name: Conformance Ingress (ci-ingress)

# Any change in triggers needs to be reflected in the concurrency group.
on:
  # Dispatch-triggered run for a pull request. The inputs arrive as free-form
  # strings and are not validated in this file; context-ref and SHA are later
  # used as checkout refs, and SHA also feeds the install flags built in the
  # "Set image tag" step.
  workflow_dispatch:
    inputs:
      PR-number:
        description: "Pull request number."
        required: true
      context-ref:
        description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
        required: true
      SHA:
        description: "SHA under test (head of the PR branch)."
        required: true
      extra-args:
        description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
        required: false
        default: '{}'
  # Also runs on pushes to main and ft/main/** branches, unless every changed
  # path falls under the ignored directories below.
  push:
    branches:
      - main
      - ft/main/**
    paths-ignore:
      - 'Documentation/**'
      - 'test/**'

# By specifying the access of one of the scopes, all of those that are not
# specified are set to 'none'.
#
# These are workflow-level permissions, so every job below receives the same
# token scopes, including the test job that checks out pull request content.
# NOTE(review): only the two commit-status jobs visibly need 'statuses: write';
# scoping it per job would narrow the token for the test job. Confirm the
# local actions used there do not depend on it before changing.
permissions:
  # To be able to access the repository with actions/checkout
  contents: read
  # To allow retrieving information from the PR API
  pull-requests: read
  # To be able to set commit status
  statuses: write

concurrency:
  # Structure:
  # - Workflow name
  # - Event type
  # - A unique identifier depending on event type:
  #   - push: SHA
  #   - workflow_dispatch: PR number
  #
  # This structure ensures a unique concurrency group name is generated for each
  # type of testing, such that re-runs will cancel the previous run.
  #
  # The group is a literal block scalar, so the three parts end up on separate
  # lines of one string. For any event other than push or workflow_dispatch the
  # last expression evaluates to a falsy value.
  group: |
    ${{ github.workflow }}
    ${{ github.event_name }}
    ${{
      (github.event_name == 'push' && github.sha) ||
      (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
    }}
  cancel-in-progress: true

# Workflow-wide environment, visible to every job and step.
env:
  # Left empty here; forwarded as the 'ci-version' input of the Cilium CLI
  # install step.
  cilium_cli_ci_version:
  CILIUM_CLI_MODE: helm
  # renovate: datasource=github-releases depName=kubernetes-sigs/kind
  kind_version: v0.22.0
  # Path is resolved in the workspace root, i.e. the trusted context-ref
  # checkout, not the 'untrusted' directory.
  kind_config: .github/kind-config.yaml
  # Used as the --timeout value of the 'kubectl wait' calls below.
  timeout: 5m

jobs:
  # Reports a commit status on the SHA under test before the tests start.
  # Skipped for push events. No 'status' input is passed, so the action's
  # default applies (presumably a pending state; confirm against the action).
  commit-status-start:
    if: ${{ github.event_name != 'push' }}
    name: Commit Status Start
    runs-on: ubuntu-latest
    steps:
      # Third-party action pinned to a full commit SHA; it runs with the
      # workflow token, which carries 'statuses: write'.
      - name: Set initial commit status
        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
        with:
          sha: ${{ inputs.SHA || github.sha }}

  # Installs Cilium into a kind cluster once per matrix entry and runs the
  # ingress conformance suite against it. fail-fast is off, so one failing
  # variant does not cancel the others.
  ingress-conformance-test:
    name: Ingress Conformance Test
    runs-on: ubuntu-latest
    timeout-minutes: 120
    strategy:
      fail-fast: false
      matrix:
        # Each entry is turned into --helm-set flags by the "Set image tag"
        # step. The true/false values are YAML booleans, not strings, which
        # matters for any expression that compares them with a quoted 'true'.
        include:
        - name: Without_XDP
          kube-proxy-replacement: true
          enable-node-port: false
          bpf-lb-acceleration: disabled
          loadbalancer-mode: dedicated
          default-ingress-controller: false
        - name: With_XDP
          kube-proxy-replacement: true
          enable-node-port: false
          bpf-lb-acceleration: native
          loadbalancer-mode: dedicated
          default-ingress-controller: false
        - name: With_Shared_LB
          kube-proxy-replacement: true
          enable-node-port: false
          bpf-lb-acceleration: disabled
          loadbalancer-mode: shared
          default-ingress-controller: false
        - name: With_Default_Ingress_Controller
          kube-proxy-replacement: true
          enable-node-port: false
          bpf-lb-acceleration: disabled
          loadbalancer-mode: dedicated
          default-ingress-controller: true
        - name: Without_KPR
          kube-proxy-replacement: false
          enable-node-port: true
          bpf-lb-acceleration: disabled
          loadbalancer-mode: dedicated
          default-ingress-controller: false

    steps:
      # Checks out the trusted ref into the workspace root. The local actions
      # referenced as ./.github/actions/... in later steps are loaded from this
      # checkout. persist-credentials: false keeps the token out of the
      # checkout's git configuration.
      - name: Checkout context ref (trusted)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ inputs.context-ref || github.sha }}
          persist-credentials: false

      # Local action from the trusted checkout. Presumably this is where
      # CILIUM_CLI_RELEASE_REPO, CILIUM_CLI_VERSION and QUAY_ORGANIZATION_DEV
      # come from: later steps read them but this file does not define them.
      - name: Set Environment Variables
        uses: ./.github/actions/set-env-variables

      # Installs the cilium CLI through an action pinned to a full commit SHA.
      # ci-version is fed from the workflow-level env entry, which is empty in
      # this file.
      - name: Install Cilium CLI
        uses: cilium/cilium-cli@7306e3cdc6caee738157f08e3e1ba26179f104e5 # v0.15.23
        with:
          repository: ${{ env.CILIUM_CLI_RELEASE_REPO }}
          release-version: ${{ env.CILIUM_CLI_VERSION }}
          ci-version: ${{ env.cilium_cli_ci_version }}

      # Local action that produces the 'sha' and 'cilium_install_defaults'
      # outputs consumed by the next step. chart-dir points into ./untrusted,
      # which is only checked out further down; presumably the action just
      # records the path in the flag string rather than reading the chart.
      # NOTE(review): inputs.SHA is passed through unvalidated.
      - name: Get Cilium's default values
        id: default_vars
        uses: ./.github/actions/helm-default
        with:
          image-tag: ${{ inputs.SHA }}
          chart-dir: ./untrusted/install/kubernetes/cilium

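      # Republishes the SHA under test and builds the full 'cilium install'
      # flag string for this matrix entry as step outputs.
      #
      # The outputs of the previous step are handed to the script through
      # environment variables instead of being expanded into the script text,
      # so the shell treats their content as data rather than as part of the
      # command line. The matrix.* expressions remain inline because they are
      # static values declared in this file.
      #
      # NOTE(review): the composed string is still expanded into the script of
      # the "Install Cilium" step, and a value containing a newline would add
      # extra lines to $GITHUB_OUTPUT. Validating the SHA input before this
      # point would close both.
      - name: Set image tag
        id: vars
        env:
          DEFAULT_SHA: ${{ steps.default_vars.outputs.sha }}
          DEFAULT_INSTALL_ARGS: ${{ steps.default_vars.outputs.cilium_install_defaults }}
        run: |
          echo "sha=${DEFAULT_SHA}" >> "$GITHUB_OUTPUT"

          CILIUM_INSTALL_DEFAULTS="${DEFAULT_INSTALL_ARGS} \
            --helm-set=debug.verbose=envoy \
            --helm-set kubeProxyReplacement=${{ matrix.kube-proxy-replacement }} \
            --helm-set nodePort.enabled=${{ matrix.enable-node-port }} \
            --helm-set=ingressController.enabled=true \
            --helm-set=ingressController.loadbalancerMode=${{ matrix.loadbalancer-mode }} \
            --helm-set=ingressController.default=${{ matrix.default-ingress-controller }} \
            --helm-set=extraConfig.bpf-lb-acceleration=${{ matrix.bpf-lb-acceleration }} \
            --helm-set=l2announcements.enabled=true \
            --helm-set=devices='{eth0}'"

          # Unquoted on purpose: word splitting collapses the continuation
          # indentation into single spaces before the value is written out.
          echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> "$GITHUB_OUTPUT"
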
      # Warning: since this is a privileged workflow, subsequent workflow job
      # steps must take care not to execute untrusted code.
      #
      # The pull request content is confined to the 'untrusted' directory and
      # limited by sparse checkout to the Helm chart and the examples tree.
      # The ref is the SHA published by the "Set image tag" step, and the
      # token is not persisted into this checkout.
      - name: Checkout pull request branch (NOT TRUSTED)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ steps.vars.outputs.sha }}
          persist-credentials: false
          path: untrusted
          sparse-checkout: |
            install/kubernetes/cilium
            examples

      # Creates the kind cluster with an action pinned to a full commit SHA.
      # Both the kind version and the cluster config path come from the
      # workflow-level env; the config file is read from the trusted checkout.
      - name: Create kind cluster
        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
        with:
          version: ${{ env.kind_version }}
          config: ${{ env.kind_config }}

      # Fetches the conformance test tool sources at a fixed commit, so the
      # code built in the next step does not change with the pull request.
      - name: Checkout ingress-controller-conformance
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          # Use the forked repo with retry mechanism
          # Please refer to https://github.com/kubernetes-sigs/ingress-controller-conformance/pull/101 for more details.
          repository: cilium/ingress-controller-conformance
          path: ingress-controller-conformance
          ref: 010bbae21b71d9785660b87908dfe2ba8cd2f25d
          persist-credentials: false

      # Builds the test binary from the pinned ingress-controller-conformance
      # checkout. The Makefile that runs here comes from that checkout, not
      # from the 'untrusted' directory.
      - name: Install Ingress conformance test tool
        timeout-minutes: 10
        run: |
          cd ingress-controller-conformance
          make build

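      # Polls the registry every 45 seconds until both CI images tagged with
      # the SHA under test exist. The loop itself has no exit condition other
      # than success; the 30 minute step timeout bounds it.
      #
      # The organization and the tag reach the script as environment
      # variables and are expanded inside double quotes, so they cannot alter
      # the command line the way an inline expression expansion could.
      - name: Wait for images to be available
        timeout-minutes: 30
        shell: bash
        env:
          QUAY_ORG: ${{ env.QUAY_ORGANIZATION_DEV }}
          IMAGE_TAG: ${{ steps.vars.outputs.sha }}
        run: |
          for image in cilium-ci operator-generic-ci ; do
            until docker manifest inspect "quay.io/${QUAY_ORG}/${image}:${IMAGE_TAG}" &> /dev/null; do sleep 45s; done
          done
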
      # Installs Cilium with the flag string composed by the "Set image tag"
      # step. The string is expanded into the script text before bash runs,
      # so the shell re-parses it; that is what strips the single quotes
      # around {eth0} and splits the flags into separate arguments.
      # NOTE(review): part of the string derives from the SHA input and the
      # default_vars outputs, and nothing visible in this file validates
      # them. Consider validating the SHA format before it reaches this step.
      - name: Install Cilium
        id: install-cilium
        run: |
          cilium install ${{ steps.vars.outputs.cilium_install_defaults }}

      # Blocks until 'cilium status' reports ready, then lists the kube-system
      # pods so the job log records their state.
      - name: Wait for Cilium to be ready
        run: |
          cilium status --wait
          kubectl get pods -n kube-system

      # Creates a LoadBalancer IP pool and an L2 announcement policy.
      #
      # The pool CIDR is derived from the subnet of the 'kind' docker network
      # by rewriting a trailing "0.0/16" to "255.200/28". If the subnet does
      # not end that way the sed expression leaves it unchanged and the pool
      # would cover the whole subnet.
      #
      # The first heredoc uses an unquoted delimiter so $LB_CIDR is expanded;
      # the second uses a quoted delimiter and is written out verbatim. The
      # policy announces on eth0 from nodes without the control-plane role.
      - name: Install Cilium LB IPPool and L2 Announcement Policy
        timeout-minutes: 10
        run: |
          KIND_NET_CIDR=$(docker network inspect kind -f '{{(index .IPAM.Config 0).Subnet}}')
          LB_CIDR=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.200/28@")

          echo "Deploying LB-IPAM Pool..."
          cat << EOF > pool.yaml
          apiVersion: "cilium.io/v2alpha1"
          kind: CiliumLoadBalancerIPPool
          metadata:
            name: "pool"
          spec:
            cidrs:
              - cidr: "$LB_CIDR"
          EOF
          kubectl apply -f pool.yaml
          
          echo "Deploying L2-Announcement Policy..."
          cat << 'EOF' > l2policy.yaml
          apiVersion: "cilium.io/v2alpha1"
          kind: CiliumL2AnnouncementPolicy
          metadata:
            name: l2policy
          spec:
            loadBalancerIPs: true
            interfaces:
              - eth0
            nodeSelector:
              matchExpressions:
                - key: node-role.kubernetes.io/control-plane
                  operator: DoesNotExist
          EOF
          kubectl apply -f l2policy.yaml

      # Deploys the bookinfo sample and the basic ingress example, then waits
      # for all pods in 'default' to become Ready.
      #
      # bookinfo.yaml is downloaded at run time from the tip of istio's
      # release-1.11 branch rather than from a fixed commit, so its content
      # can change between runs.
      # basic-ingress.yaml comes from the untrusted pull request checkout; it
      # is only edited with sed and applied as a manifest, but whatever it
      # declares is created in the kind cluster.
      #
      # For the default-ingress-controller variant the ingressClassName line
      # is removed first; the manifest is then applied again by the
      # unconditional commands at the end.
      - name: Create sample workload
        timeout-minutes: 5
        run: |
          kubectl apply -n default -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml
          if [ ${{ matrix.default-ingress-controller }} = "true" ]; then
            # remove ingressClassName line from basic-ingress.yaml
            sed -i '/ingressClassName/d' untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml
            kubectl apply -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml
            kubectl wait -n default --for=condition=Ready --all pod --timeout=${{ env.timeout }}
          fi

          kubectl apply -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml
          kubectl wait -n default --for=condition=Ready --all pod --timeout=${{ env.timeout }}

      # Reads the load balancer IP assigned to basic-ingress and requests two
      # paths through it from the runner. '--' ends curl's option parsing, so
      # the value read from the cluster is always taken as a URL. If no IP has
      # been assigned yet, $lb is empty and the requests fail.
      - name: Run Sanity check (external)
        timeout-minutes: 5
        run: |
          lb=$(kubectl get ingress basic-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}')     
          curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --retry-all-errors --retry-delay 5 --fail -- http://"$lb"

          # By now the service should be up, no need to do the manual retries for the second request
          curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --fail -- http://"$lb"/details/1

      # Looks up the NodePort that serves port 80 (the per-ingress service in
      # dedicated mode, the shared cilium-ingress service otherwise) and
      # requests it from inside the kind control-plane container.
      # NOTE(review): the matrix declares kube-proxy-replacement as a YAML
      # boolean, while this condition compares it with the string 'true'.
      # Under the expression language's loose equality that comparison may
      # never be true, in which case this check is silently skipped for every
      # variant. Confirm in a run log that the step executes.
      - name: Run Sanity check (internal to NodePort)
        if: ${{ matrix.kube-proxy-replacement == 'true' }}
        timeout-minutes: 5
        run: |
          if [ ${{ matrix.loadbalancer-mode }} = "dedicated" ]; then
            node_port=$(kubectl get svc cilium-ingress-basic-ingress -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}')
          else
            node_port=$(kubectl get -n kube-system svc cilium-ingress -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}')
          fi
          docker exec -i chart-testing-control-plane curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --fail http://localhost:$node_port/details/1 

      # Removes the sample ingress and workload, then waits until the ingress
      # object is gone. The bookinfo manifest is downloaded a second time
      # from the same branch URL for the delete.
      - name: Cleanup Sanity check
        timeout-minutes: 5
        run: |
          # Clean up after sanity check to avoid any conflicts with the conformance test
          kubectl delete -n default -f untrusted/examples/kubernetes/servicemesh/basic-ingress.yaml
          kubectl delete -n default -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml
          kubectl wait ingress basic-ingress --for=delete

      # Runs the binary built from the pinned conformance checkout against the
      # 'cilium' ingress class, with 60 second waits for ingress status and
      # readiness.
      - name: Run Ingress conformance test
        timeout-minutes: 30
        run: |
          cd ingress-controller-conformance
          ./ingress-controller-conformance -ingress-class cilium -wait-time-for-ingress-status 60s -wait-time-for-ready 60s

      # Collects diagnostics when the job has not succeeded, provided the
      # install step was not skipped. The sysdump file name carries the
      # matrix entry name, a static value from this file.
      - name: Post-test information gathering
        if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
        run: |
          kubectl get pods --all-namespaces -o wide
          cilium status
          cilium sysdump --output-filename cilium-sysdump-out-${{ matrix.name }}
        shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently

      # Uploads any sysdump archive whenever the job has not succeeded, using
      # an action pinned to a full commit SHA. Artifacts are kept for 5 days.
      # A sysdump holds cluster state and logs; anyone with read access to
      # the run's artifacts can download it.
      - name: Upload artifacts
        if: ${{ !success() }}
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: cilium-sysdump-out-${{ matrix.name }}
          path: cilium-sysdump-out-*.zip
          retention-days: 5

  # Publishes the overall result of the test job as a commit status.
  # always() makes it run even when the test job failed or was cancelled;
  # push events are excluded, matching commit-status-start.
  commit-status-final:
    if: ${{ always() && github.event_name != 'push' }}
    name: Commit Status Final
    needs: ingress-conformance-test
    runs-on: ubuntu-latest
    steps:
      # Same pinned third-party action as the initial status; 'status' is the
      # aggregated result of the matrix job.
      - name: Set final commit status
        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
        with:
          sha: ${{ inputs.SHA || github.sha }}
          status: ${{ needs.ingress-conformance-test.result }}
