name: Conformance Gateway API (ci-gateway-api)

# Triggers. Any change made here needs to be reflected in the concurrency
# group defined further down in this file.
on:
  # Dispatch on behalf of a pull request. Every input below is a
  # caller-supplied string.
  workflow_dispatch:
    inputs:
      PR-number:
        required: true
        description: 'Pull request number.'
      context-ref:
        required: true
        description: >-
          Context in which the workflow runs. If PR is from a fork, will be
          the PR target branch (general case). If PR is NOT from a fork, will
          be the PR branch itself (this allows committers to test changes to
          workflows directly from PRs).
      SHA:
        required: true
        description: 'SHA under test (head of the PR branch).'
      extra-args:
        required: false
        default: '{}'
        description: >-
          [JSON object] Arbitrary arguments passed from the trigger comment
          via regex capture group. Parse with
          'fromJson(inputs.extra-args).argName' in workflow.

  # Pushes to the listed branches, unless the push only touches the ignored
  # paths.
  push:
    branches:
      - main
      - 'ft/main/**'
    paths-ignore:
      - 'Documentation/**'
      - 'test/**'

# Scopes granted to the workflow token. As soon as one scope is listed
# explicitly, every scope that is not listed is set to 'none'.
permissions:
  # Needed to set commit statuses.
  statuses: write
  # Needed to retrieve information from the PR API.
  pull-requests: read
  # Needed by actions/checkout to access the repository.
  contents: read
  # NOTE(review): 'statuses: write' is the only write scope here, and the only
  # steps in this file that visibly set a commit status live in the
  # commit-status-* jobs. Consider granting it per job instead of to the whole
  # workflow - confirm first that the local actions do not rely on it.

concurrency:
  # A re-run in the same group cancels the run that is still in progress.
  cancel-in-progress: true
  # The group name is assembled from:
  # - Workflow name
  # - Event type
  # - A unique identifier depending on event type:
  #   - push: SHA
  #   - workflow_dispatch: PR number
  #
  # so that each type of testing ends up in its own concurrency group.
  group: |
    ${{ github.workflow }}
    ${{ github.event_name }}
    ${{
      (github.event_name == 'push' && github.sha) ||
      (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
    }}

env:
  # Deliberately left without a value in this file; it is handed to the
  # "Install Cilium CLI" step as its ci-version input.
  cilium_cli_ci_version:
  CILIUM_CLI_MODE: 'helm'
  # renovate: datasource=github-releases depName=kubernetes-sigs/kind
  kind_version: v0.22.0
  kind_config: '.github/kind-config.yaml'
  # Ref of kubernetes-sigs/gateway-api used in the CRD download URLs.
  gateway_api_version: 'v1.0.0'
  # Value given to the --timeout flag of the `kubectl wait` calls.
  timeout: '5m'

jobs:
  # Sets the initial commit status; not run for push events.
  commit-status-start:
    name: Commit Status Start
    runs-on: ubuntu-latest
    if: github.event_name != 'push'
    steps:
      - name: Set initial commit status
        # Third-party action referenced by full commit SHA; the trailing
        # comment records the matching release tag.
        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
        with:
          # Falls back to the pushed commit when no SHA input is present.
          sha: ${{ inputs.SHA || github.sha }}

  gateway-api-conformance-test:
    name: Gateway API Conformance Test
    runs-on: ubuntu-latest
    timeout-minutes: 120
    strategy:
      # Every matrix entry runs to completion even when another entry fails.
      fail-fast: false
      matrix:
        # Key order inside each entry is kept as-is: a later step joins
        # matrix.* into a file name.
        include:
          - crd-channel: experimental
            conformance-profile: false
          - crd-channel: standard
            conformance-profile: false
          - crd-channel: experimental
            conformance-profile: true
    steps:
      # Trusted checkout into the workspace root. The token is not persisted
      # in the local git config (persist-credentials: false).
      - name: Checkout context ref (trusted)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false
          ref: ${{ inputs.context-ref || github.sha }}

      # Local action, resolved from the workspace checked out above.
      - name: Set Environment Variables
        uses: ./.github/actions/set-env-variables

      # CILIUM_CLI_RELEASE_REPO and CILIUM_CLI_VERSION are not defined in this
      # file - presumably exported by the previous step; verify.
      - name: Install Cilium CLI
        uses: cilium/cilium-cli@7306e3cdc6caee738157f08e3e1ba26179f104e5 # v0.15.23
        with:
          ci-version: ${{ env.cilium_cli_ci_version }}
          release-version: ${{ env.CILIUM_CLI_VERSION }}
          repository: ${{ env.CILIUM_CLI_RELEASE_REPO }}

      # Local action again. Its 'sha' and 'cilium_install_defaults' outputs
      # are consumed by the "Set image tag" step.
      # NOTE(review): chart-dir points below ./untrusted, which is only
      # populated by the later pull-request checkout - presumably the path is
      # merely recorded at this point; confirm against the action.
      - name: Get Cilium's default values
        id: default_vars
        uses: ./.github/actions/helm-default
        with:
          chart-dir: ./untrusted/install/kubernetes/cilium
          image-tag: ${{ inputs.SHA }}

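      # Publishes the step outputs used by the rest of the job:
      #   sha                     - image tag / commit under test
      #   cilium_install_defaults - flags for `cilium install`
      #   skipped_tests           - value for `go test -test.skip`
      #   exempt-features         - value for `--exempt-features`
      - name: Set image tag
        id: vars
        # Values are handed to the script through the environment rather than
        # expanded into the script text, so that shell metacharacters in an
        # action output or input cannot change what the script executes.
        env:
          DEFAULT_SHA: ${{ steps.default_vars.outputs.sha }}
          DEFAULT_INSTALL_ARGS: ${{ steps.default_vars.outputs.cilium_install_defaults }}
          CRD_CHANNEL: ${{ matrix.crd-channel }}
        run: |
          echo "sha=${DEFAULT_SHA}" >> "$GITHUB_OUTPUT"

          # No tests are skipped at the moment. The variable is initialised
          # explicitly because it is written to the outputs below.
          SKIPPED_TESTS=""

          EXEMPT_FEATURES="GatewayPort8080,GatewayStaticAddresses,Mesh"
          if [ "${CRD_CHANNEL}" = "standard" ]; then
            EXEMPT_FEATURES+=",HTTPRouteParentRefPort,HTTPRouteDestinationPortMatching,HTTPRouteRequestTimeout,HTTPRouteBackendTimeout"
          fi

          CILIUM_INSTALL_DEFAULTS="${DEFAULT_INSTALL_ARGS} \
            --helm-set=debug.verbose=envoy \
            --helm-set kubeProxyReplacement=true \
            --helm-set=gatewayAPI.enabled=true \
            --helm-set=l2announcements.enabled=true \
            --helm-set=devices='{eth0}'"

          # Left unquoted on purpose: word splitting collapses the indentation
          # of the continuation lines above, so the output stays a single line
          # with single spaces between the flags.
          echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> "$GITHUB_OUTPUT"
          echo "skipped_tests=${SKIPPED_TESTS}" >> "$GITHUB_OUTPUT"
          echo "exempt-features=${EXEMPT_FEATURES}" >> "$GITHUB_OUTPUT"
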
      # Warning: this is a privileged workflow, so every step after this one
      # must take care not to execute untrusted code.
      #
      # The pull-request content is kept apart from the trusted workspace: it
      # lands in ./untrusted, only the two listed directories are checked out,
      # and the token is not persisted in the local git config.
      - name: Checkout pull request branch (NOT TRUSTED)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          path: untrusted
          ref: ${{ steps.vars.outputs.sha }}
          persist-credentials: false
          sparse-checkout: |
            install/kubernetes/cilium
            examples

      # kind version and cluster config both come from the workflow-level env
      # block; the config file path is relative to the trusted checkout.
      - name: Create kind cluster
        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
        with:
          config: ${{ env.kind_config }}
          version: ${{ env.kind_version }}

      # Go is needed for `go install` and `go test` in the steps below.
      - name: Install Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          # renovate: datasource=golang-version depName=go
          go-version: 1.22.0

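      # Polls the registry every 45 seconds until both CI images exist for the
      # tag under test; the step timeout bounds the wait.
      - name: Wait for images to be available
        timeout-minutes: 30
        shell: bash
        # The organization and the tag reach the script as environment
        # variables instead of being expanded into the script text, so their
        # content cannot alter the commands that run.
        env:
          IMAGE_REPO_PREFIX: quay.io/${{ env.QUAY_ORGANIZATION_DEV }}
          IMAGE_TAG: ${{ steps.vars.outputs.sha }}
        run: |
          for image in cilium-ci operator-generic-ci; do
            until docker manifest inspect "${IMAGE_REPO_PREFIX}/${image}:${IMAGE_TAG}" &> /dev/null; do
              sleep 45s
            done
          done
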
      # NOTE(review): the manifests are downloaded at run time from the ref in
      # env.gateway_api_version. If that ref is a tag it can be moved
      # upstream; a commit SHA or a checksum check would make the input
      # immutable.
      - name: Install Gateway API CRDs
        run: |
          crd_base="https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd"

          # Install Gateway CRDs from the channel selected by the matrix
          for crd in gatewayclasses gateways httproutes referencegrants; do
            kubectl apply -f "${crd_base}/${{ matrix.crd-channel }}/gateway.networking.k8s.io_${crd}.yaml"
          done

          # TLSRoute (experimental-only as of v0.7.0, per the original note)
          # and GRPCRoute are always taken from the experimental channel.
          for crd in tlsroutes grpcroutes; do
            kubectl apply -f "${crd_base}/experimental/gateway.networking.k8s.io_${crd}.yaml"
          done

          # To make sure that Gateway API CRs are available
          for crd in gatewayclasses gateways httproutes tlsroutes grpcroutes referencegrants; do
            kubectl wait --for condition=Established "crd/${crd}.gateway.networking.k8s.io" --timeout=${{ env.timeout }}
          done

      # The flag string is expanded into the script text here: it has to be
      # split into separate arguments, and the quotes that "Set image tag"
      # puts around the devices value are meant to be parsed by the shell.
      # NOTE(review): because of that, whatever the helm-default action puts
      # into its output is parsed as shell at this point; keep that action's
      # output limited to validated values.
      - name: Install Cilium
        id: install-cilium
        run: cilium install ${{ steps.vars.outputs.cilium_install_defaults }}

      # Blocks until Cilium reports ready, then lists the kube-system pods.
      - name: Wait for Cilium status to be ready
        run: |
          cilium status --wait
          kubectl -n kube-system get pods

      # Carves a /28 out of the kind docker network for LB-IPAM and announces
      # the allocated addresses on eth0 from the non-control-plane nodes.
      - name: Install Cilium LB IPPool and L2 Announcement Policy
        timeout-minutes: 10
        run: |
          # Subnet of the first IPAM entry of the 'kind' docker network.
          # NOTE(review): the rewrite below only matches a subnet ending in
          # 0.0/16 - presumably the first entry is always the IPv4 /16; verify.
          kind_subnet=$(docker network inspect kind -f '{{(index .IPAM.Config 0).Subnet}}')
          LB_CIDR=$(sed "s@0.0/16@255.200/28@" <<< "${kind_subnet}")

          echo "Deploying LB-IPAM Pool..."
          # Unquoted delimiter: $LB_CIDR is expanded inside the document.
          cat << EOF > pool.yaml
          apiVersion: "cilium.io/v2alpha1"
          kind: CiliumLoadBalancerIPPool
          metadata:
            name: "pool"
          spec:
            cidrs:
              - cidr: "$LB_CIDR"
          EOF
          kubectl apply -f pool.yaml

          echo "Deploying L2-Announcement Policy..."
          # Quoted delimiter: the document is written out verbatim.
          cat << 'EOF' > l2policy.yaml
          apiVersion: "cilium.io/v2alpha1"
          kind: CiliumL2AnnouncementPolicy
          metadata:
            name: l2policy
          spec:
            loadBalancerIPs: true
            interfaces:
              - eth0
            nodeSelector:
              matchExpressions:
                - key: node-role.kubernetes.io/control-plane
                  operator: DoesNotExist
          EOF
          kubectl apply -f l2policy.yaml

      - name: Run simple Gateway API GRPCRoute test (temporary till upstream conformance tests)
        timeout-minutes: 10
        run: |
          # This manifest comes from the NOT TRUSTED pull-request checkout; it
          # is applied to the kind cluster created earlier in this job.
          kubectl apply -f untrusted/examples/kubernetes/gateway/grpc-route.yaml

          # Install grpcurl binary
          # NOTE(review): '@latest' is resolved at run time, unlike the actions
          # in this file, which are pinned to commit SHAs. Pinning a released
          # version would keep this privileged job reproducible.
          go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latest

          # Wait for the deployment
          kubectl wait --for=condition=Available --all deployment --timeout=${{ env.timeout }}

          # Address assigned to the gateway service by the load balancer.
          gateway_ip=$(kubectl get services cilium-gateway-grpc -o json | jq -r '.status.loadBalancer.ingress[0].ip')

          # Same Ping call twice: once over gRPC, once as grpc-web over HTTP.
          grpcurl -plaintext -authority=my-grpc-service.foo.com "${gateway_ip}:80" yages.Echo/Ping
          curl -s -v --fail "${gateway_ip}/yages.Echo/Ping" \
            -X POST \
            -H 'Host: my-grpc-service.foo.com' \
            -H 'Content-Type: application/grpc-web-text' \
            -H 'Accept: application/grpc-web-text' \
            -d 'AAAAAAA='

      # Runs the conformance suite from ./operator/pkg/gateway-api in the
      # workspace root, i.e. from the trusted checkout. The matrix decides
      # whether the profile run (with a report) or the plain run is executed.
      - name: Run Gateway API conformance test
        timeout-minutes: 30
        run: |
          # Arguments shared by both variants.
          test_args=(
            -p 4
            -v ./operator/pkg/gateway-api
            --gateway-class cilium
            --all-features
            --exempt-features "${{ steps.vars.outputs.exempt-features }}"
          )

          if [ ${{ matrix.conformance-profile }} == "true" ]; then
            # Profile run: also writes report.yaml.
            test_args+=(
              --conformance-profiles HTTP,TLS
              --organization cilium
              --project cilium
              --url github.com/cilium/cilium
              --version main
              --contact https://github.com/cilium/community/blob/main/roles/Maintainers.md
              --report-output report.yaml
              -test.run "TestExperimentalConformance"
            )
          else
            test_args+=(-test.run "TestConformance")
          fi

          test_args+=(-test.skip "${{ steps.vars.outputs.skipped_tests }}")

          GATEWAY_API_CONFORMANCE_TESTS=1 go test "${test_args[@]}"

      # Only the profile run writes report.yaml, so a missing file is ignored.
      - name: Upload report artifacts
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: report-${{ matrix.conformance-profile }}-${{ matrix.crd-channel }}.yaml
          path: operator/pkg/gateway-api/report.yaml
          if-no-files-found: ignore
          retention-days: 5

      # Diagnostics for runs that did not succeed, provided the Cilium install
      # step was not skipped.
      - name: Post-test information gathering
        if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
        # Disable default fail-fast behaviour so that all commands run independently
        shell: bash {0}
        run: |
          kubectl get pods --all-namespaces -o wide
          cilium status
          cilium sysdump --output-filename cilium-sysdump-out-${{ join(matrix.*, '-') }}

      # Publishes the sysdump archive(s) written above; kept for 5 days.
      - name: Upload artifacts
        if: ${{ !success() }}
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: cilium-sysdump-out-${{ matrix.conformance-profile }}-${{ matrix.crd-channel }}
          path: cilium-sysdump-out-*.zip
          retention-days: 5

  # Reports the result of the conformance job as the commit status. Runs even
  # when that job failed or was cancelled; not run for push events.
  commit-status-final:
    name: Commit Status Final
    runs-on: ubuntu-latest
    needs: gateway-api-conformance-test
    if: always() && github.event_name != 'push'
    steps:
      - name: Set final commit status
        # Third-party action referenced by full commit SHA; the trailing
        # comment records the matching release tag.
        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
        with:
          status: ${{ needs.gateway-api-conformance-test.result }}
          sha: ${{ inputs.SHA || github.sha }}