name: Conformance Multi Pool IPAM (ci-multi-pool)
# Any change in triggers needs to be reflected in the concurrency group.
description: "Pull request number."
description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
description: "SHA under test (head of the PR branch)."
description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
# By specifying the access of one of the scopes, all of those that are not
# specified are set to 'none'.
# To be able to access the repository with actions/checkout
# To allow retrieving information from the PR API
# To be able to set commit status
# - A unique identifier depending on event type:
# - workflow_dispatch: PR number
# This structure ensures a unique concurrency group name is generated for each
# type of testing, such that re-runs will cancel the previous run.
${{ github.workflow }}
${{ github.event_name }}
(github.event_name == 'push' && github.sha) ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
cancel-in-progress: true
cilium_cli_ci_version:
# renovate: datasource=github-releases depName=kubernetes-sigs/kind
kind_config: .github/kind-config.yaml
if: ${{ github.event_name != 'push' }}
name: Commit Status Start
runs-on: ubuntu-latest
- name: Set initial commit status
# Third-party action pinned to a full commit SHA rather than a tag, so a
# retagged release cannot change what runs in this job; the trailing
# version comment is informational only.
uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
sha: ${{ inputs.SHA || github.sha }}
multi-pool-ipam-conformance-test:
name: Install and Connectivity Test
runs-on: ubuntu-latest
- name: Checkout context ref (trusted)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
ref: ${{ inputs.context-ref || github.sha }}
persist-credentials: false
- name: Set Environment Variables
uses: ./.github/actions/set-env-variables
- name: Install Cilium CLI
uses: cilium/cilium-cli@7306e3cdc6caee738157f08e3e1ba26179f104e5 # v0.15.23
repository: ${{ env.CILIUM_CLI_RELEASE_REPO }}
release-version: ${{ env.CILIUM_CLI_VERSION }}
ci-version: ${{ env.cilium_cli_ci_version }}
- name: Get Cilium's default values
uses: ./.github/actions/helm-default
image-tag: ${{ inputs.SHA }}
chart-dir: ./untrusted/install/kubernetes/cilium
- name: Set up job variables
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
# NOTE(review): `${{ ... }}` is substituted into the script text before bash
# parses it, so the dispatch inputs on this line and the next assignment are
# treated as shell source, not data. Prefer mapping them under the step's
# `env:` and reading "$VAR" here.
CONTEXT_REF="${{ inputs.context-ref }}"
OWNER="${{ inputs.PR-number }}"
CONTEXT_REF="${{ github.sha }}"
# NOTE(review): github.ref_name is the pushed ref's name and is expanded
# into the script before bash runs; ref names may contain shell
# metacharacters. Pass it through `env:` and reference "$VAR" instead.
OWNER="${{ github.ref_name }}"
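# Publish the computed values as step outputs. Each line is written as one
# quoted word so whitespace or glob characters in a value cannot be split or
# expanded by the shell, and the output file path is quoted as well.
# NOTE(review): the sha value is still spliced in by the `${{ }}` template
# before bash runs; passing it through the step's `env:` would keep it out
# of the script text.
echo "sha=${{ steps.default_vars.outputs.sha }}" >> "$GITHUB_OUTPUT"
echo "context-ref=${CONTEXT_REF}" >> "$GITHUB_OUTPUT"
echo "owner=${OWNER}" >> "$GITHUB_OUTPUT"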
# - Multi-pool IPAM only supports direct routing, thus we disable
# tunnel mode and enable auto-direct-routes.
# - Multi-pool IPAM only supports endpoint routes, thus we disable
# the local-node-route.
# - helm/kind-action does not support BPF host routing, so we fall
# back on legacy host routing (#23283)
# - iptables-based masquerading does not support multiple non-masquerade
# CIDRs. Thus, we enable BPF masquerading where we can add multiple
# non-masquerade CIDRs.
CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
--helm-set=hubble.relay.enabled=true \
--helm-set=autoDirectNodeRoutes=true \
--helm-set=routingMode=native \
--helm-set=endpointRoutes.enabled=true \
--helm-set=kubeProxyReplacement=true \
--helm-set=bpf.masquerade=true \
--helm-set=bpf.hostLegacyRouting=true\
--helm-set=ipMasqAgent.enabled=true \
--helm-set=ipMasqAgent.config.nonMasqueradeCIDRs='{10.0.0.0/8,192.168.0.0/16}' \
--helm-set=ipam.mode=multi-pool \
--helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.cidrs='{10.10.0.0/16}' \
--helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.maskSize=24 \
--helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.cidrs='{10.20.0.0/16}' \
--helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.maskSize=24 \
--helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.cidrs='{192.168.0.0/20}' \
--helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.maskSize=27 \
--helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.cidrs='{192.168.16.0/20}' \
--helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.maskSize=27"
CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \
--external-target bing.com --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8 \
--namespace-annotations='{\"ipam.cilium.io/ip-pool\":\"cilium-test-pool\"}' \
--deployment-pod-annotations='{ \
\"client\":{\"ipam.cilium.io/ip-pool\":\"client-pool\"}, \
\"echo-other-node\":{\"ipam.cilium.io/ip-pool\":\"echo-other-node-pool\"} \
echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT
echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT
# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
ref: ${{ steps.vars.outputs.sha }}
# Do not leave the job token in the checked-out repository's git config:
# this tree is the untrusted PR code, and later steps operate next to it.
persist-credentials: false
install/kubernetes/cilium
- name: Create kind cluster
uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
version: ${{ env.kind_version }}
config: ${{ env.kind_config }}
- name: Wait for images to be available
for image in cilium-ci operator-generic-ci hubble-relay-ci; do
# NOTE(review): no retry cap is visible in this loop; it ends only when the
# manifest becomes available or the job is stopped from outside (for example
# by a job timeout, which this excerpt does not show). Errors other than
# "not found yet" are also hidden by the redirect to /dev/null.
until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
- name: Install Cilium
CILIUM_CLI_MODE=helm cilium install ${{ steps.vars.outputs.cilium_install_defaults }}
- name: Wait for Cilium status to be ready
kubectl -n kube-system get pods
- name: Port forward Relay
cilium hubble port-forward&
[[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]]
- name: Make JUnit report directory
mkdir -p cilium-junits
- name: Run connectivity test
cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \
--junit-file "cilium-junits/${{ env.job_name }} - 1.xml" --junit-property github_job_step="Run connectivity test"
- name: Collect Pod and Pool IPs
for pod in client client2 echo-same-node echo-other-node; do
kubectl get pod -n cilium-test -l "name=${pod}" -o jsonpath="${pod}={.items[*].status.podIP}{'\n'}" >> "$GITHUB_OUTPUT"
for pool in cilium-test-pool client-pool echo-other-node-pool; do
kubectl get ciliumpodippool "${pool}" -o "jsonpath=${pool}={.spec.ipv4.cidrs[0]}{'\n'}" >> "$GITHUB_OUTPUT"
- name: Validate Pod IPs
from ipaddress import ip_address, ip_network
# NOTE(review): the step outputs used in these asserts were captured from
# kubectl against the cluster under test and are pasted into this Python
# source by the workflow template engine, so they are parsed as code.
# Supplying them through `env:` and reading os.environ would keep them as
# data -- confirm against the workflow's threat model.
assert ip_address("${{ steps.ips.outputs.client }}") in ip_network("${{ steps.ips.outputs.client-pool }}"), "client pool mismatch"
assert ip_address("${{ steps.ips.outputs.client2 }}") in ip_network("${{ steps.ips.outputs.cilium-test-pool }}"), "client2 pool mismatch"
assert ip_address("${{ steps.ips.outputs.echo-same-node }}") in ip_network("${{ steps.ips.outputs.cilium-test-pool }}"), "echo-same-node pool mismatch"
assert ip_address("${{ steps.ips.outputs.echo-other-node }}") in ip_network("${{ steps.ips.outputs.echo-other-node-pool }}"), "echo-other-node pool mismatch"
- name: Post-test information gathering
if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
kubectl get pods --all-namespaces -o wide
cilium sysdump --output-filename cilium-sysdump-out
shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
- name: Upload artifacts
if: ${{ !success() }}
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
name: cilium-sysdump-out.zip
path: cilium-sysdump-*.zip
- name: Upload JUnits [junit]
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
path: cilium-junits/*.xml
- name: Publish Test Results As GitHub Summary
uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
junit-directory: "cilium-junits"
if: ${{ always() && github.event_name != 'push' }}
name: Commit Status Final
needs: multi-pool-ipam-conformance-test
runs-on: ubuntu-latest
- name: Set final commit status
uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
sha: ${{ inputs.SHA || github.sha }}
status: ${{ needs.multi-pool-ipam-conformance-test.result }}