
- name: Upload artifacts
if: ${{ !success() }}
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
with:
name: cilium-sysdumps-${{ github.run_id }}-${{ github.run_number }}
path: ./test/conformance/cilium-sysdump-*.zip
- name: Cleanup
if: always()
run: |
cd test/conformance
make destroy
finalize:
runs-on: ubuntu-22.04
if: always()
permissions:
id-token: write
contents: read
needs: setup-and-test
steps:
- name: Send notification
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: 'C02T57KV69Y'
slack-message: "Talos AWS Terraform: <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ needs.setup-and-test.result == 'success' && 'workflow passed!> :tada::tada::tada:' || 'workflow failed!> :rotating_light::rotating_light::rotating_light:' }}"