1
name: Conformance Ingress (ci-ingress)
3
# Any change in triggers needs to be reflected in the concurrency group.
8
description: "Pull request number."
11
description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
14
description: "SHA under test (head of the PR branch)."
17
description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
28
# By specifying the access of one of the scopes, all of those that are not
29
# specified are set to 'none'.
31
# To be able to access the repository with actions/checkout
33
# To allow retrieving information from the PR API
35
# To be able to set commit status
42
# - A unique identifier depending on event type:
44
# - workflow_dispatch: PR number
46
# This structure ensures a unique concurrency group name is generated for each
47
# type of testing, such that re-runs will cancel the previous run.
49
${{ github.workflow }}
50
${{ github.event_name }}
52
(github.event_name == 'push' && github.sha) ||
53
(github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
55
cancel-in-progress: true
58
cilium_cli_ci_version:
60
# renovate: datasource=github-releases depName=kubernetes-sigs/kind
62
kind_config: .github/kind-config.yaml
67
if: ${{ github.event_name != 'push' }}
68
name: Commit Status Start
69
runs-on: ubuntu-latest
71
- name: Set initial commit status
72
uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
74
sha: ${{ inputs.SHA || github.sha }}
76
ingress-conformance-test:
77
name: Ingress Conformance Test
78
runs-on: ubuntu-latest
85
kube-proxy-replacement: true
86
enable-node-port: false
87
bpf-lb-acceleration: disabled
88
loadbalancer-mode: dedicated
89
default-ingress-controller: false
91
kube-proxy-replacement: true
92
enable-node-port: false
93
bpf-lb-acceleration: native
94
loadbalancer-mode: dedicated
95
default-ingress-controller: false
96
- name: With_Shared_LB
97
kube-proxy-replacement: true
98
enable-node-port: false
99
bpf-lb-acceleration: disabled
100
loadbalancer-mode: shared
101
default-ingress-controller: false
102
- name: With_Default_Ingress_Controller
103
kube-proxy-replacement: true
104
enable-node-port: false
105
bpf-lb-acceleration: disabled
106
loadbalancer-mode: dedicated
107
default-ingress-controller: true
109
kube-proxy-replacement: false
110
enable-node-port: true
111
bpf-lb-acceleration: disabled
112
loadbalancer-mode: dedicated
113
default-ingress-controller: false
116
- name: Checkout context ref (trusted)
117
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
119
ref: ${{ inputs.context-ref || github.sha }}
120
persist-credentials: false
122
- name: Set Environment Variables
123
uses: ./.github/actions/set-env-variables
125
- name: Install Cilium CLI
126
uses: cilium/cilium-cli@7306e3cdc6caee738157f08e3e1ba26179f104e5 # v0.15.23
128
repository: ${{ env.CILIUM_CLI_RELEASE_REPO }}
129
release-version: ${{ env.CILIUM_CLI_VERSION }}
130
ci-version: ${{ env.cilium_cli_ci_version }}
132
- name: Get Cilium's default values
134
uses: ./.github/actions/helm-default
136
image-tag: ${{ inputs.SHA }}
137
chart-dir: ./untrusted/install/kubernetes/cilium
139
- name: Set image tag
142
echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
144
CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
145
--helm-set=debug.verbose=envoy \
146
--helm-set kubeProxyReplacement=${{ matrix.kube-proxy-replacement }} \
147
--helm-set nodePort.enabled=${{ matrix.enable-node-port }} \
148
--helm-set=ingressController.enabled=true \
149
--helm-set=ingressController.loadbalancerMode=${{ matrix.loadbalancer-mode }} \
150
--helm-set=ingressController.default=${{ matrix.default-ingress-controller }} \
151
--helm-set=extraConfig.bpf-lb-acceleration=${{ matrix.bpf-lb-acceleration }} \
152
--helm-set=l2announcements.enabled=true \
153
--helm-set=devices='{eth0}'"
155
echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT
157
# Warning: since this is a privileged workflow, subsequent workflow job
158
# steps must take care not to execute untrusted code.
159
- name: Checkout pull request branch (NOT TRUSTED)
160
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
162
ref: ${{ steps.vars.outputs.sha }}
163
persist-credentials: false
166
install/kubernetes/cilium
169
- name: Create kind cluster
170
uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
172
version: ${{ env.kind_version }}
173
config: ${{ env.kind_config }}
175
- name: Checkout ingress-controller-conformance
176
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
178
# Use the forked repo with retry mechanism
179
# Please refer to https://github.com/kubernetes-sigs/ingress-controller-conformance/pull/101 for more details.
180
repository: cilium/ingress-controller-conformance
181
path: ingress-controller-conformance
182
ref: 010bbae21b71d9785660b87908dfe2ba8cd2f25d
183
persist-credentials: false
185
- name: Install Ingress conformance test tool
188
cd ingress-controller-conformance
191
- name: Wait for images to be available
195
for image in cilium-ci operator-generic-ci ; do
196
until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
199
- name: Install Cilium
202
cilium install ${{ steps.vars.outputs.cilium_install_defaults }}
204
- name: Wait for Cilium to be ready
207
kubectl get pods -n kube-system
209
- name: Install Cilium LB IPPool and L2 Announcement Policy
212
KIND_NET_CIDR=$(docker network inspect kind -f '{{(index .IPAM.Config 0).Subnet}}')
213
LB_CIDR=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.200/28@")
215
echo "Deploying LB-IPAM Pool..."
216
cat << EOF > pool.yaml
217
apiVersion: "cilium.io/v2alpha1"
218
kind: CiliumLoadBalancerIPPool
225
kubectl apply -f pool.yaml
227
echo "Deploying L2-Announcement Policy..."
228
cat << 'EOF' > l2policy.yaml
229
apiVersion: "cilium.io/v2alpha1"
230
kind: CiliumL2AnnouncementPolicy
234
loadBalancerIPs: true
239
- key: node-role.kubernetes.io/control-plane
240
operator: DoesNotExist
242
kubectl apply -f l2policy.yaml
244
- name: Create sample workload
247
kubectl apply -n default -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml
248
if [ ${{ matrix.default-ingress-controller }} = "true" ]; then
249
# remove ingressClassName line from basic-ingress.yaml
250
sed -i '/ingressClassName/d' untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml
251
kubectl apply -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml
252
kubectl wait -n default --for=condition=Ready --all pod --timeout=${{ env.timeout }}
255
kubectl apply -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml
256
kubectl wait -n default --for=condition=Ready --all pod --timeout=${{ env.timeout }}
258
- name: Run Sanity check (external)
261
lb=$(kubectl get ingress basic-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
262
curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --retry-all-errors --retry-delay 5 --fail -- http://"$lb"
264
# By now the service should be up, no need to do the manual retries for the second request
265
curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --fail -- http://"$lb"/details/1
267
- name: Run Sanity check (internal to NodePort)
268
if: ${{ matrix.kube-proxy-replacement == 'true' }}
271
if [ ${{ matrix.loadbalancer-mode }} = "dedicated" ]; then
272
node_port=$(kubectl get svc cilium-ingress-basic-ingress -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}')
274
node_port=$(kubectl get -n kube-system svc cilium-ingress -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}')
276
docker exec -i chart-testing-control-plane curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --fail http://localhost:$node_port/details/1
278
- name: Cleanup Sanity check
281
# Clean up after sanity check to avoid any conflicts with the conformance test
282
kubectl delete -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml
283
kubectl delete -n default -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml
284
kubectl wait ingress basic-ingress --for=delete
286
- name: Run Ingress conformance test
289
cd ingress-controller-conformance
290
./ingress-controller-conformance -ingress-class cilium -wait-time-for-ingress-status 60s -wait-time-for-ready 60s
292
- name: Post-test information gathering
293
if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
295
kubectl get pods --all-namespaces -o wide
297
cilium sysdump --output-filename cilium-sysdump-out-${{ matrix.name }}
298
shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
300
- name: Upload artifacts
301
if: ${{ !success() }}
302
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
304
name: cilium-sysdump-out-${{ matrix.name }}
305
path: cilium-sysdump-out-*.zip
309
if: ${{ always() && github.event_name != 'push' }}
310
name: Commit Status Final
311
needs: ingress-conformance-test
312
runs-on: ubuntu-latest
314
- name: Set final commit status
315
uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
317
sha: ${{ inputs.SHA || github.sha }}
318
status: ${{ needs.ingress-conformance-test.result }}