name: Conformance Gateway API (ci-gateway-api)
# Any change in triggers needs to be reflected in the concurrency group.
description: "Pull request number."
description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
description: "SHA under test (head of the PR branch)."
description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
# By specifying the access of one of the scopes, all of those that are not
# specified are set to 'none'.
# To be able to access the repository with actions/checkout
# To allow retrieving information from the PR API
# To be able to set commit status
# - A unique identifier depending on event type:
# - workflow_dispatch: PR number
# This structure ensures a unique concurrency group name is generated for each
# type of testing, such that re-runs will cancel the previous run.
${{ github.workflow }}
${{ github.event_name }}
(github.event_name == 'push' && github.sha) ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
cancel-in-progress: true
cilium_cli_ci_version:
# renovate: datasource=github-releases depName=kubernetes-sigs/kind
kind_config: .github/kind-config.yaml
gateway_api_version: v1.0.0
if: ${{ github.event_name != 'push' }}
name: Commit Status Start
runs-on: ubuntu-latest
- name: Set initial commit status
uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
sha: ${{ inputs.SHA || github.sha }}
gateway-api-conformance-test:
name: Gateway API Conformance Test
runs-on: ubuntu-latest
- crd-channel: experimental
conformance-profile: false
- crd-channel: standard
conformance-profile: false
- crd-channel: experimental
conformance-profile: true
- name: Checkout context ref (trusted)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
ref: ${{ inputs.context-ref || github.sha }}
persist-credentials: false
- name: Set Environment Variables
uses: ./.github/actions/set-env-variables
- name: Install Cilium CLI
uses: cilium/cilium-cli@7306e3cdc6caee738157f08e3e1ba26179f104e5 # v0.15.23
repository: ${{ env.CILIUM_CLI_RELEASE_REPO }}
release-version: ${{ env.CILIUM_CLI_VERSION }}
ci-version: ${{ env.cilium_cli_ci_version }}
- name: Get Cilium's default values
uses: ./.github/actions/helm-default
image-tag: ${{ inputs.SHA }}
chart-dir: ./untrusted/install/kubernetes/cilium
- name: Set image tag
echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
EXEMPT_FEATURES="GatewayPort8080,GatewayStaticAddresses,Mesh"
if [ ${{ matrix.crd-channel }} == "standard" ]; then
EXEMPT_FEATURES+=",HTTPRouteParentRefPort,HTTPRouteDestinationPortMatching,HTTPRouteRequestTimeout,HTTPRouteBackendTimeout"
# Assemble the flags for `cilium install`: the defaults reported by the
# default_vars step come first, followed by the Helm overrides this job needs.
# NOTE(review): GitHub expression placeholders are substituted into the script
# text before bash parses it, so the step output lands inside this
# double-quoted string unescaped. This listing does not show how default_vars
# builds that output (presumably the helm-default step, which is handed a
# chart-dir under ./untrusted) - confirm it cannot carry PR-controlled text,
# or pass it to the script through an env: variable instead.
CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
  --helm-set=debug.verbose=envoy \
  --helm-set kubeProxyReplacement=true \
  --helm-set=gatewayAPI.enabled=true \
  --helm-set=l2announcements.enabled=true \
  --helm-set=devices='{eth0}'"

# Publish the step outputs. The expansions are left unquoted, as before, so
# runs of whitespace collapse to single spaces before each line is appended.
# SKIPPED_TESTS and EXEMPT_FEATURES are set outside the lines shown here.
{
  echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS}
  echo skipped_tests=${SKIPPED_TESTS}
  echo exempt-features=${EXEMPT_FEATURES}
} >> $GITHUB_OUTPUT
# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
ref: ${{ steps.vars.outputs.sha }}
persist-credentials: false
install/kubernetes/cilium
- name: Create kind cluster
uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
version: ${{ env.kind_version }}
config: ${{ env.kind_config }}
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
# renovate: datasource=golang-version depName=go
- name: Wait for images to be available
for image in cilium-ci operator-generic-ci ; do
until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
- name: Install Gateway API CRDs
# Install the Gateway API CRDs for the channel selected by the job matrix.
# NOTE(review): the manifests are downloaded from raw.githubusercontent.com at
# the tag held in env.gateway_api_version. A tag can be moved, unlike the
# commit-SHA pins used for the actions in this workflow; consider a commit SHA
# or a checksum check so this job only ever applies the manifests it expects.
crd_base="https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd"
for crd in gatewayclasses gateways httproutes referencegrants; do
  kubectl apply -f "${crd_base}/${{ matrix.crd-channel }}/gateway.networking.k8s.io_${crd}.yaml"
done

# TLSRoute and GRPCRoute are always taken from the experimental channel,
# whatever the matrix channel is. (The original comment ties this to v0.7.0 -
# TODO confirm it still holds for the version pinned in env.gateway_api_version.)
for crd in tlsroutes grpcroutes; do
  kubectl apply -f "${crd_base}/experimental/gateway.networking.k8s.io_${crd}.yaml"
done

# Block until the API server reports every CRD as Established, so that the
# later steps can create Gateway API resources.
for crd in gatewayclasses gateways httproutes tlsroutes grpcroutes referencegrants; do
  kubectl wait --for condition=Established "crd/${crd}.gateway.networking.k8s.io" --timeout=${{ env.timeout }}
done
- name: Install Cilium
cilium install ${{ steps.vars.outputs.cilium_install_defaults }}
- name: Wait for Cilium status to be ready
kubectl -n kube-system get pods
- name: Install Cilium LB IPPool and L2 Announcement Policy
KIND_NET_CIDR=$(docker network inspect kind -f '{{(index .IPAM.Config 0).Subnet}}')
LB_CIDR=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.200/28@")
echo "Deploying LB-IPAM Pool..."
cat << EOF > pool.yaml
apiVersion: "cilium.io/v2alpha1"
kind: CiliumLoadBalancerIPPool
kubectl apply -f pool.yaml
echo "Deploying L2-Announcement Policy..."
cat << 'EOF' > l2policy.yaml
apiVersion: "cilium.io/v2alpha1"
kind: CiliumL2AnnouncementPolicy
loadBalancerIPs: true
- key: node-role.kubernetes.io/control-plane
operator: DoesNotExist
kubectl apply -f l2policy.yaml
- name: Run simple Gateway API GRPCRoute test (temporary till upstream conformance tests)
kubectl apply -f untrusted/examples/kubernetes/gateway/grpc-route.yaml
# Install grpcurl binary
# NOTE(review): @latest is not pinned, so every run builds whichever grpcurl
# release is current at that moment, inside a job this workflow itself calls
# privileged. Pin a released version and let Renovate bump it, as the
# renovate-annotated tool versions elsewhere in this file are handled.
go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latest
# Wait for the deployment
kubectl wait --for=condition=Available --all deployment --timeout=${{ env.timeout }}
lb=$(kubectl get services cilium-gateway-grpc -o json | jq '.status.loadBalancer.ingress[0].ip' | jq -r .)
grpcurl -plaintext -authority=my-grpc-service.foo.com $lb:80 yages.Echo/Ping
curl -s -v --fail $lb/yages.Echo/Ping \
-H 'Host: my-grpc-service.foo.com' \
-H 'Content-Type: application/grpc-web-text' \
-H 'Accept: application/grpc-web-text' \
- name: Run Gateway API conformance test
if [ ${{ matrix.conformance-profile }} == "true" ]; then
GATEWAY_API_CONFORMANCE_TESTS=1 go test \
-v ./operator/pkg/gateway-api \
--gateway-class cilium \
--exempt-features "${{ steps.vars.outputs.exempt-features }}" \
--conformance-profiles HTTP,TLS \
--organization cilium \
--url github.com/cilium/cilium \
--contact https://github.com/cilium/community/blob/main/roles/Maintainers.md \
--report-output report.yaml \
-test.run "TestExperimentalConformance" \
-test.skip "${{ steps.vars.outputs.skipped_tests }}"
GATEWAY_API_CONFORMANCE_TESTS=1 go test \
-v ./operator/pkg/gateway-api \
--gateway-class cilium \
--exempt-features "${{ steps.vars.outputs.exempt-features }}" \
-test.run "TestConformance" \
-test.skip "${{ steps.vars.outputs.skipped_tests }}"
- name: Upload report artifacts
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
name: report-${{ matrix.conformance-profile }}-${{ matrix.crd-channel }}.yaml
path: operator/pkg/gateway-api/report.yaml
if-no-files-found: ignore
- name: Post-test information gathering
if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
kubectl get pods --all-namespaces -o wide
cilium sysdump --output-filename cilium-sysdump-out-${{ join(matrix.*, '-') }}
shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
- name: Upload artifacts
if: ${{ !success() }}
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
name: cilium-sysdump-out-${{ matrix.conformance-profile }}-${{ matrix.crd-channel }}
path: cilium-sysdump-out-*.zip
if: ${{ always() && github.event_name != 'push' }}
name: Commit Status Final
needs: gateway-api-conformance-test
runs-on: ubuntu-latest
- name: Set final commit status
uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
sha: ${{ inputs.SHA || github.sha }}
status: ${{ needs.gateway-api-conformance-test.result }}