Talos Conformance #208
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Talos Conformance | |
on: | |
schedule: | |
# Run weekly. | |
- cron: '0 9 * * 1' | |
pull_request: | |
paths: | |
- '.github/workflows/conformance.yml' | |
workflow_dispatch: | |
jobs: | |
setup-and-test: | |
runs-on: ubuntu-22.04 | |
permissions: | |
id-token: write | |
contents: read | |
strategy: | |
fail-fast: false | |
max-parallel: 6 | |
matrix: | |
cilium: | |
# renovate: datasource=github-releases depName=cilium/cilium | |
- '1.16.3' | |
# renovate: datasource=github-releases depName=cilium/cilium | |
- '1.15.10' | |
# renovate: datasource=github-releases depName=cilium/cilium | |
- '1.14.16' | |
talos: | |
# renovate: datasource=github-releases depName=siderolabs/talos | |
- 'v1.8.2' | |
# renovate: datasource=github-releases depName=siderolabs/talos | |
- 'v1.7.7' | |
config: | |
- name: 'Vanilla' | |
kube-proxy: false | |
kube-proxy-replacement: "true" | |
socketlb: false | |
bpf-masquerade: true | |
ipam-mode: 'kubernetes' | |
ipv4: true | |
ipv6: false | |
encryption-enabled: false | |
encryption-type: ipsec | |
tunnel-mode: vxlan | |
nodeport: true | |
ingress-controller: true | |
- name: 'Wireguard' | |
kube-proxy: true | |
kube-proxy-replacement: "true" | |
socketlb: false | |
bpf-masquerade: true | |
ipam-mode: 'kubernetes' | |
ipv4: true | |
ipv6: false | |
encryption-enabled: true | |
encryption-type: wireguard | |
tunnel-mode: vxlan | |
nodeport: true | |
ingress-controller: true | |
- name: 'IPSEC' | |
kube-proxy: true | |
kube-proxy-replacement: "false" | |
socketlb: true | |
bpf-masquerade: false | |
ipam-mode: 'kubernetes' | |
ipv4: true | |
ipv6: false | |
encryption-enabled: true | |
encryption-type: ipsec | |
tunnel-mode: vxlan | |
nodeport: false | |
ingress-controller: false | |
- name: 'No KPR and w/ BPF Masq' | |
kube-proxy: true | |
kube-proxy-replacement: "false" | |
socketlb: true | |
bpf-masquerade: true | |
ipam-mode: 'kubernetes' | |
ipv4: true | |
ipv6: false | |
encryption-enabled: false | |
tunnel-mode: vxlan | |
nodeport: true | |
ingress-controller: true | |
- name: 'Clusterpool IPAM Mode' | |
kube-proxy: false | |
kube-proxy-replacement: "true" | |
socketlb: false | |
bpf-masquerade: true | |
ipam-mode: 'cluster-pool' | |
ipv4: true | |
ipv6: false | |
encryption-enabled: false | |
encryption-type: ipsec | |
tunnel-mode: vxlan | |
nodeport: true | |
ingress-controller: true | |
- name: 'With Geneve Tunnel' | |
kube-proxy: false | |
kube-proxy-replacement: "true" | |
socketlb: false | |
bpf-masquerade: true | |
ipam-mode: 'kubernetes' | |
ipv4: true | |
ipv6: false | |
encryption-enabled: false | |
encryption-type: ipsec | |
tunnel-mode: geneve | |
nodeport: true | |
ingress-controller: true | |
steps: | |
- name: Checkout | |
uses: actions/checkout@3b9b8c884f6b4bb4d5be2779c26374abadae0871 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Configure AWS credentials from shared services account | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: arn:aws:iam::478566851380:role/TalosConformanceCI | |
aws-region: us-east-2 | |
- uses: hashicorp/setup-terraform@v3 | |
- name: Create Talos Cluster | |
run: | | |
cd test/conformance | |
./create-ci-env.sh \ | |
--kube-proxy ${{ matrix.config.kube-proxy}} \ | |
--talos-version ${{ matrix.talos }} \ | |
--test $(echo "${{ matrix.config.name }}" | sed 's/ /_/g') \ | |
--run-id ${{ github.run_id }} \ | |
--run-no ${{ github.run_number }} \ | |
--cilium-version ${{ matrix.cilium }} \ | |
--owner "isovalent/terraform-aws-talos" | |
make apply | |
- name: Install Cilium CLI | |
uses: cilium/cilium-cli@3286926bbf80fdd0103a372256459e577224f9f6 # v0.16.20 | |
with: | |
repository: cilium/cilium-cli | |
release-version: v0.15.20 | |
ci-version: "" | |
binary-name: cilium-cli | |
binary-dir: /usr/local/bin | |
- name: Install Cilium | |
run: | | |
cd test/conformance | |
timeout 120 bash -c "until curl -sS https://$(terraform output -raw elb_dns_name):443 -k -m 3; do sleep 1 && echo 'waiting for apiserver'; done" | |
if [ $? -ne 0 ]; then | |
echo "API Server LB failed to become available." | |
exit 1 | |
fi | |
# Wait another few seconds as we have multiple LB backend endpoints | |
sleep 10 | |
export $(make print-kubeconfig) | |
kubectl create -n kube-system secret generic cilium-ipsec-keys \ | |
--from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" | |
kubectl create -n kube-system -f ipmasq-config.yaml | |
cilium-cli install --version="v${{ matrix.cilium }}" \ | |
--values=values.yaml \ | |
--set ipv4.enabled=${{ matrix.config.ipv4 }} \ | |
--set ipv6.enabled=${{ matrix.config.ipv6 }} \ | |
--set bpf.masquerade=${{ matrix.config.bpf-masquerade }} \ | |
--set kubeProxyReplacement=${{ matrix.config.kube-proxy-replacement }} \ | |
--set socketLB.enabled=${{ matrix.config.socketlb }} \ | |
--set ipam.mode=${{ matrix.config.ipam-mode }} \ | |
--set ingressController.enabled=${{ matrix.config.ingress-controller }} \ | |
--set encryption.enabled=${{ matrix.config.encryption-enabled }} \ | |
--set encryption.type=${{ matrix.config.encryption-type }} \ | |
--set tunnelProtocol=${{ matrix.config.tunnel-mode }} \ | |
--set nodePort.enabled=${{ matrix.config.nodeport }} | |
cilium-cli status --wait | |
- name: Run E2E Connectivity Tests | |
run: | | |
cd test/conformance | |
export $(make print-kubeconfig) | |
./wait | |
kubectl create ns cilium-test | |
kubectl label ns cilium-test pod-security.kubernetes.io/enforce=privileged | |
kubectl label ns cilium-test pod-security.kubernetes.io/warn=privileged | |
cilium-cli connectivity test --collect-sysdump-on-failure | |
- name: Fetch artifacts | |
if: ${{ !success() && steps.run-tests.outcome != 'skipped' }} | |
shell: bash | |
run: | | |
cd test/conformance | |
export $(make print-kubeconfig) | |
kubectl get svc -o wide -A | |
kubectl get pods --all-namespaces -o wide | |
cilium-cli status | |
mkdir -p cilium-sysdumps | |
cilium-cli sysdump --output-filename cilium-sysdump-${{ github.run_id }}-${{ github.run_number }} | |
- name: Upload artifacts | |
if: ${{ !success() }} | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: cilium-sysdumps-${{ github.run_id }}-${{ github.run_number }} | |
path: ./test/conformance/cilium-sysdump-*.zip | |
- name: Cleanup | |
if: always() | |
run: | | |
cd test/conformance | |
make destroy | |
finalize: | |
runs-on: ubuntu-22.04 | |
if: always() | |
permissions: | |
id-token: write | |
contents: read | |
needs: setup-and-test | |
steps: | |
- name: Send notification | |
uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0 | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
with: | |
channel-id: 'C02T57KV69Y' | |
slack-message: "Talos AWS Terraform: <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ needs.setup-and-test.result == 'success' && 'workflow passed!> :tada::tada::tada:' || 'workflow failed!> :rotating_light::rotating_light::rotating_light:' }}" | |