name: Conformance Multi Pool IPAM (ci-multi-pool)

# Any change in triggers needs to be reflected in the concurrency group.
on:
  # Per-pull-request dispatch. Every input arrives as a plain string supplied
  # by the dispatcher, so job steps should handle the values as data.
  workflow_dispatch:
    inputs:
      PR-number:
        required: true
        description: 'Pull request number.'
      context-ref:
        required: true
        description: >-
          Context in which the workflow runs. If PR is from a fork, will be
          the PR target branch (general case). If PR is NOT from a fork, will
          be the PR branch itself (this allows committers to test changes to
          workflows directly from PRs).
      SHA:
        required: true
        description: 'SHA under test (head of the PR branch).'
      extra-args:
        required: false
        default: '{}'
        description: >-
          [JSON object] Arbitrary arguments passed from the trigger comment
          via regex capture group. Parse with
          'fromJson(inputs.extra-args).argName' in workflow.

  # Pushes to the listed branches, unless only documentation changed.
  push:
    branches:
      - main
      - 'ft/main/**'
    paths-ignore:
      - 'Documentation/**'

# Naming any scope switches every scope that is not listed to 'none', so the
# token carries only the three grants below.
permissions:
  # Lets actions/checkout read the repository
  contents: read
  # Lets the workflow retrieve information from the PR API
  pull-requests: read
  # Needed to set commit statuses; the only write scope granted
  statuses: write

concurrency:
  # A re-run that resolves to the same group name cancels the run that is
  # still in progress.
  cancel-in-progress: true
  # The group name is made of:
  #   1. the workflow name
  #   2. the event type
  #   3. an identifier that depends on the event type:
  #        push              -> SHA
  #        workflow_dispatch -> PR number
  # so each kind of test run gets its own group.
  group: |
    ${{ github.workflow }}
    ${{ github.event_name }}
    ${{
      (github.event_name == 'push' && github.sha) ||
      (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
    }}

env:
  kind_config: .github/kind-config.yaml
  timeout: 5m
  # Empty in this file; handed to the Cilium CLI install step as 'ci-version'.
  cilium_cli_ci_version:
  # renovate: datasource=github-releases depName=kubernetes-sigs/kind
  kind_version: v0.22.0

jobs:
  # Skipped for push events; sets a commit status on the SHA under test.
  commit-status-start:
    name: Commit Status Start
    if: github.event_name != 'push'
    runs-on: ubuntu-latest
    steps:
      - name: Set initial commit status
        # Third-party action referenced by full commit SHA; the tag is kept in
        # the trailing comment for readability only.
        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
        with:
          sha: ${{ inputs.SHA || github.sha }}

  multi-pool-ipam-conformance-test:
    name: Install and Connectivity Test
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
      # The workspace root (and with it the local ./.github/actions used
      # below) comes from the context ref, not from the pull request head.
      # The checkout token is not left behind in the git configuration.
      - name: Checkout context ref (trusted)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          persist-credentials: false
          ref: ${{ inputs.context-ref || github.sha }}

      - name: Set Environment Variables
        uses: ./.github/actions/set-env-variables

      - name: Install Cilium CLI
        uses: cilium/cilium-cli@7306e3cdc6caee738157f08e3e1ba26179f104e5 # v0.15.23
        with:
          ci-version: ${{ env.cilium_cli_ci_version }}
          release-version: ${{ env.CILIUM_CLI_VERSION }}
          repository: ${{ env.CILIUM_CLI_RELEASE_REPO }}

      # NOTE(review): chart-dir points below ./untrusted, which is only checked
      # out by a later step. Presumably this action just records the path and
      # does not read chart files at this point - confirm in the action.
      - name: Get Cilium's default values
        id: default_vars
        uses: ./.github/actions/helm-default
        with:
          chart-dir: ./untrusted/install/kubernetes/cilium
          image-tag: ${{ inputs.SHA }}

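      - name: Set up job variables
        id: vars
        # Dispatch inputs and the pushed ref name reach the script through
        # environment variables, so their content is handled as data and is
        # never parsed as shell source.
        env:
          EVENT_NAME: ${{ github.event_name }}
          DISPATCH_CONTEXT_REF: ${{ inputs.context-ref }}
          DISPATCH_PR_NUMBER: ${{ inputs.PR-number }}
          PUSH_SHA: ${{ github.sha }}
          PUSH_REF_NAME: ${{ github.ref_name }}
          DEFAULT_SHA: ${{ steps.default_vars.outputs.sha }}
        run: |
          # Write one key=value step output. CR/LF are removed from the value
          # so that it cannot add further lines to the output file.
          set_output() {
            printf '%s=%s\n' "$1" "$(printf '%s' "$2" | tr -d '\r\n')" >> "$GITHUB_OUTPUT"
          }

          if [ "${EVENT_NAME}" = "workflow_dispatch" ]; then
            CONTEXT_REF="${DISPATCH_CONTEXT_REF}"
            OWNER="${DISPATCH_PR_NUMBER}"
          else
            CONTEXT_REF="${PUSH_SHA}"
            OWNER="${PUSH_REF_NAME}"
            # Replace the first '.' of the ref name with '-'.
            OWNER="${OWNER/./-}"
          fi

          set_output sha "${DEFAULT_SHA}"
          set_output context-ref "${CONTEXT_REF}"
          set_output owner "${OWNER}"

          # Notes:
          #  - Multi-pool IPAM only supports direct routing, thus we disable
          #    tunnel mode and enable auto-direct-routes.
          #  - Multi-pool IPAM only supports endpoint routes, thus we disable
          #    the local-node-route.
          #  - helm/kind-action does not support BPF host routing, so we fall
          #    back on legacy host routing (#23283)
          #  - iptables-based masquerading does not support multiple non-masquerade
          #    CIDRs. Thus, we enable BPF masquerading where we can add multiple
          #    non-masquerade CIDRs.
          #
          # NOTE(review): the helm-default output on the next line is still
          # pasted into the script text, and later steps paste the combined
          # string into their own command lines. Whatever helm-default derives
          # from the SHA input therefore has to be shell-safe - confirm in
          # that action.
          CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
            --helm-set=hubble.relay.enabled=true \
            --helm-set=autoDirectNodeRoutes=true \
            --helm-set=routingMode=native \
            --helm-set=endpointRoutes.enabled=true \
            --helm-set=kubeProxyReplacement=true \
            --helm-set=bpf.masquerade=true \
            --helm-set=bpf.hostLegacyRouting=true \
            --helm-set=ipMasqAgent.enabled=true \
            --helm-set=ipMasqAgent.config.nonMasqueradeCIDRs='{10.0.0.0/8,192.168.0.0/16}' \
            --helm-set=ipam.mode=multi-pool \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.cidrs='{10.10.0.0/16}' \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.maskSize=24 \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.cidrs='{10.20.0.0/16}' \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.maskSize=24 \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.cidrs='{192.168.0.0/20}' \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.maskSize=27 \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.cidrs='{192.168.16.0/20}' \
            --helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.maskSize=27"

          CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \
            --external-target bing.com --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8 \
            --namespace-annotations='{\"ipam.cilium.io/ip-pool\":\"cilium-test-pool\"}' \
            --deployment-pod-annotations='{ \
                \"client\":{\"ipam.cilium.io/ip-pool\":\"client-pool\"}, \
                \"echo-other-node\":{\"ipam.cilium.io/ip-pool\":\"echo-other-node-pool\"} \
            }'"

          # Left unquoted so that the runs of spaces produced by the line
          # continuations above collapse into single separators.
          echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> "$GITHUB_OUTPUT"
          echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> "$GITHUB_OUTPUT"
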
      # Warning: this workflow is privileged, so the steps that follow must
      # take care not to execute untrusted code from this checkout.
      - name: Checkout pull request branch (NOT TRUSTED)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ steps.vars.outputs.sha }}
          # Kept in its own directory, limited to the Helm chart path, and
          # checked out without stored credentials.
          path: untrusted
          sparse-checkout: |
            install/kubernetes/cilium
          persist-credentials: false

      - name: Create kind cluster
        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
        with:
          config: ${{ env.kind_config }}
          version: ${{ env.kind_version }}

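      - name: Wait for images to be available
        timeout-minutes: 30
        shell: bash
        # Registry organisation and image tag are handed over as environment
        # variables and quoted below, so they are only ever used as data
        # inside the image reference.
        env:
          QUAY_ORG: ${{ env.QUAY_ORGANIZATION_DEV }}
          IMAGE_TAG: ${{ steps.vars.outputs.sha }}
        run: |
          # Poll every 45s until each CI image has a manifest in the registry.
          # All inspect errors are discarded, so the step-level timeout is the
          # only bound on the wait.
          for image in cilium-ci operator-generic-ci hubble-relay-ci; do
            until docker manifest inspect "quay.io/${QUAY_ORG}/${image}:${IMAGE_TAG}" &> /dev/null; do
              sleep 45s
            done
          done
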
      # The argument string contains shell quoting ('{...}' values), which
      # bash parses once the string is expanded into this command line.
      - name: Install Cilium
        id: install-cilium
        run: |
          CILIUM_CLI_MODE=helm cilium install ${{ steps.vars.outputs.cilium_install_defaults }}

      - name: Wait for Cilium status to be ready
        run: |
          cilium status --wait
          kubectl -n kube-system get pods

      - name: Port forward Relay
        run: |
          cilium hubble port-forward&
          sleep 10s
          # The step passes only if exactly two matching processes exist.
          [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]]

      - name: Make JUnit report directory
        run: mkdir -p cilium-junits

      # NOTE(review): job_name is not part of this file's env block;
      # presumably it is exported by the set-env-variables action - confirm.
      - name: Run connectivity test
        run: |
          cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \
            --junit-file "cilium-junits/${{ env.job_name }} - 1.xml" --junit-property github_job_step="Run connectivity test"

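      # Records one 'name=value' step output per test pod (its pod IP) and per
      # pool (its first IPv4 CIDR).
      - name: Collect Pod and Pool IPs
        id: ips
        run: |
          for pod in client client2 echo-same-node echo-other-node; do
            kubectl get pod -n cilium-test -l "name=${pod}" -o jsonpath="${pod}={.items[*].status.podIP}{'\n'}" >> "$GITHUB_OUTPUT"
          done

          for pool in cilium-test-pool client-pool echo-other-node-pool; do
            kubectl get ciliumpodippool "${pool}" -o "jsonpath=${pool}={.spec.ipv4.cidrs[0]}{'\n'}" >> "$GITHUB_OUTPUT"
          done

      - name: Validate Pod IPs
        shell: python
        # The collected addresses and CIDRs are passed as environment
        # variables and read through os.environ, so they are parsed as values
        # and never become part of the Python source.
        env:
          CLIENT_IP: ${{ steps.ips.outputs.client }}
          CLIENT2_IP: ${{ steps.ips.outputs.client2 }}
          ECHO_SAME_NODE_IP: ${{ steps.ips.outputs.echo-same-node }}
          ECHO_OTHER_NODE_IP: ${{ steps.ips.outputs.echo-other-node }}
          CILIUM_TEST_POOL: ${{ steps.ips.outputs.cilium-test-pool }}
          CLIENT_POOL: ${{ steps.ips.outputs.client-pool }}
          ECHO_OTHER_NODE_POOL: ${{ steps.ips.outputs.echo-other-node-pool }}
        run: |
          import os
          from ipaddress import ip_address, ip_network

          # (pod IP variable, pool CIDR variable, message on mismatch)
          checks = [
              ("CLIENT_IP", "CLIENT_POOL", "client pool mismatch"),
              ("CLIENT2_IP", "CILIUM_TEST_POOL", "client2 pool mismatch"),
              ("ECHO_SAME_NODE_IP", "CILIUM_TEST_POOL", "echo-same-node pool mismatch"),
              ("ECHO_OTHER_NODE_IP", "ECHO_OTHER_NODE_POOL", "echo-other-node pool mismatch"),
          ]

          for ip_var, pool_var, message in checks:
              assert ip_address(os.environ[ip_var]) in ip_network(os.environ[pool_var]), message
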
      # Runs when an earlier step did not succeed, unless the install step was
      # skipped.
      - name: Post-test information gathering
        if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
        shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
        run: |
          kubectl get pods --all-namespaces -o wide
          cilium status
          cilium sysdump --output-filename cilium-sysdump-out

      # Sysdump archives are uploaded on failure only and kept for five days.
      - name: Upload artifacts
        if: ${{ !success() }}
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: cilium-sysdump-out.zip
          path: cilium-sysdump-*.zip
          retention-days: 5

      # JUnit reports are uploaded whatever the job outcome.
      - name: Upload JUnits [junit]
        if: always()
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: cilium-junits
          path: cilium-junits/*.xml
          retention-days: 5

      - name: Publish Test Results As GitHub Summary
        if: always()
        uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
        with:
          junit-directory: 'cilium-junits'

  # Skipped for push events; otherwise runs whatever the test job's outcome
  # and reports that job's result as the commit status.
  commit-status-final:
    name: Commit Status Final
    needs: multi-pool-ipam-conformance-test
    if: always() && github.event_name != 'push'
    runs-on: ubuntu-latest
    steps:
      - name: Set final commit status
        uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
        with:
          sha: ${{ inputs.SHA || github.sha }}
          status: ${{ needs.multi-pool-ipam-conformance-test.result }}