From f494d5d59deb1acf2b22b68fc5bb0e13eab12595 Mon Sep 17 00:00:00 2001 
From: Markus Rudy Date: Thu, 11 Jan 2024 13:29:55 +0100 Subject: [PATCH] ci: delete all workflows except image release --- .github/workflows/ariane-scheduled.yaml | 48 -- .github/workflows/build-images-base.yaml | 298 ---------- .github/workflows/build-images-beta.yaml | 182 ------ .github/workflows/build-images-ci.yaml | 454 -------------- .../workflows/build-images-docs-builder.yaml | 180 ------ .github/workflows/build-images-hotfixes.yaml | 185 ------ .../workflows/ci-images-cache-cleaner.yaml | 71 --- .../workflows/ci-images-garbage-collect.yaml | 26 - .github/workflows/close-stale-issues.yaml | 45 -- .github/workflows/conformance-aks.yaml | 331 ----------- .github/workflows/conformance-aws-cni.yaml | 316 ---------- .../workflows/conformance-clustermesh.yaml | 488 --------------- .github/workflows/conformance-e2e.yaml | 383 ------------ .github/workflows/conformance-eks.yaml | 346 ----------- .../conformance-externalworkloads.yaml | 351 ----------- .../workflows/conformance-gateway-api.yaml | 300 ---------- .github/workflows/conformance-ginkgo.yaml | 485 --------------- .github/workflows/conformance-gke.yaml | 310 ---------- .github/workflows/conformance-ingress.yaml | 302 ---------- .github/workflows/conformance-ipsec-e2e.yaml | 356 ----------- ...conformance-k8s-kind-network-policies.yaml | 244 -------- .github/workflows/conformance-k8s-kind.yaml | 245 -------- .../conformance-k8s-network-policies.yaml | 149 ----- .../conformance-kind-proxy-daemonset.yaml | 150 ----- .github/workflows/conformance-multi-pool.yaml | 267 --------- .github/workflows/conformance-runtime.yaml | 452 -------------- .github/workflows/container-scan.yaml | 53 -- .github/workflows/documentation.yaml | 67 --- .../external-contribution-labeler.yaml | 76 --- .github/workflows/integration-test.yaml | 128 ---- .github/workflows/lint-bpf-checks.yaml | 170 ------ .github/workflows/lint-build-commits.yaml | 116 ---- .github/workflows/lint-codeowners.yaml | 129 ---- 
.github/workflows/lint-codeql.yaml | 55 -- .github/workflows/lint-go.yaml | 129 ---- .github/workflows/lint-images-base.yaml | 44 -- .github/workflows/lint-workflows.yaml | 227 ------- .github/workflows/needs-more-info.yaml | 18 - .github/workflows/push-chart-ci.yaml | 173 ------ .github/workflows/scale-test-100-gce.yaml | 221 ------- .../scale-test-node-throughput-gce.yaml | 207 ------- .github/workflows/tests-cifuzz.yaml | 31 - .../workflows/tests-clustermesh-upgrade.yaml | 560 ------------------ .../workflows/tests-datapath-verifier.yaml | 157 ----- .github/workflows/tests-e2e-upgrade.yaml | 490 --------------- .github/workflows/tests-ipsec-upgrade.yaml | 388 ------------ .github/workflows/tests-l4lb.yaml | 145 ----- .github/workflows/tests-smoke-ipv6.yaml | 174 ------ .github/workflows/tests-smoke.yaml | 205 ------- .../workflows/update-label-backport-pr.yaml | 49 -- 50 files changed, 10976 deletions(-) delete mode 100644 .github/workflows/ariane-scheduled.yaml delete mode 100644 .github/workflows/build-images-base.yaml delete mode 100644 .github/workflows/build-images-beta.yaml delete mode 100644 .github/workflows/build-images-ci.yaml delete mode 100644 .github/workflows/build-images-docs-builder.yaml delete mode 100644 .github/workflows/build-images-hotfixes.yaml delete mode 100644 .github/workflows/ci-images-cache-cleaner.yaml delete mode 100644 .github/workflows/ci-images-garbage-collect.yaml delete mode 100644 .github/workflows/close-stale-issues.yaml delete mode 100644 .github/workflows/conformance-aks.yaml delete mode 100644 .github/workflows/conformance-aws-cni.yaml delete mode 100644 .github/workflows/conformance-clustermesh.yaml delete mode 100644 .github/workflows/conformance-e2e.yaml delete mode 100644 .github/workflows/conformance-eks.yaml delete mode 100644 .github/workflows/conformance-externalworkloads.yaml delete mode 100644 .github/workflows/conformance-gateway-api.yaml delete mode 100644 .github/workflows/conformance-ginkgo.yaml delete mode 
100644 .github/workflows/conformance-gke.yaml delete mode 100644 .github/workflows/conformance-ingress.yaml delete mode 100644 .github/workflows/conformance-ipsec-e2e.yaml delete mode 100644 .github/workflows/conformance-k8s-kind-network-policies.yaml delete mode 100644 .github/workflows/conformance-k8s-kind.yaml delete mode 100644 .github/workflows/conformance-k8s-network-policies.yaml delete mode 100644 .github/workflows/conformance-kind-proxy-daemonset.yaml delete mode 100644 .github/workflows/conformance-multi-pool.yaml delete mode 100644 .github/workflows/conformance-runtime.yaml delete mode 100644 .github/workflows/container-scan.yaml delete mode 100644 .github/workflows/documentation.yaml delete mode 100644 .github/workflows/external-contribution-labeler.yaml delete mode 100644 .github/workflows/integration-test.yaml delete mode 100644 .github/workflows/lint-bpf-checks.yaml delete mode 100644 .github/workflows/lint-build-commits.yaml delete mode 100644 .github/workflows/lint-codeowners.yaml delete mode 100644 .github/workflows/lint-codeql.yaml delete mode 100644 .github/workflows/lint-go.yaml delete mode 100644 .github/workflows/lint-images-base.yaml delete mode 100644 .github/workflows/lint-workflows.yaml delete mode 100644 .github/workflows/needs-more-info.yaml delete mode 100644 .github/workflows/push-chart-ci.yaml delete mode 100644 .github/workflows/scale-test-100-gce.yaml delete mode 100644 .github/workflows/scale-test-node-throughput-gce.yaml delete mode 100644 .github/workflows/tests-cifuzz.yaml delete mode 100644 .github/workflows/tests-clustermesh-upgrade.yaml delete mode 100644 .github/workflows/tests-datapath-verifier.yaml delete mode 100644 .github/workflows/tests-e2e-upgrade.yaml delete mode 100644 .github/workflows/tests-ipsec-upgrade.yaml delete mode 100644 .github/workflows/tests-l4lb.yaml delete mode 100644 .github/workflows/tests-smoke-ipv6.yaml delete mode 100644 .github/workflows/tests-smoke.yaml delete mode 100644 
.github/workflows/update-label-backport-pr.yaml diff --git a/.github/workflows/ariane-scheduled.yaml b/.github/workflows/ariane-scheduled.yaml deleted file mode 100644 index 2b24199f9ffeb..0000000000000 --- a/.github/workflows/ariane-scheduled.yaml +++ /dev/null @@ -1,48 +0,0 @@ -name: Ariane scheduled workflows - -on: - # Run every 6 hours - schedule: - - cron: '0 */6 * * *' - -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To trigger workflows via workflow_dispatch - actions: write - -jobs: - ariane-scheduled: - name: Run Scheduled Workflows - strategy: - fail-fast: false - matrix: - branch: - - "1.12" - - "1.13" - - "1.14" - runs-on: ubuntu-latest - steps: - - name: Checkout branch - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: v${{ matrix.branch }} - persist-credentials: false - - - name: Manually run Ariane workflows from the branch - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - BRANCH="${{ matrix.branch }}" - REF="v${BRANCH}" - SHA=$(git rev-parse ${REF}) - readarray workflows < <(TRIGGER="/test-backport-${BRANCH}" yq '.triggers[env(TRIGGER)].workflows[]' .github/ariane-config.yaml) - - for workflow in ${workflows[@]}; do - echo triggering ${workflow} - gh workflow run ${workflow} \ - --ref ${REF} \ - -f PR-number=${REF/./-} \ - -f context-ref=${REF} \ - -f SHA=${SHA} - done diff --git a/.github/workflows/build-images-base.yaml b/.github/workflows/build-images-base.yaml deleted file mode 100644 index 48af15234442e..0000000000000 --- a/.github/workflows/build-images-base.yaml +++ /dev/null 
@@ -1,298 +0,0 @@ -name: Base Image Release Build - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request_target: - types: - - opened - - synchronize - - reopened - paths: - - images/runtime/** - - images/builder/** - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} - cancel-in-progress: true - -jobs: - build-and-push: - name: Build and Push Images - timeout-minutes: 45 - environment: release-base-images - runs-on: ubuntu-22.04 - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - - name: Set up QEMU - id: qemu - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - - - name: Install Cosign - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set-up git - run: | - git config user.name "Cilium Imagebot" - git config user.email "noreply@cilium.io" - - - name: Generating image tag for Cilium-Runtime - id: runtime-tag - run: | - echo tag="$(git ls-tree --full-tree HEAD -- ./images/runtime | awk '{ print $3 }')" >> $GITHUB_OUTPUT - - - name: Checking if tag for Cilium-Runtime already exists - id: cilium-runtime-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: Login to quay.io - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }} - password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }} - - - name: Release build cilium-runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker_build_release_runtime - with: - provenance: false - context: ./images/runtime - file: ./images/runtime/Dockerfile - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} - - - name: Sign Container Image Runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }} - - - name: Install Bom - shell: bash - env: - # 
renovate: datasource=github-releases depName=kubernetes-sigs/bom - BOM_VERSION: v0.5.1 - run: | - curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom - sudo mv ./bom /usr/local/bin/bom - sudo chmod +x /usr/local/bin/bom - - - name: Generate SBOM - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - shell: bash - # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed - # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479 - run: | - bom generate -o sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx \ - --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }} - - - name: Attach SBOM to Container Image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign attach sbom --sbom sbom_cilium-runtime_${{ steps.runtime-tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${{ steps.docker_build_release_runtime.outputs.digest }} - - - name: Sign SBOM Image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - docker_build_release_runtime_digest="${{ steps.docker_build_release_runtime.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${docker_build_release_runtime_digest/:/-}.sbom" - docker_build_release_runtime_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime@${docker_build_release_runtime_sbom_digest}" - - - name: Image Release Digest Runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - shell: bash - run: | - mkdir -p image-digest/ - echo "## cilium-runtime" > image-digest/cilium-runtime.txt - echo "" >> 
image-digest/cilium-runtime.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}\`" >> image-digest/cilium-runtime.txt - echo "" >> image-digest/cilium-runtime.txt - - - name: Upload artifact digests runtime - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: image-digest cilium-runtime - path: image-digest - retention-days: 1 - - - name: Update Runtime Image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}" - git commit -sam "images: update cilium-{runtime,builder}" - - - name: Generating image tag for Cilium-Builder - id: builder-tag - run: | - echo tag="$(git ls-tree --full-tree HEAD -- ./images/builder | awk '{ print $3 }')" >> $GITHUB_OUTPUT - - - name: Checking if tag for Cilium-Builder already exists - id: cilium-builder-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: Login to quay.io - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' && steps.cilium-runtime-tag-in-repositories.outputs.exists != 'false' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_BASE_RELEASE_USERNAME }} - password: ${{ secrets.QUAY_BASE_RELEASE_PASSWORD }} - - - name: Release build cilium-builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 
'false' }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker_build_release_builder - with: - provenance: false - context: ./images/builder - file: ./images/builder/Dockerfile - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} - - - name: Sign Container Image Builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }} - - - name: Generate SBOM - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - shell: bash - # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed - # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479 - run: | - bom generate -o sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx \ - --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }} - - - name: Attach SBOM to Container Image - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - cosign attach sbom --sbom sbom_cilium-builder_${{ steps.builder-tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${{ steps.docker_build_release_builder.outputs.digest }} - - - name: Sign SBOM Image - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - docker_build_release_builder_digest="${{ steps.docker_build_release_builder.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${docker_build_release_builder_digest/:/-}.sbom" - docker_build_release_builder_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y 
"quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder@${docker_build_release_builder_sbom_digest}" - - - name: Image Release Digest Builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - shell: bash - run: | - mkdir -p image-digest/ - echo "## cilium-builder" > image-digest/cilium-builder.txt - echo "" >> image-digest/cilium-builder.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}\`" >> image-digest/cilium-builder.txt - echo "" >> image-digest/cilium-builder.txt - - - name: Upload artifact digests builder - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: image-digest cilium-builder - path: image-digest - retention-days: 1 - - - name: Update Runtime Images - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - images/runtime/update-cilium-runtime-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-runtime:${{ steps.runtime-tag.outputs.tag }}@${{ steps.docker_build_release_runtime.outputs.digest }}" - - - name: Update Builder Images - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - images/builder/update-cilium-builder-image.sh "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-builder:${{ steps.builder-tag.outputs.tag }}@${{ steps.docker_build_release_builder.outputs.digest }}" - - - name: Commit changes by amending previous commit - # Run this step in case we have committed the cilium-runtime changes before - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - run: | - git commit --amend -sam "images: update cilium-{runtime,builder}" - - - name: Commit changes - # Run this step in case we have NOT committed the cilium-runtime changes before - if: ${{ 
steps.cilium-runtime-tag-in-repositories.outputs.exists != 'false' && steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - git commit -sam "images: update cilium-{runtime,builder}" - - - name: Get token - if: ${{ steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' || steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' }} - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }} - APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }} - - - name: Push changes into PR - env: - REF: ${{ github.event.pull_request.head.ref }} - if: ${{ steps.cilium-runtime-tag-in-repositories.outputs.exists == 'false' || steps.cilium-builder-tag-in-repositories.outputs.exists == 'false' }} - run: | - git diff HEAD^ - git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.QUAY_ORGANIZATION }}/cilium.git HEAD:"$REF" - - image-digests: - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push - steps: - - name: Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - path: image-digest/ - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat diff --git a/.github/workflows/build-images-beta.yaml b/.github/workflows/build-images-beta.yaml deleted file mode 100644 index fd750c1bcb234..0000000000000 --- a/.github/workflows/build-images-beta.yaml +++ /dev/null 
@@ -1,182 +0,0 @@ -name: Beta Image Release Build - -on: - workflow_dispatch: - inputs: - tag: - description: 'Docker Image Tag' - required: true - suffix: - description: 'Docker Image Suffix (e.g. "beta" -> "cilium-beta")' - required: true - default: "beta" - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -jobs: - build-and-push: - timeout-minutes: 45 - name: Build and Push Images - environment: release-beta-images - runs-on: ubuntu-22.04 - strategy: - matrix: - include: - - name: cilium - dockerfile: ./images/cilium/Dockerfile - - - name: operator - dockerfile: ./images/operator/Dockerfile - - - name: operator-aws - dockerfile: ./images/operator/Dockerfile - - - name: operator-azure - dockerfile: ./images/operator/Dockerfile - - - name: operator-alibabacloud - dockerfile: ./images/operator/Dockerfile - - - name: operator-generic - dockerfile: ./images/operator/Dockerfile - - - name: hubble-relay - dockerfile: ./images/hubble-relay/Dockerfile - - - name: clustermesh-apiserver - dockerfile: ./images/clustermesh-apiserver/Dockerfile - - - name: docker-plugin - dockerfile: ./images/cilium-docker-plugin/Dockerfile - - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - - name: Login to quay.io - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_BETA_USERNAME }} - password: ${{ secrets.QUAY_BETA_PASSWORD }} - - - name: Getting image tag - id: tag - run: | - echo 
tag=${GITHUB_REF##*/} >> $GITHUB_OUTPUT - - - name: Checking if tag already exists - id: tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} &>/dev/null; then - echo "Tag already exists!" - exit 1 - fi - - - name: Checkout Source Code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - - name: Release Build ${{ matrix.name }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker_build_release - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Install Cosign - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 - - - name: Sign Container Image - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${{ steps.docker_build_release.outputs.digest }} - - - name: Install Bom - shell: bash - env: - # renovate: datasource=github-releases depName=kubernetes-sigs/bom - BOM_VERSION: v0.5.1 - run: | - curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom - sudo mv ./bom /usr/local/bin/bom - sudo chmod +x /usr/local/bin/bom - - - name: Generate SBOM - shell: bash - # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed - # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479 - run: | - bom generate -o sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx \ - 
--image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }} - - - name: Attach SBOM to Container Image - run: | - cosign attach sbom --sbom sbom_${{ matrix.name }}_${{ github.event.inputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${{ steps.docker_build_release.outputs.digest }} - - - name: Sign SBOM Image - run: | - docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${docker_build_release_digest/:/-}.sbom" - docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}@${docker_build_release_sbom_digest}" - - - name: Image Release Digest - shell: bash - run: | - mkdir -p image-digest/ - echo "## ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-${{ github.event.inputs.suffix }}:${{ github.event.inputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - - # Upload artifact digests - - name: Upload artifact digests - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: image-digest ${{ matrix.name }} - path: image-digest - retention-days: 1 - - image-digests: - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push - steps: - - name: Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - path: 
image-digest/ - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat diff --git a/.github/workflows/build-images-ci.yaml b/.github/workflows/build-images-ci.yaml deleted file mode 100644 index 11d5def71af1a..0000000000000 --- a/.github/workflows/build-images-ci.yaml +++ /dev/null 
@@ -1,454 +0,0 @@ -name: Image CI Build - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request_target: - types: - - opened - - synchronize - - reopened - push: - branches: - - main - - ft/main/** - - # If the cache was cleaned we should re-build the cache with the latest commit - workflow_run: - workflows: - - "Image CI Cache Cleaner" - branches: - - main - - ft/main/** - types: - - completed - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -jobs: - build-and-push-prs: - timeout-minutes: 45 - name: Build and Push Images - runs-on: ubuntu-22.04 - strategy: - matrix: - include: - - name: cilium - dockerfile: ./images/cilium/Dockerfile - - - name: operator-aws - dockerfile: ./images/operator/Dockerfile - - - name: operator-azure - dockerfile: ./images/operator/Dockerfile - - - name: operator-alibabacloud - dockerfile: ./images/operator/Dockerfile - - - name: operator-generic - dockerfile: ./images/operator/Dockerfile - - - name: hubble-relay - dockerfile: ./images/hubble-relay/Dockerfile - - - name: clustermesh-apiserver - dockerfile: ./images/clustermesh-apiserver/Dockerfile - - - name: docker-plugin - dockerfile: ./images/cilium-docker-plugin/Dockerfile - - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - - name: Login to quay.io for CI - uses: 
docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_USERNAME_CI }} - password: ${{ secrets.QUAY_PASSWORD_CI }} - - - name: Getting image tag - id: tag - run: | - if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then - echo tag=${{ github.event.pull_request.head.sha }} >> $GITHUB_OUTPUT - else - echo tag=${{ github.sha }} >> $GITHUB_OUTPUT - fi - if [ "${{ github.ref_name }}" == "${{ github.event.repository.default_branch }}" ]; then - echo floating_tag=latest >> $GITHUB_OUTPUT - else - echo floating_tag=${{ github.ref_name }} >> $GITHUB_OUTPUT - fi - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - ref: ${{ steps.tag.outputs.tag }} - - # Load Golang cache build from GitHub - - name: Load ${{ matrix.name }} Golang cache build from GitHub - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - id: cache - with: - path: /tmp/.cache/${{ matrix.name }} - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}- - ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}- - ${{ runner.os }}-go- - - - name: Create ${{ matrix.name }} cache directory - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.cache/${{ matrix.name }} - - # Import GitHub's cache build to docker cache - - name: Copy ${{ matrix.name }} Golang cache to docker cache - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - with: - provenance: false - context: /tmp/.cache/${{ matrix.name }} - file: ./images/cache/Dockerfile - push: false - platforms: linux/amd64 - target: 
import-cache - - - name: Install Cosign - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 - - - name: Install Bom - shell: bash - env: - # renovate: datasource=github-releases depName=kubernetes-sigs/bom - BOM_VERSION: v0.5.1 - run: | - curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom - sudo mv ./bom /usr/local/bin/bom - sudo chmod +x /usr/local/bin/bom - - # main branch pushes - - name: CI Build ${{ matrix.name }} - if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker_build_ci_main - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - # Only push when the event name was a GitHub push, this is to avoid - # re-pushing the image tags when we only want to re-create the Golang - # docker cache after the workflow "Image CI Cache Cleaner" was terminated. - push: ${{ github.event_name == 'push' }} - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }} - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: CI race detection Build ${{ matrix.name }} - if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker_build_ci_main_detect_race_condition - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - # Only push when the event name was a GitHub push, this is to avoid - # re-pushing the image tags when we only want to re-create the Golang - # docker cache after the workflow "Image CI Cache Cleaner" was terminated. 
- push: ${{ github.event_name == 'push' }} - platforms: linux/amd64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race - target: release - build-args: | - BASE_IMAGE=quay.io/cilium/cilium-runtime:abf6badae18e61009c5d8ae69f3b87866259a470@sha256:d06d8a35e05314bfbf31349ffcca5751dc9678ab463ed1a4376732a1b16bd77e - LOCKDEBUG=1 - RACE=1 - OPERATOR_VARIANT=${{ matrix.name }} - - - name: CI Unstripped Binaries Build ${{ matrix.name }} - if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref_name, 'ft/') }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker_build_ci_main_unstripped - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - # Only push when the event name was a GitHub push, this is to avoid - # re-pushing the image tags when we only want to re-create the Golang - # docker cache after the workflow "Image CI Cache Cleaner" was terminated. - push: ${{ github.event_name == 'push' }} - platforms: linux/amd64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped - target: release - build-args: | - NOSTRIP=1 - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Sign Container Images - # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). - # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. - # It would even fail because `steps.docker_build_ci_main*.outputs.digest` isn't set in case - # neither push nor load are set in the docker/build-push-action action. 
- if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main_detect_race_condition.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main_unstripped.outputs.digest }} - - - name: Generate SBOM - # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). - # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. - # It would even fail because `steps.docker_build_ci_main*.outputs.digest` isn't set in case - # neither push nor load are set in the docker/build-push-action action. - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - shell: bash - # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed - # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479 - run: | - bom generate -o sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ - --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} - bom generate -o sbom_ci_main_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ - --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race - bom generate -o sbom_ci_main_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ - --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped - - - name: Attach SBOM to Container Images - # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). 
- # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. - # It would even fail because `steps.docker_build_ci_main*.outputs.digest` isn't set in case - # neither push nor load are set in the docker/build-push-action action. - if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - run: | - cosign attach sbom --sbom sbom_ci_main_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }} - cosign attach sbom --sbom sbom_ci_main_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main_detect_race_condition.outputs.digest }} - cosign attach sbom --sbom sbom_ci_main_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main_unstripped.outputs.digest }} - - - name: Sign SBOM Images - # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). - # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. - # It would even fail because `steps.docker_build_ci_main*.outputs.digest` isn't set in case - # neither push nor load are set in the docker/build-push-action action. 
- if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - run: | - docker_build_ci_main_digest="${{ steps.docker_build_ci_main.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_main_digest/:/-}.sbom" - docker_build_ci_main_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_main_sbom_digest}" - - docker_build_ci_main_detect_race_condition_digest="${{ steps.docker_build_ci_main_detect_race_condition.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_main_detect_race_condition_digest/:/-}.sbom" - docker_build_ci_main_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_main_detect_race_condition_sbom_digest}" - - docker_build_ci_main_unstripped_digest="${{ steps.docker_build_ci_main_unstripped.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_main_unstripped_digest/:/-}.sbom" - docker_build_ci_main_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_main_unstripped_sbom_digest}" - - - name: CI Image Releases digests - # Only sign when the event name was a GitHub push and not workflow_run (re-building cache). - # In this case the image wasn't pushed, therefore it's not necessary to execute this step too. - # It would even fail because `steps.docker_build_ci_main*.outputs.digest` isn't set in case - # neither push nor load are set in the docker/build-push-action action. 
- if: ${{ github.event_name == 'push' && !startsWith(github.ref_name, 'ft/') }} - shell: bash - run: | - mkdir -p image-digest/ - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}@${{ steps.docker_build_ci_main.outputs.digest }}" > image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-race@${{ steps.docker_build_ci_main_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.floating_tag }}-unstripped@${{ steps.docker_build_ci_main_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_main.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_main_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_main_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - - # PR or feature branch updates - - name: CI Build ${{ matrix.name }} - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker_build_ci_pr - with: - provenance: false - context: . 
- file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: CI race detection Build ${{ matrix.name }} - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker_build_ci_pr_detect_race_condition - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race - target: release - build-args: | - BASE_IMAGE=quay.io/cilium/cilium-runtime:abf6badae18e61009c5d8ae69f3b87866259a470@sha256:d06d8a35e05314bfbf31349ffcca5751dc9678ab463ed1a4376732a1b16bd77e - LOCKDEBUG=1 - RACE=1 - OPERATOR_VARIANT=${{ matrix.name }} - - - name: CI Unstripped Binaries Build ${{ matrix.name }} - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker_build_ci_pr_unstripped - with: - provenance: false - context: . 
- file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped - target: release - build-args: | - NOSTRIP=1 - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Sign Container Images - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }} - - - name: Generate SBOM - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - shell: bash - # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed - # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479 - run: | - bom generate -o sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ - --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} - bom generate -o sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ - --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race - bom generate -o sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ - --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped - - - name: Attach SBOM to Container Images - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 
'ft/')) }} - run: | - cosign attach sbom --sbom sbom_ci_pr_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr.outputs.digest }} - cosign attach sbom --sbom sbom_ci_pr_race_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }} - cosign attach sbom --sbom sbom_ci_pr_unstripped_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }} - - - name: Sign SBOM Images - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - run: | - docker_build_ci_pr_digest="${{ steps.docker_build_ci_pr.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_digest/:/-}.sbom" - docker_build_ci_pr_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_sbom_digest}" - - docker_build_ci_pr_detect_race_condition_digest="${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_ci_pr_detect_race_condition_digest/:/-}.sbom" - docker_build_ci_pr_detect_race_condition_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_detect_race_condition_sbom_digest}" - - docker_build_ci_pr_unstripped_digest="${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name 
}}-ci:${docker_build_ci_pr_unstripped_digest/:/-}.sbom" - docker_build_ci_pr_unstripped_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_ci_pr_unstripped_sbom_digest}" - - - name: CI Image Releases digests - if: ${{ github.event_name == 'pull_request_target' || (github.event_name == 'push' && startsWith(github.ref_name, 'ft/')) }} - shell: bash - run: | - mkdir -p image-digest/ - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - echo "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-unstripped@${{ steps.docker_build_ci_pr_unstripped.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt - - # Upload artifact digests - - name: Upload artifact digests - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: image-digest ${{ matrix.name }} - path: image-digest - retention-days: 1 - - # Store docker's golang's cache build locally only on the main branch - - name: Store ${{ matrix.name }} Golang cache build locally - if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - with: - provenance: false - context: . 
- file: ./images/cache/Dockerfile - push: false - outputs: type=local,dest=/tmp/docker-cache-${{ matrix.name }} - platforms: linux/amd64 - target: export-cache - - # Store docker's golang's cache build locally only on the main branch - - name: Store ${{ matrix.name }} Golang cache in GitHub cache path - if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.cache/${{ matrix.name }}/ - if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz ]; then - cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz /tmp/.cache/${{ matrix.name }}/ - fi - if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz ]; then - cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz /tmp/.cache/${{ matrix.name }}/ - fi - - image-digests: - if: ${{ always() }} - name: Display Digests - runs-on: ubuntu-22.04 - needs: build-and-push-prs - steps: - - name: Downloading Image Digests - shell: bash - run: | - mkdir -p image-digest/ - - - name: Download digests of all images built - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - path: image-digest/ - - - name: Image Digests Output - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat diff --git a/.github/workflows/build-images-docs-builder.yaml b/.github/workflows/build-images-docs-builder.yaml deleted file mode 100644 index b2cce98fb59f3..0000000000000 --- a/.github/workflows/build-images-docs-builder.yaml +++ /dev/null 
@@ -1,180 +0,0 @@ -name: Docs-builder Image Build - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request_target: - types: - - opened - - synchronize - - reopened - paths: - - Documentation/Dockerfile - - Documentation/requirements.txt - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} - cancel-in-progress: true - -jobs: - build-and-push: - name: Build and Push Image - runs-on: ubuntu-22.04 - timeout-minutes: 30 - environment: docs-builder - outputs: - tag: ${{ steps.docs-builder-tag.outputs.tag }} - digest: ${{ steps.docker-build-docs-builder.outputs.digest }} - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set environment variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - - - name: Generate image tag for docs-builder - id: docs-builder-tag - run: | - echo tag="$(git ls-tree --full-tree HEAD -- ./Documentation | awk '{ print $3 }')" >> $GITHUB_OUTPUT - - - name: Check if tag for docs-builder already exists - id: docs-builder-tag-in-repositories - shell: bash - run: | - if docker buildx imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ steps.docs-builder-tag.outputs.tag }} &>/dev/null; then - echo exists="true" >> $GITHUB_OUTPUT - else - echo exists="false" >> $GITHUB_OUTPUT - fi - - - name: Login to quay.io - if: ${{ steps.docs-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_DOCS_BUILDER_USERNAME }} - password: ${{ secrets.QUAY_DOCS_BUILDER_PASSWORD }} - logout: true - - - name: Build docs-builder image - if: ${{ steps.docs-builder-tag-in-repositories.outputs.exists == 'false' }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker-build-docs-builder - with: - provenance: false - context: ./Documentation - file: ./Documentation/Dockerfile - push: true - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ steps.docs-builder-tag.outputs.tag }} - - # Use a separate job for the steps below, to ensure we're no longer logged - # into Quay.io. 
- update-pr: - name: Update Pull Request with new image reference - needs: build-and-push - if: needs.build-and-push.outputs.digest - runs-on: ubuntu-22.04 - timeout-minutes: 10 - environment: docs-builder - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set environment variables - uses: ./.github/actions/set-env-variables - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - - - name: Set up git - run: | - git config user.name "Cilium Imagebot" - git config user.email "noreply@cilium.io" - - - name: Update docs-builder image reference in CI workflow - run: | - NEW_IMAGE="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ needs.build-and-push.outputs.tag }}@${{ needs.build-and-push.outputs.digest }}" - # Run in Docker to prevent the script from accessing the environment. 
- docker run --rm -v $PWD:/cilium -w /cilium "${NEW_IMAGE}" \ - bash -c "git config --global --add safe.directory /cilium && \ - /cilium/Documentation/update-docs-builder-image.sh ${NEW_IMAGE}" - git commit -sam "ci: update docs-builder" - - - name: Get token - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.AUTO_COMMITTER_PEM }} - APP_ID: ${{ secrets.AUTO_COMMITTER_APP_ID }} - - - name: Push changes into PR - env: - REF: ${{ github.event.pull_request.head.ref }} - run: | - git diff HEAD^ - git push https://x-access-token:${{ steps.get_token.outputs.app_token }}@github.com/${{ env.QUAY_ORGANIZATION }}/cilium.git HEAD:"$REF" - - image-digest: - name: Retrieve and display image digest - needs: build-and-push - if: needs.build-and-push.outputs.digest - runs-on: ubuntu-22.04 - timeout-minutes: 10 - steps: - - name: Checkout default branch (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set environment variables - uses: ./.github/actions/set-env-variables - - - name: Retrieve image digest - shell: bash - run: | - NEW_IMAGE="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docs-builder:${{ needs.build-and-push.outputs.tag }}@${{ needs.build-and-push.outputs.digest }}" - mkdir -p image-digest/ - echo "## docs-builder" > image-digest/docs-builder.txt - echo "" >> image-digest/docs-builder.txt - echo "\`${NEW_IMAGE}\`" >> image-digest/docs-builder.txt - echo "" >> image-digest/docs-builder.txt - - - name: Upload artifact digests - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: image-digest docs-builder - path: image-digest - retention-days: 1 - - - name: Output image digest - shell: bash - run: | - cd image-digest/ - find -type f | sort | xargs -d '\n' cat 
diff --git a/.github/workflows/build-images-hotfixes.yaml b/.github/workflows/build-images-hotfixes.yaml deleted file mode 100644 index 061adc9d64b3a..0000000000000 --- a/.github/workflows/build-images-hotfixes.yaml +++ /dev/null 
@@ -1,185 +0,0 @@ -name: Hot Fix Image Release Build - -on: - push: - branches: - - hf/main/** - -permissions: - # To be able to access the repository with `actions/checkout` - contents: read - # Required to generate OIDC tokens for `sigstore/cosign-installer` authentication - id-token: write - -jobs: - build-and-push: - timeout-minutes: 45 - name: Build and Push Images - environment: release-developer-images - runs-on: ubuntu-22.04 - strategy: - matrix: - include: - - name: cilium - dockerfile: ./images/cilium/Dockerfile - - - name: operator - dockerfile: ./images/operator/Dockerfile - - - name: operator-aws - dockerfile: ./images/operator/Dockerfile - - - name: operator-azure - dockerfile: ./images/operator/Dockerfile - - - name: operator-alibabacloud - dockerfile: ./images/operator/Dockerfile - - - name: operator-generic - dockerfile: ./images/operator/Dockerfile - - - name: hubble-relay - dockerfile: ./images/hubble-relay/Dockerfile - - - name: clustermesh-apiserver - dockerfile: ./images/clustermesh-apiserver/Dockerfile - - - name: docker-plugin - dockerfile: ./images/cilium-docker-plugin/Dockerfile - - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - - name: Login to quay.io - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: quay.io - username: ${{ secrets.QUAY_DEVELOPER_USERNAME }} - password: ${{ secrets.QUAY_DEVELOPER_PASSWORD }} - - - name: Getting image tag - id: tag - run: | - echo tag=${GITHUB_REF##*/} >> $GITHUB_OUTPUT - - - name: Checking if tag already exists - id: tag-in-repositories - shell: bash - run: | - if docker buildx 
imagetools inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }} &>/dev/null; then - echo "Tag already exists!" - exit 1 - fi - - - name: Checkout Source Code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - - name: Release Build ${{ matrix.name }} - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - id: docker_build_release - with: - provenance: false - context: . - file: ${{ matrix.dockerfile }} - push: true - platforms: linux/amd64,linux/arm64 - tags: | - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }} - quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ github.sha }} - target: release - build-args: | - OPERATOR_VARIANT=${{ matrix.name }} - - - name: Install Cosign - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 - - - name: Sign Container Image - run: | - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${{ steps.docker_build_release.outputs.digest }} - cosign sign -y quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_release.outputs.digest }} - - - name: Install Bom - shell: bash - env: - # renovate: datasource=github-releases depName=kubernetes-sigs/bom - BOM_VERSION: v0.5.1 - run: | - curl -L https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux -o bom - sudo mv ./bom /usr/local/bin/bom - sudo chmod +x /usr/local/bin/bom - - - name: Generate SBOM - shell: bash - # To-Do: generate SBOM from source after https://github.com/kubernetes-sigs/bom/issues/202 is fixed - # To-Do: format SBOM output to json after cosign v2.0 is released with https://github.com/sigstore/cosign/pull/2479 - run: | - bom generate -o sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx \ - --image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ 
matrix.name }}-dev:${{ steps.tag.outputs.tag }} - - - name: Attach SBOM to Container Images - run: | - cosign attach sbom --sbom sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${{ steps.docker_build_release.outputs.digest }} - cosign attach sbom --sbom sbom_${{ matrix.name }}_${{ steps.tag.outputs.tag }}.spdx quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${{ steps.docker_build_release.outputs.digest }} - - - name: Sign SBOM Image - run: | - docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${docker_build_release_digest/:/-}.sbom" - docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev@${docker_build_release_sbom_digest}" - - docker_build_release_digest="${{ steps.docker_build_release.outputs.digest }}" - image_name="quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${docker_build_release_digest/:/-}.sbom" - docker_build_release_sbom_digest="sha256:$(docker buildx imagetools inspect --raw ${image_name} | sha256sum | head -c 64)" - cosign sign -y "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci@${docker_build_release_sbom_digest}" - - - name: Image Release Digest - shell: bash - run: | - mkdir -p image-digest/ - echo "## ${{ matrix.name }}" > image-digest/${{ matrix.name }}.txt - echo "" >> image-digest/${{ matrix.name }}.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-dev:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - echo "\`quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/${{ matrix.name }}-ci:${{ github.sha }}@${{ steps.docker_build_release.outputs.digest }}\`" >> image-digest/${{ matrix.name }}.txt - 
echo "" >> image-digest/${{ matrix.name }}.txt
-
- # Upload artifact digests
- - name: Upload artifact digests
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- with:
- name: image-digest ${{ matrix.name }}
- path: image-digest
- retention-days: 1
-
- image-digests:
- name: Display Digests
- runs-on: ubuntu-22.04
- needs: build-and-push
- steps:
- - name: Downloading Image Digests
- shell: bash
- run: |
- mkdir -p image-digest/
-
- - name: Download digests of all images built
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
- with:
- path: image-digest/
-
- - name: Image Digests Output
- shell: bash
- run: |
- cd image-digest/
- find -type f | sort | xargs -d '\n' cat
diff --git a/.github/workflows/ci-images-cache-cleaner.yaml b/.github/workflows/ci-images-cache-cleaner.yaml
deleted file mode 100644
index bbe404f5257c0..0000000000000
--- a/.github/workflows/ci-images-cache-cleaner.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: Image CI Cache Cleaner
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- workflow_dispatch:
- schedule:
- # Run the GC every Monday at 6am
- - cron: "0 6 * * 1"
-
-permissions: read-all
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
- cancel-in-progress: true
-
-jobs:
- cache-cleaner:
- name: Clean Image Cache
- runs-on: ubuntu-22.04
- strategy:
- matrix:
- include:
- - name: cilium
-
- - name: operator-aws
-
- - name: operator-azure
-
- - name: operator-alibabacloud
-
- - name: operator-generic
-
- - name: hubble-relay
-
- - name: clustermesh-apiserver
-
- - name: kvstoremesh
-
- - name: docker-plugin
-
- steps:
- # Fetch the source code so that we can get the right cache key
- - name: Checkout Source Code
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- persist-credentials: false
-
- # Load Golang cache build from GitHub
- - name: Load ${{ matrix.name }} Golang cache build from GitHub
- uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
- id: cache
- with:
- path: /tmp/.cache/${{ matrix.name }}
- key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-${{ github.sha }}
- restore-keys: |
- ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-
- ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-
- ${{ runner.os }}-go-
-
- - name: Create ${{ matrix.name }} cache directory
- if: ${{ steps.cache.outputs.cache-hit != 'true' }}
- shell: bash
- run: |
- mkdir -p /tmp/.cache/${{ matrix.name }}
-
- # Clean docker's golang's cache
- - name: Clean ${{ matrix.name }} Golang cache from GitHub
- shell: bash
- run: |
- rm -f /tmp/.cache/${{ matrix.name }}/go-build-cache.tar.gz
- rm -f /tmp/.cache/${{ matrix.name }}/go-pkg-cache.tar.gz
diff --git a/.github/workflows/ci-images-garbage-collect.yaml b/.github/workflows/ci-images-garbage-collect.yaml
deleted file mode 100644
index b8bbe509773c4..0000000000000
--- a/.github/workflows/ci-images-garbage-collect.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Scruffy
-on:
- workflow_dispatch:
- schedule:
- # Run the GC every Monday at 9am
- - cron: "0 9 * * 1"
-
-permissions: read-all
-
-jobs:
- scruffy:
- if: github.repository_owner == 'cilium'
- name: scruffy
- runs-on: ubuntu-22.04
- steps:
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- fetch-depth: 0
- name: Garbage Collect Images
- uses: docker://quay.io/cilium/scruffy:v0.0.3@sha256:ca997451b739cbf03c204cb2523a671c31c61edc606aa5d20dc3560bc7f25bc7
- with:
- entrypoint: scruffy
- args: --git-repository=./ --stable-branches=origin/main,origin/v1.12,origin/v1.13,origin/v1.14
- env:
- QUAY_TOKEN: ${{ secrets.SCRUFFY_QUAY_TOKEN }}
diff --git a/.github/workflows/close-stale-issues.yaml b/.github/workflows/close-stale-issues.yaml
deleted file mode 100644
index 7dc2ca6bfcacc..0000000000000
--- a/.github/workflows/close-stale-issues.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-name: Close stale issues
-
-on:
- schedule:
- - cron: "30 1 * * *"
-
-permissions:
- issues: write
- pull-requests: write
-
-jobs:
- stale:
- name: Close Stale Issues
- runs-on: ubuntu-latest
- steps:
- # https://github.com/marketplace/actions/close-stale-issues
- - name: Close stale issues
- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
- with:
- operations-per-run: 1000
- stale-issue-label: stale
- exempt-all-issue-assignees: true
- exempt-issue-labels: pinned,security,good-first-issue
-
- days-before-issue-stale: 60
- stale-issue-message: |
- This issue has been automatically marked as stale because it has not
- had recent activity. It will be closed if no further activity occurs.
- days-before-issue-close: 14
- close-issue-message: |
- This issue has not seen any activity since it was marked stale.
- Closing.
-
- stale-pr-label: stale
- exempt-pr-labels: pinned,security,good-first-issue
-
- days-before-pr-stale: 30
- stale-pr-message: |
- This pull request has been automatically marked as stale because it
- has not had recent activity. It will be closed if no further activity
- occurs. Thank you for your contributions.
- days-before-pr-close: 14
- close-pr-message: |
- This pull request has not seen any activity since it was marked stale.
- Closing.
diff --git a/.github/workflows/conformance-aks.yaml b/.github/workflows/conformance-aks.yaml
deleted file mode 100644
index 2ed5061550b00..0000000000000
--- a/.github/workflows/conformance-aks.yaml
+++ /dev/null
@@ -1,331 +0,0 @@ -name: Conformance AKS (ci-aks) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 6 hours - schedule: - - cron: '0 0/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - # Required to generate OIDC tokens for `az` authentication - id-token: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cost_reduction: --node-vm-size Standard_B2s --node-osdisk-size 30 - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - -jobs: - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/azure" - destination_directory="/tmp/generated/azure" - mkdir -p "${destination_directory}" - - yq -o=json "${work_dir}/k8s-versions.yaml" | jq . > "${destination_directory}/azure.json" - - - name: Generate Matrix - id: set-matrix - run: | - cd /tmp/generated/azure - - if [ "${{ github.event_name }}" == "schedule" ];then - cp azure.json /tmp/matrix.json - else - jq '{ "include": [ .include[] | select(.default) ] }' azure.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - echo "matrix=$(jq -c . 
< /tmp/matrix.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - runs-on: ubuntu-latest - timeout-minutes: 60 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Override cluster name - run: | - # Extend default name with matrix index to avoid cluster name conflicts - NAME=${{ env.name }}-${{ matrix.index }} - echo "name=${NAME}" >> "$GITHUB_ENV" - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER/./-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --cluster-name=${{ env.name }} \ - --helm-set loadBalancer.l7.backend=envoy \ - --helm-set tls.secretsBackend=k8s \ - --helm-set=azure.resourceGroup=${{ env.name }}" - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled \ - --hubble=false --collect-sysdump-on-failure --external-target bing.com --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: 
cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Login to Azure - uses: azure/login@de95379fe4dadc2defb305917eaa7e5dde727294 # v1.5.1 - with: - creds: ${{ secrets.AZURE_PR_SP_CREDS }} - - - name: Install aks-preview CLI extension - run: | - az extension add --name aks-preview - az extension update --name aks-preview - az version - - - name: Create AKS cluster - run: | - # Create group - az group create \ - --name ${{ env.name }} \ - --location ${{ matrix.location }} \ - --tags usage=${{ github.repository_owner }}-${{ github.event.repository.name }} owner=${{ steps.vars.outputs.owner }} - - # Create AKS cluster - az aks create \ - --resource-group ${{ env.name }} \ - --name ${{ env.name }} \ - --location ${{ matrix.location }} \ - --kubernetes-version ${{ matrix.version }} \ - --network-plugin none \ - --node-count 2 \ - ${{ env.cost_reduction }} \ - --generate-ssh-keys - - - name: Get cluster credentials - run: | - az aks get-credentials \ - --resource-group ${{ env.name }} \ - --name ${{ env.name }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-azure-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Enable Relay - run: | - cilium hubble enable - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait --wait-duration=10m - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}) - 1.xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Clean up Cilium - run: | - pkill -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" || test $? 
-eq 1 - cilium uninstall - - - name: Create custom IPsec secret - run: | - kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="15 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - - name: Install Cilium with encryption - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} \ - --helm-set encryption.enabled=true \ - --helm-set encryption.type=ipsec - - - name: Enable Relay - run: | - cilium hubble enable - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait --wait-duration=10m - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Run connectivity test with IPSec (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} --force-deploy \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}) - 2.xml" \ - --junit-property github_job_step="Run connectivity test with IPSec (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Clean up AKS - if: ${{ always() }} - run: | - az group delete --name ${{ env.name }} --yes --no-wait - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() 
}}
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- with:
- name: cilium-junits
- path: cilium-junits/*.xml
- retention-days: 5
-
- - name: Publish Test Results As GitHub Summary
- if: ${{ always() }}
- uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
- with:
- junit-directory: "cilium-junits"
-
- commit-status-final:
- if: ${{ always() }}
- name: Commit Status Final
- needs: installation-and-connectivity
- runs-on: ubuntu-latest
- steps:
- - name: Set final commit status
- uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ needs.installation-and-connectivity.result }}
diff --git a/.github/workflows/conformance-aws-cni.yaml b/.github/workflows/conformance-aws-cni.yaml
deleted file mode 100644
index 46b22e7846891..0000000000000
--- a/.github/workflows/conformance-aws-cni.yaml
+++ /dev/null
@@ -1,316 +0,0 @@ -name: Conformance AWS-CNI (ci-awscni) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 6 hours - schedule: - - cron: '30 0/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - # renovate: datasource=github-releases depName=eksctl-io/eksctl - eksctl_version: v0.165.0 - # renovate: datasource=github-releases depName=kubernetes/kubernetes - kubectl_version: v1.29.0-rc.1 - -jobs: - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/aws" - destination_directory="/tmp/generated/aws" - mkdir -p "${destination_directory}" - - yq -o=json "${work_dir}/k8s-versions.yaml" | jq . > "${destination_directory}/aws.json" - - - name: Generate Matrix - id: set-matrix - run: | - cd /tmp/generated/aws - - if [ "${{ github.event_name }}" == "schedule" ];then - cp aws.json /tmp/matrix.json - else - jq '{ "include": [ .include[] | select(.default) ] }' aws.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - echo "matrix=$(jq -c . 
< /tmp/matrix.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - runs-on: ubuntu-latest - timeout-minutes: 45 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER/./-}" - fi - - # Set ipam.mode=cluster-pool to overwrite the ipam value set by the - # cilium-cli which is setting it to 'eni' because it auto-detects - # the cluster as being EKS. - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --cluster-name=${{ env.clusterName }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=enableIPv4Masquerade=false \ - --helm-set=cni.chainingMode=aws-cni \ - --helm-set=eni.enabled=false \ - --helm-set=ipam.mode=cluster-pool \ - --helm-set=routingMode=native \ - --helm-set=bandwidthManager.enabled=false \ - --wait=false" - - # L7 policies are not supported in chaining mode. 
- CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \ - --test '!fqdn,!l7' --external-target amazon.com --external-ip 1.0.0.1 --external-other-ip 1.1.1.1" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Install kubectl - run: | - curl -sLO "https://dl.k8s.io/release/${{ env.kubectl_version }}/bin/linux/amd64/kubectl" - curl -sLO "https://dl.k8s.io/${{ env.kubectl_version }}/bin/linux/amd64/kubectl.sha256" - echo "$(cat kubectl.sha256) kubectl" | sha256sum --check - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - kubectl version --client - - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Set up AWS CLI credentials - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 - with: - aws-access-key-id: ${{ secrets.AWS_PR_SA_ID }} - aws-secret-access-key: ${{ secrets.AWS_PR_SA_KEY }} - aws-region: ${{ matrix.region }} - - - name: Create EKS cluster - uses: ./.github/actions/setup-eks-cluster - with: - cluster_name: ${{ env.clusterName }} - region: ${{ matrix.region }} - owner: "${{ steps.vars.outputs.owner }}" - version: ${{ matrix.version }} - spot: ${{ github.event_name != 'schedule' }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: 
bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium to be ready - run: | - cilium status --wait --wait-duration=10m - kubectl get pods -n kube-system - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - echo "=== Retrieve cluster state ===" - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - 
retention-days: 5
-
- - name: Upload JUnits [junit]
- if: ${{ always() }}
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- with:
- name: cilium-junits
- path: cilium-junits/*.xml
- retention-days: 5
-
- - name: Publish Test Results As GitHub Summary
- if: ${{ always() }}
- uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
- with:
- junit-directory: "cilium-junits"
-
- commit-status-final:
- if: ${{ always() }}
- name: Commit Status Final
- needs: installation-and-connectivity
- runs-on: ubuntu-latest
- steps:
- - name: Set final commit status
- uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ needs.installation-and-connectivity.result }}
-
- cleanup:
- name: Cleanup EKS Clusters
- if: ${{ always() }}
- continue-on-error: true
- needs: [generate-matrix, installation-and-connectivity]
- runs-on: ubuntu-latest
- timeout-minutes: 45
- strategy:
- fail-fast: false
- matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}}
-
- steps:
- - name: Install eksctl CLI
- run: |
- curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz"
- sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin
- rm eksctl_$(uname -s)_amd64.tar.gz
-
- - name: Set up AWS CLI credentials
- uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
- with:
- aws-access-key-id: ${{ secrets.AWS_PR_SA_ID }}
- aws-secret-access-key: ${{ secrets.AWS_PR_SA_KEY }}
- aws-region: ${{ matrix.region }}
-
- - name: Clean up EKS
- run: |
- eksctl delete cluster --name ${{ env.clusterName }} --region ${{ matrix.region }}
diff --git a/.github/workflows/conformance-clustermesh.yaml b/.github/workflows/conformance-clustermesh.yaml
deleted file mode 100644
index 397298ed4a89c..0000000000000
--- a/.github/workflows/conformance-clustermesh.yaml
+++ /dev/null
@@ -1,488 +0,0 @@ -name: Conformance Cluster Mesh (ci-clustermesh) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=github-releases depName=kubernetes-sigs/kind - kind_version: v0.20.0 - # renovate: datasource=docker depName=quay.io/cilium/kindest-node - k8s_version: v1.29.0-rc.1 - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - clusterName1: cluster1-${{ github.run_id }} - clusterName2: cluster2-${{ github.run_id }} - contextName1: kind-cluster1-${{ github.run_id }} - contextName2: kind-cluster2-${{ github.run_id }} - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - -jobs: - commit-status-start: - if: ${{ github.event_name != 'push' }} - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - installation-and-connectivity: - name: Installation and Connectivity Test - runs-on: ubuntu-latest - timeout-minutes: 60 - env: - job_name: "Installation and Connectivity Test" - - strategy: - fail-fast: false - matrix: - include: - - name: '1' - tunnel: 'disabled' - ipfamily: 'ipv4' - encryption: 'disabled' - kube-proxy: 'iptables' - kvstoremesh: true - cm-auth-mode-1: 'legacy' - cm-auth-mode-2: 'legacy' - maxConnectedClusters: '255' - - - name: '2' - tunnel: 'disabled' - ipfamily: 'ipv4' - encryption: 'wireguard' - kube-proxy: 'none' - kvstoremesh: false - cm-auth-mode-1: 'migration' - cm-auth-mode-2: 'migration' - maxConnectedClusters: '511' - - # IPsec encryption cannot be used with BPF NodePort. 
- - name: '3' - tunnel: 'disabled' - ipfamily: 'ipv4' - encryption: 'ipsec' - kube-proxy: 'iptables' - kvstoremesh: true - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - - # IPsec encryption is currently not supported in case of ipv6-only clusters (#23553) - # Wireguard encryption is currently affected by a bug in case of ipv6-only clusters (#23917) - - name: '4' - tunnel: 'disabled' - ipfamily: 'ipv6' - encryption: 'disabled' - kube-proxy: 'none' - kvstoremesh: false - cm-auth-mode-1: 'legacy' - cm-auth-mode-2: 'migration' - maxConnectedClusters: '255' - - # IPsec encryption cannot be used with BPF NodePort. - - name: '5' - tunnel: 'disabled' - ipfamily: 'dual' - encryption: 'ipsec' - kube-proxy: 'iptables' - kvstoremesh: true - cm-auth-mode-1: 'migration' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - - - name: '6' - tunnel: 'vxlan' - ipfamily: 'ipv4' - encryption: 'disabled' - kube-proxy: 'none' - kvstoremesh: false - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '511' - - - name: '7' - tunnel: 'geneve' - ipfamily: 'ipv4' - encryption: 'wireguard' - kube-proxy: 'iptables' - kvstoremesh: true - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - - # IPsec encryption cannot be used with BPF NodePort. 
- - name: '8' - tunnel: 'vxlan' - ipfamily: 'ipv4' - encryption: 'ipsec' - kube-proxy: 'iptables' - kvstoremesh: false - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - - # Tunneling is currently not supported in case of ipv6-only clusters (#17240) - # - name: '9' - # tunnel: 'vxlan' - # ipfamily: 'ipv6' - # encryption: 'disabled' - # kube-proxy: 'none' - # kvstoremesh: true - # cm-auth-mode-1: 'cluster' - # cm-auth-mode-2: 'cluster' - - - name: '10' - tunnel: 'vxlan' - ipfamily: 'dual' - encryption: 'wireguard' - kube-proxy: 'iptables' - kvstoremesh: false - cm-auth-mode-1: 'cluster' - cm-auth-mode-2: 'cluster' - maxConnectedClusters: '255' - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - - - name: Set up job variables for GHA environment - id: vars - run: | - - # bpf.masquerade is disabled due to #23283 - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=bpf.masquerade=false \ - --helm-set=bpf.monitorAggregation=none \ - --helm-set=hubble.enabled=true \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=clustermesh.useAPIServer=true \ - --helm-set=clustermesh.apiserver.kvstoremesh.enabled=${{ matrix.kvstoremesh }} \ - --helm-set=clustermesh.maxConnectedClusters=${{ matrix.maxConnectedClusters }} \ - " - - CILIUM_INSTALL_TUNNEL="--helm-set=tunnelProtocol=${{ matrix.tunnel }}" - if [ "${{ matrix.tunnel }}" == "disabled" ]; then - CILIUM_INSTALL_TUNNEL="--helm-set-string=routingMode=native \ - --helm-set=autoDirectNodeRoutes=true \ - --helm-set=ipv4NativeRoutingCIDR=10.240.0.0/12 \ - 
--helm-set=ipv6NativeRoutingCIDR=fd00:10:240::/44" - fi - - case "${{ matrix.ipFamily }}" in - ipv4) - CILIUM_INSTALL_IPFAMILY="--helm-set=ipv4.enabled=true --helm-set=ipv6.enabled=false" - KIND_POD_CIDR_1="10.242.0.0/16" - KIND_SVC_CIDR_1="10.243.0.0/16" - KIND_POD_CIDR_2="10.244.0.0/16" - KIND_SVC_CIDR_2="10.245.0.0/16" - ;; - ipv6) - CILIUM_INSTALL_IPFAMILY="--helm-set=ipv4.enabled=false --helm-set=ipv6.enabled=true" - KIND_POD_CIDR_1="fd00:10:242::/48" - KIND_SVC_CIDR_1="fd00:10:243::/112" - KIND_POD_CIDR_2="fd00:10:244::/48" - KIND_SVC_CIDR_2="fd00:10:245::/112" - ;; - dual) - CILIUM_INSTALL_IPFAMILY="--helm-set=ipv4.enabled=true --helm-set=ipv6.enabled=true" - KIND_POD_CIDR_1="10.242.0.0/16,fd00:10:242::/48" - KIND_SVC_CIDR_1="10.243.0.0/16,fd00:10:243::/112" - KIND_POD_CIDR_2="10.244.0.0/16,fd00:10:244::/48" - KIND_SVC_CIDR_2="10.245.0.0/16,fd00:10:245::/112" - ;; - *) - echo "Unknown IP family '${{ matrix.ipFamily }}'" && false - ;; - esac - - CILIUM_INSTALL_ENCRYPTION="" - if [ "${{ matrix.encryption }}" != "disabled" ]; then - CILIUM_INSTALL_ENCRYPTION="--helm-set=encryption.enabled=true \ - --helm-set=encryption.type=${{ matrix.encryption }}" - fi - - CONNECTIVITY_TEST_DEFAULTS="--hubble=false \ - --flow-validation=disabled \ - --multi-cluster=${{ env.contextName2 }} \ - --external-target=google.com \ - --collect-sysdump-on-failure" - - # Skip external traffic (e.g. 
1.1.1.1 and www.google.com) tests as IPv6 is not supported - # in GitHub runners: https://github.com/actions/runner-images/issues/668 - if [[ "${{ matrix.ipFamily }}" == "ipv6" ]]; then - CONNECTIVITY_TEST_DEFAULTS="$CONNECTIVITY_TEST_DEFAULTS \ - --test='!/pod-to-world' \ - --test='!/pod-to-cidr'" - fi - - echo cilium_install_defaults="${CILIUM_INSTALL_DEFAULTS} ${CILIUM_INSTALL_TUNNEL} \ - ${CILIUM_INSTALL_IPFAMILY} ${CILIUM_INSTALL_ENCRYPTION}" >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - echo kind_pod_cidr_1=${KIND_POD_CIDR_1} >> $GITHUB_OUTPUT - echo kind_svc_cidr_1=${KIND_SVC_CIDR_1} >> $GITHUB_OUTPUT - echo kind_pod_cidr_2=${KIND_POD_CIDR_2} >> $GITHUB_OUTPUT - echo kind_svc_cidr_2=${KIND_SVC_CIDR_2} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Generate Kind configuration files - run: | - K8S_VERSION=${{ env.k8s_version }} \ - PODCIDR=${{ steps.vars.outputs.kind_pod_cidr_1 }} \ - SVCCIDR=${{ steps.vars.outputs.kind_svc_cidr_1 }} \ - IPFAMILY=${{ matrix.ipFamily }} \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster1.yaml - - K8S_VERSION=${{ env.k8s_version }} \ - PODCIDR=${{ steps.vars.outputs.kind_pod_cidr_2 }} \ - SVCCIDR=${{ steps.vars.outputs.kind_svc_cidr_2 }} \ - IPFAMILY=${{ matrix.ipFamily }} \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster2.yaml - - - name: Create Kind cluster 1 - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - cluster_name: ${{ env.clusterName1 }} - version: ${{ env.kind_version }} - 
kubectl_version: ${{ env.k8s_version }} - config: ./.github/kind-config-cluster1.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Create Kind cluster 2 - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - cluster_name: ${{ env.clusterName2 }} - version: ${{ env.kind_version }} - kubectl_version: ${{ env.k8s_version }} - config: ./.github/kind-config-cluster2.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - # Make sure that coredns uses IPv4-only upstream DNS servers also in case of clusters - # with IP family dual, since IPv6 ones are not reachable and cause spurious failures. - - name: Configure the coredns nameservers - if: matrix.ipfamily == 'dual' - run: | - COREDNS_PATCH=" - spec: - template: - spec: - dnsPolicy: None - dnsConfig: - nameservers: - - 8.8.4.4 - - 8.8.8.8 - " - - kubectl --context ${{ env.contextName1 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH" - kubectl --context ${{ env.contextName2 }} patch deployment -n kube-system coredns --patch="$COREDNS_PATCH" - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci clustermesh-apiserver-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Create the IPSec secret in both clusters - if: matrix.encryption == 'ipsec' - run: | - SECRET="3 rfc4106(gcm(aes)) $(openssl rand -hex 20) 128" - kubectl --context ${{ env.contextName1 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - kubectl --context ${{ env.contextName2 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - - - name: Install Cilium in cluster1 - id: install-cilium-cluster1 - run: | - # Explicitly configure the NodePort to make sure that it is different in - # each cluster, to workaround #24692 - cilium --context ${{ env.contextName1 }} install \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - --helm-set cluster.name=${{ env.clusterName1 }} \ - --helm-set cluster.id=1 \ - --helm-set clustermesh.apiserver.service.nodePort=32379 \ - --helm-set clustermesh.apiserver.tls.authMode=${{ matrix.cm-auth-mode-1 }} - - - name: Copy the Cilium CA secret to cluster2, as they must match - run: | - kubectl --context ${{ env.contextName1 }} get secret -n kube-system cilium-ca -o yaml | - kubectl --context ${{ env.contextName2 }} create -f - - - - name: Install Cilium in cluster2 - run: | - # Explicitly configure the NodePort to make sure that it is different in - # each cluster, to workaround #24692 - cilium --context ${{ env.contextName2 }} install \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - --helm-set cluster.name=${{ env.clusterName2 }} \ - --helm-set cluster.id=255 \ - --helm-set clustermesh.apiserver.service.nodePort=32380 \ - --helm-set clustermesh.apiserver.tls.authMode=${{ matrix.cm-auth-mode-2 }} - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ 
env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait - cilium --context ${{ env.contextName2 }} clustermesh status --wait - - - name: Connect clusters - run: | - cilium --context ${{ env.contextName1 }} clustermesh connect --destination-context ${{ env.contextName2 }} - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait - cilium --context ${{ env.contextName2 }} clustermesh status --wait - - - name: Port forward Relay - run: | - cilium --context ${{ env.contextName1 }} hubble port-forward & - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium-cluster1.outcome != 'skipped' }} - run: | - cilium --context ${{ env.contextName1 }} status - cilium --context ${{ env.contextName1 }} clustermesh status - cilium --context ${{ env.contextName2 }} status - cilium --context ${{ env.contextName2 }} clustermesh status - - kubectl config use-context ${{ env.contextName1 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context1-final-${{ join(matrix.*, '-') }} - - kubectl config use-context ${{ env.contextName2 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename 
cilium-sysdump-context2-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - - commit-status-final: - if: ${{ always() && github.event_name != 'push' }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} diff --git a/.github/workflows/conformance-e2e.yaml b/.github/workflows/conformance-e2e.yaml deleted file mode 100644 index a8d4b94d04ec0..0000000000000 --- a/.github/workflows/conformance-e2e.yaml +++ /dev/null 
@@ -1,383 +0,0 @@ -name: Conformance E2E (ci-e2e) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 6 hours - schedule: - - cron: '0 5/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - -jobs: - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - runs-on: ubuntu-latest-4cores-16gb - name: 'Setup & Test' - env: - job_name: 'Setup & Test' - strategy: - fail-fast: false - max-parallel: 16 - matrix: - include: - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - # ! NOTE: keep tests-e2e-upgrade.yaml config in sync ! - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - - - name: '1' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '4.19-20231124.100406' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - - - name: '2' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20231124.100406' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - - - name: '3' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20231124.100406' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - endpoint-routes: 'true' - - - name: '4' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20231124.100406' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '5' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20231124.100406' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - 
secondary-network: 'true' - tunnel: 'disabled' - lb-mode: 'dsr' - endpoint-routes: 'true' - egress-gateway: 'true' - host-fw: 'true' - - - name: '6' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20231026.065108' - kube-proxy: 'none' - kpr: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - egress-gateway: 'true' - host-fw: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - - - name: '7' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20231128.012937' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - lb-mode: 'snat' - egress-gateway: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - - - name: '8' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20231128.012937' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'geneve' - endpoint-routes: 'true' - - - name: '9' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20231124.100406' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - encryption: 'wireguard' - encryption-node: 'false' - lb-mode: 'snat' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '10' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20231124.100406' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - encryption: 'wireguard' - encryption-node: 'false' - lb-mode: 'dsr' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '11' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20231026.065108' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - encryption: 'wireguard' - encryption-node: 'true' - lb-mode: 'snat' - egress-gateway: 'true' - ingress-controller: 'true' - - - 
name: '12' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20231128.012937' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - encryption: 'wireguard' - encryption-node: 'true' - lb-mode: 'snat' - egress-gateway: 'true' - ingress-controller: 'true' - - - name: '13' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '4.19-20231124.100406' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - misc: 'policyCIDRMatchMode=nodes' - - - timeout-minutes: 60 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - - - name: Derive Cilium installation config and junit type - id: cilium-config - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: './install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - devices: ${{ matrix.devices }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - ingress-controller: ${{ matrix.ingress-controller }} - misc: ${{ matrix.misc }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Install Cilium CLI-cli - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - binary-name: cilium-cli - binary-dir: ./ - - - name: Set Kind params - id: kind-params - shell: bash - run: | - IP_FAM="dual" - if [ "${{ matrix.ipv6 }}" == "false" ]; then - IP_FAM="ipv4" - fi - echo params="--xdp --secondary-network \"\" 3 \"\" \"\" ${{ matrix.kube-proxy }} $IP_FAM" >> $GITHUB_OUTPUT - - - name: Provision K8s on LVH VM - uses: ./.github/actions/lvh-kind - with: - test-name: e2e-conformance - kernel: ${{ matrix.kernel }} - kind-params: "${{ steps.kind-params.outputs.params }}" - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - shell: bash - run: | - kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]' - - export CILIUM_CLI_MODE=helm - ./cilium-cli install ${{ steps.cilium-config.outputs.config }} - kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-server --timeout=300s - kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-agent --timeout=300s - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium-dbg status - - mkdir -p cilium-junits - - - name: Run tests - shell: bash - run: | - EXTRA="" - if [ "${{ matrix.secondary-network 
}}" = "true" ]; then - EXTRA="--secondary-network-iface=eth1" - fi - - ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ matrix.name }}).xml" \ - --junit-property github_job_step="Run tests (${{ matrix.name }})" \ - $EXTRA - - - name: Fetch artifacts - if: ${{ !success() && steps.run-tests.outcome != 'skipped' }} - shell: bash - run: | - kubectl get pods --all-namespaces -o wide - ./cilium-cli status - mkdir -p cilium-sysdumps - ./cilium-cli sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final - # To debug https://github.com/cilium/cilium/issues/26062 - head -n -0 /proc/buddyinfo /proc/pagetypeinfo - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/conformance-eks.yaml b/.github/workflows/conformance-eks.yaml deleted file mode 100644 index 43d7c0862d97c..0000000000000 
--- a/.github/workflows/conformance-eks.yaml +++ /dev/null 
@@ -1,346 +0,0 @@ -name: Conformance EKS (ci-eks) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 6 hours - schedule: - - cron: '0 1/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - # renovate: datasource=github-releases depName=eksctl-io/eksctl - eksctl_version: v0.165.0 - # renovate: datasource=github-releases depName=kubernetes/kubernetes - kubectl_version: v1.29.0-rc.1 - -jobs: - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/aws" - destination_directory="/tmp/generated/aws" - mkdir -p "${destination_directory}" - - yq -o=json "${work_dir}/k8s-versions.yaml" | jq . > "${destination_directory}/aws.json" - - - name: Generate Matrix - id: set-matrix - run: | - cd /tmp/generated/aws - - if [ "${{ github.event_name }}" == "schedule" ];then - cp aws.json /tmp/matrix.json - else - jq '{ "include": [ .include[] | select(.default) ] }' aws.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - echo "matrix=$(jq -c . 
< /tmp/matrix.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - runs-on: ubuntu-latest - timeout-minutes: 75 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER/./-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --cluster-name=${{ env.clusterName }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set loadBalancer.l7.backend=envoy \ - --helm-set tls.secretsBackend=k8s \ - --helm-set=bpf.monitorAggregation=none \ - --wait=false" - - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \ - --external-target amazon.com" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Install kubectl - run: 
| - curl -sLO "https://dl.k8s.io/release/${{ env.kubectl_version }}/bin/linux/amd64/kubectl" - curl -sLO "https://dl.k8s.io/${{ env.kubectl_version }}/bin/linux/amd64/kubectl.sha256" - echo "$(cat kubectl.sha256) kubectl" | sha256sum --check - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - kubectl version --client - - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Set up AWS CLI credentials - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 - with: - aws-access-key-id: ${{ secrets.AWS_PR_SA_ID }} - aws-secret-access-key: ${{ secrets.AWS_PR_SA_KEY }} - aws-region: ${{ matrix.region }} - - - name: Create EKS cluster - uses: ./.github/actions/setup-eks-cluster - with: - cluster_name: ${{ env.clusterName }} - region: ${{ matrix.region }} - owner: "${{ steps.vars.outputs.owner }}" - version: ${{ matrix.version }} - spot: ${{ github.event_name != 'schedule' }} - - # This is a workaround for flake #16938. - - name: Remove AWS-CNI - run: | - kubectl -n kube-system delete daemonset aws-node - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-aws-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium to be ready - run: | - cilium status --wait --wait-duration=10m - kubectl get pods -n kube-system - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}) - 1.xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Clean up Cilium - run: | - pkill -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" || test $? 
-eq 1 - cilium uninstall --wait - - - name: Create custom IPsec secret - run: | - kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="15 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - - name: Install Cilium with encryption - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} \ - --helm-set encryption.enabled=true \ - --helm-set encryption.type=ipsec - - - name: Wait for Cilium to be ready - run: | - cilium status --wait --wait-duration=10m - kubectl get pods -n kube-system - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Run connectivity test with IPSec (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} --force-deploy \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}) - 2.xml" \ - --junit-property github_job_step="Run connectivity test with IPSec (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ 
always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} - - cleanup: - name: Cleanup EKS Clusters - if: ${{ always() }} - continue-on-error: true - needs: [generate-matrix, installation-and-connectivity] - runs-on: ubuntu-latest - timeout-minutes: 30 - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Install eksctl CLI - run: | - curl -LO "https://github.com/eksctl-io/eksctl/releases/download/${{ env.eksctl_version }}/eksctl_$(uname -s)_amd64.tar.gz" - sudo tar xzvfC eksctl_$(uname -s)_amd64.tar.gz /usr/bin - rm eksctl_$(uname -s)_amd64.tar.gz - - - name: Set up AWS CLI credentials - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 - with: - aws-access-key-id: ${{ secrets.AWS_PR_SA_ID }} - aws-secret-access-key: ${{ secrets.AWS_PR_SA_KEY }} - aws-region: ${{ matrix.region }} - - - name: Clean up EKS - run: | - eksctl delete cluster --name ${{ env.clusterName }} --region ${{ matrix.region }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently diff --git a/.github/workflows/conformance-externalworkloads.yaml b/.github/workflows/conformance-externalworkloads.yaml deleted file mode 100644 index 37233d1998643..0000000000000 --- a/.github/workflows/conformance-externalworkloads.yaml +++ /dev/null 
@@ -1,351 +0,0 @@ -name: Conformance External Workloads (ci-external-workloads) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 6 hours - schedule: - - cron: '0 4/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}-vm - vmName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }}-vm - vmStartupScript: .github/gcp-vm-startup.sh - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - USE_GKE_GCLOUD_AUTH_PLUGIN: True - -jobs: - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/gke" - destination_directory="/tmp/generated/gke" - mkdir -p "${destination_directory}" - - yq -o=json ${work_dir}/k8s-versions.yaml | jq . > "${destination_directory}/gke.json" - - - name: Generate Matrix - id: set-matrix - run: | - cd /tmp/generated/gke - - if [ "${{ github.event_name }}" == "schedule" ];then - jq '{ "include": [ .k8s[] ] }' gke.json > /tmp/matrix.json - else - jq '{ "include": [ .k8s[] | select(.default) ] }' gke.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - echo "matrix=$(jq -c . 
< /tmp/matrix.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - runs-on: ubuntu-latest - timeout-minutes: 45 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER/./-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --cluster-name=${{ env.clusterName }} \ - --datapath-mode=tunnel \ - --helm-set kubeProxyReplacement=strict" - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \ - --external-target google.com --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8" - # Explicitly specify LoadBalancer service type since the default type is NodePort in Helm mode. - # Ref: https://github.com/cilium/cilium-cli/pull/1527#discussion_r1177244379 - # - # In Helm mode, externalWorkloads.enabled is set to false by default. You need to pass - # --enable-external-workloads flag to enable it. 
- # Ref: https://github.com/cilium/cilium/pull/25259 - CLUSTERMESH_ENABLE_DEFAULTS="--service-type LoadBalancer --enable-external-workloads" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo clustermesh_enable_defaults=${CLUSTERMESH_ENABLE_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Set up gcloud credentials - id: 'auth' - uses: google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591 # v2.0.0 - with: - credentials_json: '${{ secrets.GCP_PR_SA_KEY }}' - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1 - with: - project_id: ${{ secrets.GCP_PROJECT_ID }} - version: "405.0.0" - - - name: Install gke-gcloud-auth-plugin - run: | - gcloud components install gke-gcloud-auth-plugin - - - name: Display gcloud CLI info - run: | - gcloud info - - - name: Create GCP VM - uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0 - with: - retry_on: error - timeout_minutes: 1 - max_attempts: 10 - command: | - gcloud compute instances create ${{ env.vmName }}-${{ matrix.vmIndex }} \ - --labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name }},owner=${{ 
steps.vars.outputs.owner }}" \ - --zone ${{ matrix.zone }} \ - --machine-type e2-custom-2-4096 \ - --boot-disk-type pd-standard \ - --boot-disk-size 10GB \ - --preemptible \ - --image-project ubuntu-os-cloud \ - --image-family ubuntu-2004-lts \ - --metadata hostname=${{ env.vmName }}-${{ matrix.vmIndex }} \ - --metadata-from-file startup-script=${{ env.vmStartupScript}} - - - name: Create GKE cluster - run: | - gcloud container clusters create ${{ env.clusterName }} \ - --labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name }},owner=${{ steps.vars.outputs.owner }}" \ - --zone ${{ matrix.zone }} \ - --cluster-version ${{ matrix.version }} \ - --enable-ip-alias \ - --node-taints node.cilium.io/agent-not-ready=true:NoExecute \ - --cluster-ipv4-cidr="/21" \ - --services-ipv4-cidr="/24" \ - --image-type COS_CONTAINERD \ - --num-nodes 2 \ - --machine-type e2-custom-2-4096 \ - --disk-type pd-standard \ - --disk-size 20GB \ - --preemptible - - - name: Get cluster credentials - run: | - gcloud container clusters get-credentials ${{ env.clusterName }} --zone ${{ matrix.zone }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci clustermesh-apiserver-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium in cluster - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Enable cluster mesh - run: | - cilium clustermesh enable ${{ steps.vars.outputs.clustermesh_enable_defaults }} - - - name: Wait for cluster mesh status to be ready - run: | - cilium clustermesh status --wait - - - name: Add VM to cluster mesh - run: | - cilium clustermesh vm create ${{ env.vmName }}-${{ matrix.vmIndex }} -n default --ipv4-alloc-cidr 10.192.1.0/30 - cilium clustermesh vm status - - - name: 
Install Cilium on VM - run: | - cilium clustermesh vm install install-external-workload.sh --config debug - gcloud compute scp install-external-workload.sh ${{ env.vmName }}-${{ matrix.vmIndex }}:~/ --zone ${{ matrix.zone }} - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \ - --command "~/install-external-workload.sh" - sleep 5s - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \ - --command "sudo cilium-dbg status" - - - name: Verify cluster DNS on VM - # Limit nslookup to the first (global) DNS server setting - run: | - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \ - --command "nslookup -d2 -retry=10 -timeout=5 -norecurse clustermesh-apiserver.kube-system.svc.cluster.local \$(systemd-resolve --status | grep -m 1 \"Current DNS Server:\" | cut -d':' -f2)" - - - name: Ping clustermesh-apiserver from VM - run: | - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} \ - --command "ping -c 3 \$(sudo cilium-dbg service list get -o jsonpath='{[?(@.spec.flags.name==\"clustermesh-apiserver\")].spec.backend-addresses[0].ip}')" - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ join(matrix.*, ', ') }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run connectivity test (${{ join(matrix.*, ', ') }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - kubectl get cew --all-namespaces -o wide - kubectl get cep --all-namespaces -o wide - cilium status - cilium clustermesh status - cilium clustermesh vm status - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone 
}} --command "sudo cilium status" - gcloud compute ssh ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} --command "sudo docker logs cilium --timestamps" - cilium sysdump --output-filename cilium-sysdump-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Clean up GKE cluster and VM - if: ${{ always() }} - run: | - while [ "$(gcloud container operations list --zone ${{ matrix.zone }} --filter="status=RUNNING AND targetLink~${{ env.clusterName }}" --format="value(name)")" ];do - echo "cluster has an ongoing operation, waiting for all operations to finish"; sleep 15 - done - gcloud container clusters delete ${{ env.clusterName }} --zone ${{ matrix.zone }} --quiet --async - gcloud compute instances delete ${{ env.vmName }}-${{ matrix.vmIndex }} --zone ${{ matrix.zone }} --quiet - shell: bash {0} # Disable default fail-fast behavior so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }} 
diff --git a/.github/workflows/conformance-gateway-api.yaml b/.github/workflows/conformance-gateway-api.yaml deleted file mode 100644 index c35da7bae349c..0000000000000 --- a/.github/workflows/conformance-gateway-api.yaml +++ /dev/null 
@@ -1,300 +0,0 @@ -name: Conformance Gateway API - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - - 'test/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - # renovate: datasource=github-releases depName=kubernetes-sigs/kind - kind_version: v0.20.0 - kind_config: .github/kind-config.yaml - gateway_api_version: v1.0.0 - metallb_version: 0.12.1 - timeout: 5m - -jobs: - commit-status-start: - if: ${{ github.event_name != 'push' }} - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - gateway-api-conformance-test: - name: Gateway API Conformance Test - runs-on: ubuntu-latest - timeout-minutes: 120 - strategy: - fail-fast: false - matrix: - include: - - crd-channel: experimental - conformance-profile: false - - crd-channel: standard - conformance-profile: false - - crd-channel: experimental - conformance-profile: true - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - - - name: Set image tag - id: vars - run: | - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - 
EXEMPT_FEATURES="GatewayPort8080,GatewayStaticAddresses,Mesh" - if [ ${{ matrix.crd-channel }} == "standard" ]; then - EXEMPT_FEATURES+=",HTTPRouteDestinationPortMatching,HTTPRouteRequestTimeout,HTTPRouteBackendTimeout" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=debug.verbose=envoy \ - --helm-set kubeProxyReplacement=true \ - --helm-set=gatewayAPI.enabled=true" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo skipped_tests=${SKIPPED_TESTS} >> $GITHUB_OUTPUT - echo exempt-features=${EXEMPT_FEATURES} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Create kind cluster - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - version: ${{ env.kind_version }} - config: ${{ env.kind_config }} - - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Gateway API CRDs - run: | - # Install Gateway CRDs - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_gatewayclasses.yaml - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/${{ 
matrix.crd-channel }}/gateway.networking.k8s.io_gateways.yaml - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_httproutes.yaml - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/${{ matrix.crd-channel }}/gateway.networking.k8s.io_referencegrants.yaml - ## TLSRoute is only available in experimental channel in v0.7.0 - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml - kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/${{ env.gateway_api_version }}/config/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml - - # To make sure that Gateway API CRs are available - kubectl wait --for condition=Established crd/gatewayclasses.gateway.networking.k8s.io --timeout=${{ env.timeout }} - kubectl wait --for condition=Established crd/gateways.gateway.networking.k8s.io --timeout=${{ env.timeout }} - kubectl wait --for condition=Established crd/httproutes.gateway.networking.k8s.io --timeout=${{ env.timeout }} - kubectl wait --for condition=Established crd/tlsroutes.gateway.networking.k8s.io --timeout=${{ env.timeout }} - kubectl wait --for condition=Established crd/grpcroutes.gateway.networking.k8s.io --timeout=${{ env.timeout }} - kubectl wait --for condition=Established crd/referencegrants.gateway.networking.k8s.io --timeout=${{ env.timeout }} - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Install metallb for LB service - timeout-minutes: 10 - run: | - KIND_NET_CIDR=$(docker network inspect kind -f '{{(index .IPAM.Config 
0).Subnet}}') - METALLB_IP_START=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.200@") - METALLB_IP_END=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.250@") - METALLB_IP_RANGE="${METALLB_IP_START}-${METALLB_IP_END}" - - cat << EOF > metallb_values.yaml - configInline: - address-pools: - - name: default - protocol: layer2 - addresses: - - ${METALLB_IP_RANGE} - psp: - create: false - EOF - - helm install --namespace metallb-system \ - --create-namespace \ - --repo https://metallb.github.io/metallb metallb metallb \ - --version ${{ env.metallb_version }} \ - --values metallb_values.yaml \ - --wait - - - name: Run simple Gateway API GRPCRoute test (temporary till upstream conformance tests) - timeout-minutes: 10 - run: | - kubectl apply -f examples/kubernetes/gateway/grpc-route.yaml - # Install grpcurl binary - go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latest - - # Wait for the deployment - kubectl wait --for=condition=Available --all deployment --timeout=${{ env.timeout }} - lb=$(kubectl get services cilium-gateway-grpc -o json | jq '.status.loadBalancer.ingress[0].ip' | jq -r .) 
- grpcurl -plaintext -authority=my-grpc-service.foo.com $lb:80 yages.Echo/Ping - curl -s -v --fail $lb/yages.Echo/Ping \ - -XPOST \ - -H 'Host: my-grpc-service.foo.com' \ - -H 'Content-Type: application/grpc-web-text' \ - -H 'Accept: application/grpc-web-text' \ - -d'AAAAAAA=' - - - name: Run Gateway API conformance test - timeout-minutes: 30 - run: | - if [ ${{ matrix.conformance-profile }} == "true" ]; then - GATEWAY_API_CONFORMANCE_TESTS=1 go test \ - -p 4 \ - -v ./operator/pkg/gateway-api \ - --gateway-class cilium \ - --all-features \ - --exempt-features "${{ steps.vars.outputs.exempt-features }}" \ - --conformance-profiles HTTP,TLS \ - --organization cilium \ - --project cilium \ - --url github.com/cilium/cilium \ - --version main \ - --contact https://github.com/cilium/community/blob/main/roles/Maintainers.md \ - --report-output report.yaml \ - -test.run "TestExperimentalConformance" \ - -test.skip "${{ steps.vars.outputs.skipped_tests }}" - else - GATEWAY_API_CONFORMANCE_TESTS=1 go test \ - -p 4 \ - -v ./operator/pkg/gateway-api \ - --gateway-class cilium \ - --all-features \ - --exempt-features "${{ steps.vars.outputs.exempt-features }}" \ - -test.run "TestConformance" \ - -test.skip "${{ steps.vars.outputs.skipped_tests }}" - fi - - - name: Upload report artifacts - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: report.yaml - path: operator/pkg/gateway-api/report.yaml - retention-days: 5 - if-no-files-found: ignore - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: 
cilium-sysdump-out.zip - path: cilium-sysdump-out.zip - retention-days: 5 - - commit-status-final: - if: ${{ always() && github.event_name != 'push' }} - name: Commit Status Final - needs: gateway-api-conformance-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.gateway-api-conformance-test.result }}
diff --git a/.github/workflows/conformance-ginkgo.yaml b/.github/workflows/conformance-ginkgo.yaml
deleted file mode 100644
index 463e591a34f8f..0000000000000
--- a/.github/workflows/conformance-ginkgo.yaml
+++ /dev/null
@@ -1,485 +0,0 @@ -name: Conformance Ginkgo (ci-ginkgo) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 6 hours - schedule: - - cron: '0 1/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - -jobs: - setup-vars: - name: Setup Vars - runs-on: ubuntu-latest - outputs: - SHA: ${{ steps.vars.outputs.SHA }} - context-ref: ${{ steps.vars.outputs.context-ref }} - owner: ${{ steps.vars.outputs.owner }} - steps: - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - CONTEXT_REF="${{ inputs.context-ref }}" - OWNER="${{ inputs.PR-number }}" - else - SHA="${{ github.sha }}" - CONTEXT_REF="${{ github.sha }}" - OWNER="${{ github.ref_name }}" - OWNER="${OWNER/./-}" - fi - - echo SHA=${SHA} >> $GITHUB_OUTPUT - echo context-ref=${CONTEXT_REF} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - # Pre-build the ginkgo binary so that we don't have to build it for all - # runners. - build-ginkgo-binary: - runs-on: ubuntu-latest - name: Build Ginkgo E2E - timeout-minutes: 30 - steps: - # If any of these steps are modified, please update the copy of these - # steps further down under the 'setup-and-test' jobs. - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.SHA || github.sha }} - persist-credentials: false - - # Load Ginkgo build from GitHub - - name: Load ginkgo E2E from GH cache - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-e2e-${{ hashFiles('**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - wait-for-images: - needs: setup-vars - runs-on: ubuntu-latest - name: Wait for images - timeout-minutes: 30 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ needs.setup-vars.outputs.SHA }} 
&> /dev/null; do sleep 45s; done - done - - generate-matrix: - name: Generate Job Matrix from YAMLs - needs: setup-vars - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/ginkgo" - destination_directory="/tmp/generated/ginkgo" - mkdir -p "${destination_directory}" - for file in "${work_dir}"/main*.yaml; do - if [[ -f "$file" ]]; then - filename=$(basename "$file") - new_filename="${filename%.yaml}.json" - - yq -o=json "${file}" | jq . > "${destination_directory}/${new_filename}" - fi - done - - - name: Generate Matrix - id: set-matrix - run: | - if ${{ github.event_name == 'schedule' }}; then - k8s_versions_to_run='main-scheduled.json' - else - k8s_versions_to_run='main-prs.json' - fi - - # Generate a Matrix from all k8s versions defined in '${k8s_versions_to_run}' - # combined with 'main-focus.yaml'. - # Use 'main-k8s-versions.yaml' to - # retrieve which kernel versions should be used for which k8s version. - - dir="/tmp/generated/ginkgo" - cd ${dir} - jq --argjson prs "$(jq '.["k8s-version"]' ${k8s_versions_to_run})" \ - --argfile focus main-focus.json \ - '.include |= map(select(.["k8s-version"] as $k | $prs[] | select($k == .))) + $focus.include | - . + {"k8s-version": $prs} | - .focus = $focus.focus | .exclude = $focus.exclude' \ - main-k8s-versions.json> /tmp/merged.json - echo "Generated matrix:" - cat /tmp/merged.json - echo "matrix=$(jq -c . 
< /tmp/merged.json)" >> $GITHUB_OUTPUT - - setup-and-test: - needs: [setup-vars, build-ginkgo-binary, generate-matrix, wait-for-images] - runs-on: - group: ginkgo-runners - timeout-minutes: 35 - name: "E2E Test (${{ matrix.k8s-version }}, ${{matrix.focus}})" - env: - job_name: "E2E Test (${{ matrix.k8s-version }}, ${{matrix.focus}})" - strategy: - fail-fast: false - max-parallel: 60 - matrix: ${{ fromJSON(needs.generate-matrix.outputs.matrix) }} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.SHA || github.sha }} - persist-credentials: false - - - name: Install cilium-cli - shell: bash - run: | - cid=$(docker create quay.io/cilium/cilium-cli-ci:latest ls) - docker cp $cid:/usr/local/bin/cilium ./cilium-cli - docker rm $cid - - - name: Install helm - shell: bash - run: | - # renovate: datasource=github-releases depName=helm/helm - HELM_VERSION=v3.13.1 - wget "https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" - tar -xf "helm-${HELM_VERSION}-linux-amd64.tar.gz" - mv ./linux-amd64/helm ./helm - - - name: Provision LVH VMs - id: provision-vh-vms - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - test-name: datapath-conformance - install-dependencies: true - image-version: ${{ matrix.kernel }} - host-mount: ./ - cpu: 4 - mem: 12G - cmd: | - git config --global --add safe.directory /host - mv /host/helm /usr/bin - mv /host/cilium-cli /usr/bin - - - name: Provision kind - timeout-minutes: 5 - uses: 
cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - if [[ "${{ matrix.kernel }}" == bpf-next-* ]]; then - ./contrib/scripts/kind.sh "" 2 "" "${{ matrix.kube-image }}" "none" "${{ matrix.ip-family }}" - kubectl label node kind-worker2 cilium.io/ci-node=kind-worker2 - # Avoid re-labeling this node by setting "node-role.kubernetes.io/controlplane" - kubectl label node kind-worker2 node-role.kubernetes.io/controlplane= - else - ./contrib/scripts/kind.sh "" 1 "" "${{ matrix.kube-image }}" "iptables" "${{ matrix.ip-family }}" - fi - # Some tests using demo-customcalls.yaml are mounting this directoy - mkdir -p /home/vagrant/go/src/github.com/cilium - ln -s /host /home/vagrant/go/src/github.com/cilium/cilium - git config --add safe.directory /cilium - - # Load Ginkgo build from GitHub - - name: Load ${{ matrix.name }} Ginkgo build from GitHub - uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-e2e-${{ hashFiles('**/*.go') }} - - # Re-build the tests if it was a cache miss. 
- - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Copy Ginkgo binary - shell: bash - run: | - cd test/ - tar -xf /tmp/.ginkgo-build/test.tgz - - - name: Run tests - id: run-tests - timeout-minutes: 40 - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/test/ - kubectl get ns -A -o wide - kubectl get pods -A -o wide - export K8S_NODES=2 - export NETNEXT=0 - if [[ "${{ matrix.kernel }}" == bpf-next-* ]]; then - export KERNEL=net-next - export NETNEXT=1 - export KUBEPROXY=0 - export K8S_NODES=3 - export NO_CILIUM_ON_NODES=kind-worker2 - elif [[ "${{ matrix.kernel }}" == 4.19-* ]]; then - export KERNEL=419 - elif [[ "${{ matrix.kernel }}" == 5.4-* ]]; then - export KERNEL=54 - fi - export K8S_VERSION=${{ matrix.k8s-version }} - export CNI_INTEGRATION=kind - export INTEGRATION_TESTS=true - # GitHub actions do not support IPv6 connectivity to outside - # world. 
- export CILIUM_NO_IPV6_OUTSIDE=true - echo "/root/go/bin/ginkgo \ - --focus=\"${{ matrix.cliFocus }}\" \ - --skip=\"${{ matrix.cliSkip }}\" \ - --seed=1679952881 \ - -v -- \ - -cilium.provision=false \ - -cilium.image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - -cilium.tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.operator-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - -cilium.operator-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.hubble-relay-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - -cilium.hubble-relay-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.kubeconfig=/root/.kube/config \ - -cilium.provision-k8s=false \ - -cilium.operator-suffix=-ci" - - ./test.test \ - --ginkgo.focus="${{ matrix.cliFocus }}" \ - --ginkgo.skip="${{ matrix.cliSkip }}" \ - --ginkgo.seed=1679952881 \ - --ginkgo.v -- \ - -cilium.provision=false \ - -cilium.image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - -cilium.tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.operator-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - -cilium.operator-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.hubble-relay-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - -cilium.hubble-relay-tag=${{ needs.setup-vars.outputs.SHA }} \ - -cilium.kubeconfig=/root/.kube/config \ - -cilium.provision-k8s=false \ - -cilium.operator-suffix=-ci - - - name: Fetch artifacts - if: ${{ !success() && steps.provision-vh-vms.outcome == 'success' }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host - kubectl get pods --all-namespaces -o wide - tar -zcf "test_results-${{ env.job_name }}.tar.gz" /host/test/test_results - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: | - cilium-sysdump-*.zip - bugtool-*.tar.gz - 
test_results-*.tar.gz - retention-days: 5 - - name: Fetch JUnits - if: ${{ always() && steps.run-tests.outcome != 'skipped' }} - shell: bash - run: | - mkdir -p cilium-junits - cd test/ - junit_filename="${{ env.job_name }}.xml" - for filename in *.xml; do cp "$(unknown)" "../cilium-junits/${junit_filename}"; done; - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Determine final commit status - id: commit-status - shell: bash - run: | - # When one of the prerequisites of setup-and-test fails, then that - # job gets skipped. Let's convert the status so that we correctly - # report that as a proper failure. - if [ "${{ needs.setup-and-test.result }}" != "skipped" ]; then - echo "status=${{ needs.setup-and-test.result }}" >> $GITHUB_OUTPUT - else - echo "status=failure" >> $GITHUB_OUTPUT - fi - - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ steps.commit-status.outputs.status }}
diff --git a/.github/workflows/conformance-gke.yaml b/.github/workflows/conformance-gke.yaml
deleted file mode 100644
index 34b9a801e6732..0000000000000
--- a/.github/workflows/conformance-gke.yaml
+++ /dev/null
@@ -1,310 +0,0 @@ -name: Conformance GKE (ci-gke) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 6 hours - schedule: - - cron: '0 2/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - clusterName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - USE_GKE_GCLOUD_AUTH_PLUGIN: True - -jobs: - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - generate-matrix: - name: Generate Matrix - runs-on: ubuntu-latest - outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Convert YAML to JSON - run: | - work_dir=".github/actions/gke" - destination_directory="/tmp/generated/gke" - mkdir -p "${destination_directory}" - - ls ${work_dir}/*.yaml | grep -v 'schema\|classic' | while read file;do - filename=$(basename "$file") - new_filename="${filename%.yaml}.json" - yq -o=json "${file}" | jq . 
> "${destination_directory}/${new_filename}" - done - - # Merge 2 files into one - jq -s "add" ${destination_directory}/*.json > "${destination_directory}/gke.json" - - - name: Generate Matrix - id: set-matrix - run: | - cd /tmp/generated/gke - - if [ "${{ github.event_name }}" == "schedule" ];then - cp gke.json /tmp/matrix.json - else - jq '{ "k8s": [ .k8s[] | select(.default) ], "config": .config}' gke.json > /tmp/matrix.json - fi - - echo "Generated matrix:" - cat /tmp/matrix.json - echo "matrix=$(jq -c . < /tmp/matrix.json)" >> $GITHUB_OUTPUT - - installation-and-connectivity: - name: Installation and Connectivity Test - needs: generate-matrix - runs-on: ubuntu-latest - timeout-minutes: 75 - env: - job_name: "Installation and Connectivity Test" - strategy: - fail-fast: false - matrix: ${{fromJson(needs.generate-matrix.outputs.matrix)}} - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - OWNER="${{ inputs.PR-number }}" - else - OWNER="${{ github.ref_name }}" - OWNER="${OWNER/./-}" - fi - - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --cluster-name=${{ env.clusterName }}-${{ matrix.config.index }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=agentNotReadyTaintKey=ignore-taint.cluster-autoscaler.kubernetes.io/cilium-agent-not-ready \ - --helm-set loadBalancer.l7.backend=envoy \ - --helm-set tls.secretsBackend=k8s \ - --wait=false" - - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false 
--collect-sysdump-on-failure \ - --external-target google.com --external-cidr 8.0.0.0/8 --external-ip 8.8.8.8 --external-other-ip 8.8.4.4" - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo hubble_enable_defaults=${HUBBLE_ENABLE_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Set up gcloud credentials - id: 'auth' - uses: google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591 # v2.0.0 - with: - credentials_json: '${{ secrets.GCP_PR_SA_KEY }}' - - - name: Set up gcloud CLI - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1 - with: - project_id: ${{ secrets.GCP_PROJECT_ID }} - version: "405.0.0" - - - name: Install gke-gcloud-auth-plugin - run: | - gcloud components install gke-gcloud-auth-plugin - - - name: Display gcloud CLI info - run: | - gcloud info - - - name: Create GKE cluster - run: | - gcloud container clusters create ${{ env.clusterName }}-${{ matrix.config.index }} \ - --labels "usage=${{ github.repository_owner }}-${{ github.event.repository.name }},owner=${{ steps.vars.outputs.owner }}" \ - --zone ${{ matrix.k8s.zone }} \ - --cluster-version ${{ matrix.k8s.version }} \ - --enable-ip-alias \ - 
--create-subnetwork="range=/26" \ - --cluster-ipv4-cidr="/21" \ - --services-ipv4-cidr="/24" \ - --image-type COS_CONTAINERD \ - --num-nodes 2 \ - --machine-type e2-custom-2-4096 \ - --disk-type pd-standard \ - --disk-size 20GB \ - --node-taints ignore-taint.cluster-autoscaler.kubernetes.io/cilium-agent-not-ready=true:NoExecute \ - --preemptible - - - name: Get cluster credentials - run: | - gcloud container clusters get-credentials ${{ env.clusterName }}-${{ matrix.config.index }} --zone ${{ matrix.k8s.zone }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Create custom IPsec secret - if: ${{ matrix.config.type == 'ipsec' || matrix.config.type == 'tunnel-ipsec' }} - run: | - kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="15 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} ${{ matrix.config.cilium-install-opts }} - - - name: Wait for Cilium to be ready - run: | - cilium status --wait --wait-duration=10m - kubectl get pods -n kube-system - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test (${{ matrix.k8s.version }}, ${{ matrix.config.index }}, ${{ matrix.config.type }}) - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.k8s.*, ', ') }}, ${{ 
join(matrix.config.*, ', ') }}).xml" \ - --junit-property github_job_step="Run connectivity test (${{ matrix.k8s.version }}, ${{ matrix.config.index }}, ${{ matrix.config.type }})" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final-${{ matrix.k8s.version }}-${{ matrix.config.index }}-${{ matrix.config.type }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Clean up GKE - if: ${{ always() }} - run: | - while [ "$(gcloud container operations list --zone ${{ matrix.k8s.zone }} --filter="status=RUNNING AND targetLink~${{ env.clusterName }}-${{ matrix.config.index }}" --format="value(name)")" ];do - echo "cluster has an ongoing operation, waiting for all operations to finish"; sleep 15 - done - gcloud container clusters delete ${{ env.clusterName }}-${{ matrix.config.index }} --zone ${{ matrix.k8s.zone }} --quiet --async - shell: bash {0} # Disable default fail-fast behavior so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: installation-and-connectivity - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: 
myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.installation-and-connectivity.result }}
diff --git a/.github/workflows/conformance-ingress.yaml b/.github/workflows/conformance-ingress.yaml
deleted file mode 100644
index f4a1dba11a408..0000000000000
--- a/.github/workflows/conformance-ingress.yaml
+++ /dev/null
@@ -1,302 +0,0 @@
-name: Conformance Ingress (ci-ingress)
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- workflow_dispatch:
- inputs:
- PR-number:
- description: "Pull request number."
- required: true
- context-ref:
- description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
- required: true
- SHA:
- description: "SHA under test (head of the PR branch)."
- required: true
- extra-args:
- description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
- required: false
- default: '{}'
- push:
- branches:
- - main
- - ft/main/**
- paths-ignore:
- - 'Documentation/**'
- - 'test/**'
-
-# By specifying the access of one of the scopes, all of those that are not
-# specified are set to 'none'.
-permissions:
- # To be able to access the repository with actions/checkout
- contents: read
- # To allow retrieving information from the PR API
- pull-requests: read
- # To be able to set commit status
- statuses: write
-
-concurrency:
- # Structure:
- # - Workflow name
- # - Event type
- # - A unique identifier depending on event type:
- # - schedule: SHA
- # - workflow_dispatch: PR number
- #
- # This structure ensures a unique concurrency group name is generated for each
- # type of testing, such that re-runs will cancel the previous run.
- group: |
- ${{ github.workflow }}
- ${{ github.event_name }}
- ${{
- (github.event_name == 'push' && github.sha) ||
- (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
- }}
- cancel-in-progress: true
-
-env:
- cilium_cli_ci_version:
- CILIUM_CLI_MODE: helm
- # renovate: datasource=github-releases depName=kubernetes-sigs/kind
- kind_version: v0.20.0
- kind_config: .github/kind-config.yaml
- metallb_version: 0.12.1
- timeout: 5m
-
-jobs:
- commit-status-start:
- if: ${{ github.event_name != 'push' }}
- name: Commit Status Start
- runs-on: ubuntu-latest
- steps:
- - name: Set initial commit status
- uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
- with:
- sha: ${{ inputs.SHA || github.sha }}
-
- ingress-conformance-test:
- name: Ingress Conformance Test
- runs-on: ubuntu-latest
- timeout-minutes: 120
- strategy:
- fail-fast: false
- matrix:
- include:
- - name: Without XDP
- kube-proxy-replacement: true
- enable-node-port: false
- bpf-lb-acceleration: disabled
- loadbalancer-mode: dedicated
- default-ingress-controller: false
- - name: With XDP
- kube-proxy-replacement: true
- enable-node-port: false
- bpf-lb-acceleration: native
- loadbalancer-mode: dedicated
- default-ingress-controller: false
- - name: With Shared LB
- kube-proxy-replacement: true
- enable-node-port: false
- bpf-lb-acceleration: disabled
- loadbalancer-mode: shared
- default-ingress-controller: false
- - name: With Default Ingress Controller
- kube-proxy-replacement: true
- enable-node-port: false
- bpf-lb-acceleration: disabled
- loadbalancer-mode: dedicated
- default-ingress-controller: true
- - name: Without KPR
- kube-proxy-replacement: false
- enable-node-port: true
- bpf-lb-acceleration: disabled
- loadbalancer-mode: dedicated
- default-ingress-controller: false
-
- steps:
- - name: Checkout context ref (trusted)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: ${{ inputs.context-ref || github.sha }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Install Cilium CLI
- uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16
- with:
- repository: ${{ env.CILIUM_CLI_RELEASE_REPO }}
- release-version: ${{ env.CILIUM_CLI_VERSION }}
- ci-version: ${{ env.cilium_cli_ci_version }}
-
- - name: Get Cilium's default values
- id: default_vars
- uses: ./.github/actions/helm-default
- with:
- image-tag: ${{ inputs.SHA }}
-
- - name: Set image tag
- id: vars
- run: |
- echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
-
- CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
- --helm-set=debug.verbose=envoy \
- --helm-set kubeProxyReplacement=${{ matrix.kube-proxy-replacement }} \
- --helm-set nodePort.enabled=${{ matrix.enable-node-port }} \
- --helm-set=ingressController.enabled=true \
- --helm-set=ingressController.loadbalancerMode=${{ matrix.loadbalancer-mode }} \
- --helm-set=ingressController.default=${{ matrix.default-ingress-controller }} \
- --helm-set=extraConfig.bpf-lb-acceleration=${{ matrix.bpf-lb-acceleration }}"
- echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT
-
- # Warning: since this is a privileged workflow, subsequent workflow job
- # steps must take care not to execute untrusted code.
- - name: Checkout pull request branch (NOT TRUSTED)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: ${{ steps.vars.outputs.sha }}
- persist-credentials: false
-
- - name: Create kind cluster
- uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
- with:
- version: ${{ env.kind_version }}
- config: ${{ env.kind_config }}
-
- - name: Checkout ingress-controller-conformance
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- # Use the forked repo with retry mechanism
- # Please refer to https://github.com/kubernetes-sigs/ingress-controller-conformance/pull/101 for more details.
- repository: cilium/ingress-controller-conformance
- path: ingress-controller-conformance
- ref: 010bbae21b71d9785660b87908dfe2ba8cd2f25d
- persist-credentials: false
-
- - name: Install Ingress conformance test tool
- timeout-minutes: 10
- run: |
- cd ingress-controller-conformance
- make build
-
- - name: Wait for images to be available
- timeout-minutes: 30
- shell: bash
- run: |
- for image in cilium-ci operator-generic-ci ; do
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
- done
-
- - name: Install Cilium
- id: install-cilium
- run: |
- cilium install ${{ steps.vars.outputs.cilium_install_defaults }}
-
- - name: Wait for Cilium to be ready
- run: |
- cilium status --wait
- kubectl get pods -n kube-system
-
- - name: Install metallb for LB service
- timeout-minutes: 10
- run: |
- KIND_NET_CIDR=$(docker network inspect kind -f '{{(index .IPAM.Config 0).Subnet}}')
- METALLB_IP_START=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.200@")
- METALLB_IP_END=$(echo ${KIND_NET_CIDR} | sed "s@0.0/16@255.250@")
- METALLB_IP_RANGE="${METALLB_IP_START}-${METALLB_IP_END}"
-
- cat << EOF > metallb_values.yaml
- configInline:
- address-pools:
- - name: default
- protocol: layer2
- addresses:
- - ${METALLB_IP_RANGE}
- psp:
- create: false
- EOF
-
- helm install --namespace metallb-system \
- --create-namespace \
- --repo https://metallb.github.io/metallb metallb metallb \
- --version ${{ env.metallb_version }} \
- --values metallb_values.yaml \
- --wait
-
- - name: Create sample workload
- timeout-minutes: 5
- run: |
- kubectl apply -n default -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml
- if [ ${{ matrix.default-ingress-controller }} = "true" ]; then
- # remove ingressClassName line from basic-ingress.yaml
- sed -i '/ingressClassName/d' examples/kubernetes/servicemesh/basic-ingress.yaml
- kubectl apply -n default -f examples/kubernetes/servicemesh/basic-ingress.yaml
- kubectl wait -n default --for=condition=Ready --all pod --timeout=${{ env.timeout }}
- fi
-
- kubectl apply -n default -f examples/kubernetes/servicemesh/basic-ingress.yaml
- kubectl wait -n default --for=condition=Ready --all pod --timeout=${{ env.timeout }}
-
- - name: Run Sanity check (external)
- timeout-minutes: 5
- run: |
- lb=$(kubectl get ingress basic-ingress -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
- curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --retry-all-errors --retry-delay 5 --fail -- http://"$lb"
-
- # By now the service should be up, no need to do the manual retries for the second request
- curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --fail -- http://"$lb"/details/1
-
- - name: Run Sanity check (internal to NodePort)
- if: ${{ matrix.kube-proxy-replacement == 'true' }}
- timeout-minutes: 5
- run: |
- if [ ${{ matrix.loadbalancer-mode }} = "dedicated" ]; then
- node_port=$(kubectl get svc cilium-ingress-basic-ingress -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}')
- else
- node_port=$(kubectl get -n kube-system svc cilium-ingress -o jsonpath='{.spec.ports[?(@.port==80)].nodePort}')
- fi
- docker exec -i chart-testing-control-plane curl -s -v --connect-timeout 5 --max-time 20 --retry 3 --fail http://localhost:$node_port/details/1
-
- - name: Cleanup Sanity check
- timeout-minutes: 5
- run: |
- # Clean up after sanity check to avoid any conflicts with the conformance test
- kubectl delete -n default -f examples/kubernetes/servicemesh/basic-ingress.yaml
- kubectl delete -n default -f https://raw.githubusercontent.com/istio/istio/release-1.11/samples/bookinfo/platform/kube/bookinfo.yaml
- kubectl wait ingress basic-ingress --for=delete
-
- - name: Run Ingress conformance test
- timeout-minutes: 30
- run: |
- cd ingress-controller-conformance
- ./ingress-controller-conformance -ingress-class cilium -wait-time-for-ingress-status 60s -wait-time-for-ready 60s
-
- - name: Post-test information gathering
- if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }}
- run: |
- kubectl get pods --all-namespaces -o wide
- cilium status
- cilium sysdump --output-filename cilium-sysdump-out
- shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
-
- - name: Upload artifacts
- if: ${{ !success() }}
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- with:
- name: cilium-sysdump-out.zip
- path: cilium-sysdump-out.zip
- retention-days: 5
-
- commit-status-final:
- if: ${{ always() && github.event_name != 'push' }}
- name: Commit Status Final
- needs: ingress-conformance-test
- runs-on: ubuntu-latest
- steps:
- - name: Set final commit status
- uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ needs.ingress-conformance-test.result }}
diff --git a/.github/workflows/conformance-ipsec-e2e.yaml b/.github/workflows/conformance-ipsec-e2e.yaml
deleted file mode 100644
index 5624ef6431d1d..0000000000000
--- a/.github/workflows/conformance-ipsec-e2e.yaml
+++ /dev/null
@@ -1,356 +0,0 @@
-name: Conformance IPsec E2E (ci-ipsec-e2e)
-
-# Any change in triggers needs to be reflected in the concurrency group.
-on:
- workflow_dispatch:
- inputs:
- PR-number:
- description: "Pull request number."
- required: true
- context-ref:
- description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
- required: true
- SHA:
- description: "SHA under test (head of the PR branch)."
- required: true
- extra-args:
- description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
- required: false
- default: '{}'
- # Run every 6 hours
- schedule:
- - cron: '0 5/6 * * *'
-
-# By specifying the access of one of the scopes, all of those that are not
-# specified are set to 'none'.
-permissions:
- # To be able to access the repository with actions/checkout
- contents: read
- # To allow retrieving information from the PR API
- pull-requests: read
- # To be able to set commit status
- statuses: write
-
-concurrency:
- # Structure:
- # - Workflow name
- # - Event type
- # - A unique identifier depending on event type:
- # - schedule: SHA
- # - workflow_dispatch: PR number
- #
- # This structure ensures a unique concurrency group name is generated for each
- # type of testing, such that re-runs will cancel the previous run.
- group: |
- ${{ github.workflow }}
- ${{ github.event_name }}
- ${{
- (github.event_name == 'schedule' && github.sha) ||
- (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
- }}
- cancel-in-progress: true
-
-env:
- cilium_cli_ci_version:
- check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
-
-jobs:
- commit-status-start:
- name: Commit Status Start
- runs-on: ubuntu-latest
- steps:
- - name: Set initial commit status
- uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
- with:
- sha: ${{ inputs.SHA || github.sha }}
-
- setup-and-test:
- name: 'Setup & Test'
- runs-on: ubuntu-latest-4cores-16gb
- env:
- job_name: 'Setup & Test'
- strategy:
- fail-fast: false
- max-parallel: 16
- matrix:
- include:
- # See https://github.com/cilium/cilium/issues/20606 for configuration table
-
- - name: '1'
- # renovate: datasource=docker depName=quay.io/lvh-images/kind
- kernel: '4.19-20231124.100406'
- kube-proxy: 'iptables'
- kpr: 'false'
- tunnel: 'vxlan'
- encryption: 'ipsec'
- encryption-node: 'false'
-
- - name: '2'
- # renovate: datasource=docker depName=quay.io/lvh-images/kind
- kernel: '5.4-20231124.100406'
- kube-proxy: 'iptables'
- kpr: 'false'
- tunnel: 'disabled'
- encryption: 'ipsec'
- encryption-node: 'false'
-
- - name: '3'
- # renovate: datasource=docker depName=quay.io/lvh-images/kind
- kernel: '5.10-20231124.100406'
- kube-proxy: 'iptables'
- kpr: 'false'
- tunnel: 'disabled'
- encryption: 'ipsec'
- encryption-node: 'false'
- endpoint-routes: 'true'
-
- - name: '4'
- # renovate: datasource=docker depName=quay.io/lvh-images/kind
- kernel: 'bpf-next-20231128.012937'
- kube-proxy: 'iptables'
- kpr: 'false'
- tunnel: 'geneve'
- encryption: 'ipsec'
- encryption-node: 'false'
- endpoint-routes: 'true'
-
- timeout-minutes: 60
- steps:
- - name: Checkout context ref (trusted)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: ${{ inputs.context-ref || github.sha }}
- persist-credentials: false
-
- - name: Set Environment Variables
- uses: ./.github/actions/set-env-variables
-
- - name: Get Cilium's default values
- id: default_vars
- uses: ./.github/actions/helm-default
- with:
- image-tag: ${{ inputs.SHA }}
-
- - name: Set up job variables
- id: vars
- run: |
- CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \
- --wait \
- --helm-set=hubble.eventBufferCapacity=65535 \
- --helm-set=authentication.mutual.spire.enabled=true \
- --helm-set=authentication.mutual.spire.install.enabled=true \
- --nodes-without-cilium=kind-worker3 \
- --helm-set-string=kubeProxyReplacement=${{ matrix.kpr }}"
- TUNNEL="--helm-set-string=tunnelProtocol=${{ matrix.tunnel }}"
- if [ "${{ matrix.tunnel }}" == "disabled" ]; then
- TUNNEL="--helm-set-string=routingMode=native --helm-set-string=autoDirectNodeRoutes=true --helm-set-string=ipv4NativeRoutingCIDR=10.244.0.0/16"
- TUNNEL="${TUNNEL} --helm-set-string=ipv6NativeRoutingCIDR=fd00:10:244::/56"
- fi
- LB_MODE=""
- if [ "${{ matrix.lb-mode }}" != "" ]; then
- LB_MODE="--helm-set-string=loadBalancer.mode=${{ matrix.lb-mode }}"
- fi
- ENDPOINT_ROUTES=""
- if [ "${{ matrix.endpoint-routes }}" == "true" ]; then
- ENDPOINT_ROUTES="--helm-set-string=endpointRoutes.enabled=true"
- fi
- IPV6=""
- if [ "${{ matrix.ipv6 }}" != "false" ]; then
- IPV6="--helm-set=ipv6.enabled=true"
- fi
- MASQ=""
- if [ "${{ matrix.kpr }}" == "true" ]; then
- # BPF-masq requires KPR=true.
- MASQ="--helm-set=bpf.masquerade=true"
- if [ "${{ matrix.host-fw }}" == "true" ]; then
- # BPF IPv6 masquerade not currently supported with host firewall - GH-26074
- MASQ="${MASQ} --helm-set=enableIPv6Masquerade=false"
- fi
- fi
- EGRESS_GATEWAY=""
- if [ "${{ matrix.egress-gateway }}" == "true" ]; then
- EGRESS_GATEWAY="--helm-set=egressGateway.enabled=true --helm-set=debug.enabled=true"
- fi
- LB_ACCELERATION=""
- if [ "${{ matrix.lb-acceleration }}" != "" ]; then
- LB_ACCELERATION="--helm-set=loadBalancer.acceleration=${{ matrix.lb-acceleration }}"
- fi
-
- ENCRYPT=""
- if [ "${{ matrix.encryption }}" != "" ]; then
- ENCRYPT="--helm-set=encryption.enabled=true --helm-set=encryption.type=${{ matrix.encryption }}"
- if [ "${{ matrix.encryption-node }}" != "" ]; then
- ENCRYPT+=" --helm-set=encryption.nodeEncryption=${{ matrix.encryption-node }}"
- fi
- fi
-
- HOST_FW=""
- if [ "${{ matrix.host-fw }}" == "true" ]; then
- HOST_FW="--helm-set=hostFirewall.enabled=true"
- fi
-
- CONFIG="${CILIUM_INSTALL_DEFAULTS} ${TUNNEL} ${LB_MODE} ${ENDPOINT_ROUTES} ${IPV6} ${MASQ} ${EGRESS_GATEWAY} ${ENCRYPT} ${HOST_FW} ${LB_ACCELERATION}"
- echo "cilium_install_defaults=${CONFIG}" >> $GITHUB_OUTPUT
-
- JUNIT=""
- for NAME in ${{ matrix.kube-proxy }} ${{ matrix.tunnel }} ${{ matrix.lb-mode }} ${{ matrix.encryption }} ${{ matrix.endpoint-routes }}; do
- if [[ "${NAME}" != "" ]] && [[ "${NAME}" != "disabled" ]] && [[ "${NAME}" != "none" ]]; then
- if [[ "${JUNIT}" != "" ]]; then
- JUNIT+="-"
- fi
- if [[ "${NAME}" == "true" ]];then
- NAME="endpoint-routes"
- fi
- JUNIT+="${NAME}"
- fi
- done
- echo junit_type="${JUNIT}" >> $GITHUB_OUTPUT
- echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT
-
- # Warning: since this is a privileged workflow, subsequent workflow job
- # steps must take care not to execute untrusted code.
- - name: Checkout pull request branch (NOT TRUSTED)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- ref: ${{ steps.vars.outputs.sha }}
- persist-credentials: false
-
- - name: Install Cilium CLI-cli
- uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16
- with:
- repository: ${{ env.CILIUM_CLI_RELEASE_REPO }}
- release-version: ${{ env.CILIUM_CLI_VERSION }}
- ci-version: ${{ env.cilium_cli_ci_version }}
- binary-name: cilium-cli
- binary-dir: ./
-
- - name: Provision LVH VMs
- uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13
- with:
- test-name: e2e-conformance
- image-version: ${{ matrix.kernel }}
- host-mount: ./
- cpu: 4
- install-dependencies: 'true'
- cmd: |
- git config --global --add safe.directory /host
-
- - name: Wait for images to be available
- timeout-minutes: 30
- shell: bash
- run: |
- for image in cilium-ci operator-generic-ci hubble-relay-ci ; do
- until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
- done
-
- - name: Run tests (${{ join(matrix.*, ', ') }})
- uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13
- with:
- provision: 'false'
- cmd: |
- cd /host/
- ./contrib/scripts/kind.sh --xdp "" 3 "" "" "${{ matrix.kube-proxy }}" "dual"
-
- kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]'
- kubectl create -n kube-system secret generic cilium-ipsec-keys \
- --from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128"
-
- export CILIUM_CLI_MODE=helm
- ./cilium-cli install ${{ steps.vars.outputs.cilium_install_defaults }}
- kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-server --timeout=300s
- kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-agent --timeout=300s
-
- ./cilium-cli status --wait
- kubectl get pods --all-namespaces -o wide
- kubectl -n kube-system exec daemonset/cilium -- cilium-dbg status
-
- mkdir -p cilium-junits
-
- ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \
- --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \
- --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \
- --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \
- --junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \
- --flush-ct
-
- - name: Rotate IPsec Key & Test (${{ join(matrix.*, ', ') }})
- uses: cilium/cilium/.github/actions/conn-disrupt-test@main
- with:
- job-name: conformance-ipsec-e2e-key-rotation-${{ matrix.name }}
- operation-cmd: |
- cd /host/
-
- KEYID=\$(kubectl get secret -n kube-system cilium-ipsec-keys -o go-template --template={{.data.keys}} | base64 -d | cut -c 1)
- if [[ \$KEYID -ge 15 ]]; then KEYID=0; fi
- data=\$(echo "{\"stringData\":{\"keys\":\"\$(((\$KEYID+1))) "rfc4106\(gcm\(aes\)\)" 59f4d92cccede1b1abc920104ca61cd552782e12 128\"}}")
- kubectl patch secret -n kube-system cilium-ipsec-keys -p="\$data" -v=1
-
- # Wait until key rotation starts
- while true; do
- keys_in_use=\$(kubectl -n kube-system exec daemonset/cilium -- cilium-dbg encrypt status | awk '/Keys in use/ {print \$NF}')
- if [[ \$keys_in_use == 2 ]]; then
- break
- fi
- echo "Waiting until key rotation starts (seeing \$keys_in_use keys)"
- sleep 30s
- done
-
- # Wait until key rotation completes
- # By default the key rotation cleanup delay is 5min, let's sleep 4min before actively polling
- sleep \$((4*60))
- while true; do
- keys_in_use=\$(kubectl -n kube-system exec daemonset/cilium -- cilium-dbg encrypt status | awk '/Keys in use/ {print \$NF}')
- if [[ \$keys_in_use == 1 ]]; then
- break
- fi
- echo "Waiting until key rotation completes (seeing \$keys_in_use keys)"
- sleep 30s
- done
-
- - name: Fetch artifacts
- if: ${{ !success() }}
- uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13
- with:
- provision: 'false'
- cmd: |
- cd /host
- kubectl get pods --all-namespaces -o wide
- ./cilium-cli status
- mkdir -p cilium-sysdumps
- ./cilium-cli sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final
- # To debug https://github.com/cilium/cilium/issues/26062
- head -n -0 /proc/buddyinfo /proc/pagetypeinfo
-
- - name: Upload artifacts
- if: ${{ !success() }}
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- with:
- name: cilium-sysdumps
- path: cilium-sysdump-*.zip
- retention-days: 5
-
- - name: Upload JUnits [junit]
- if: ${{ always() }}
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- with:
- name: cilium-junits
- path: cilium-junits/*.xml
- retention-days: 2
-
- - name: Publish Test Results As GitHub Summary
- if: ${{ always() }}
- uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
- with:
- junit-directory: "cilium-junits"
-
- commit-status-final:
- if: ${{ always() }}
- name: Commit Status Final
- needs: setup-and-test
- runs-on: ubuntu-latest
- steps:
- - name: Set final commit status
- uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0
- with:
- sha: ${{ inputs.SHA || github.sha }}
- status: ${{ needs.setup-and-test.result }}
diff --git a/.github/workflows/conformance-k8s-kind-network-policies.yaml b/.github/workflows/conformance-k8s-kind-network-policies.yaml
deleted file mode 100644
index 381cfb3c0d6d0..0000000000000
--- a/.github/workflows/conformance-k8s-kind-network-policies.yaml
+++ /dev/null
@@ -1,244 +0,0 @@ -name: Conformance K8s Upstream Network - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - paths-ignore: - - 'Documentation/**' - - 'test/**' - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - - 'test/**' - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -env: - # renovate: datasource=github-releases depName=kubernetes-sigs/kind - kind_version: v0.20.0 - cluster_name: cilium-testing - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - # renovate: datasource=docker depName=quay.io/cilium/kindest-node - k8s_version: v1.29.0-rc.1 - -jobs: - kubernetes-e2e-net-conformance: - name: Installation and Conformance Test - runs-on: ubuntu-latest - timeout-minutes: 45 - strategy: - fail-fast: false - matrix: - # TODO add "dual" and "ipv6", "ipv6" fails to install cilium - ipFamily: ["ipv4"] - env: - IP_FAMILY: ${{ matrix.ipFamily }} - - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Enable ipv4 and ipv6 forwarding - run: | - sudo sysctl -w net.ipv6.conf.all.forwarding=1 - sudo sysctl -w net.ipv4.ip_forward=1 - - - name: Set up environment (download Kubernetes dependencies) - run: | - TMP_DIR=$(mktemp -d) - # Test binaries - curl -L https://dl.k8s.io/${{ env.k8s_version }}/kubernetes-test-linux-amd64.tar.gz -o ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz - tar xvzf ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz \ - --directory ${TMP_DIR} \ - --strip-components=3 kubernetes/test/bin/ginkgo kubernetes/test/bin/e2e.test - # kubectl - curl -L https://dl.k8s.io/${{ env.k8s_version }}/bin/linux/amd64/kubectl 
-o ${TMP_DIR}/kubectl - # kind - curl -Lo ${TMP_DIR}/kind https://kind.sigs.k8s.io/dl/${{ env.kind_version }}/kind-linux-amd64 - # Install - sudo cp ${TMP_DIR}/ginkgo /usr/local/bin/ginkgo - sudo cp ${TMP_DIR}/e2e.test /usr/local/bin/e2e.test - sudo cp ${TMP_DIR}/kubectl /usr/local/bin/kubectl - sudo cp ${TMP_DIR}/kind /usr/local/bin/kind - sudo chmod +x /usr/local/bin/* - sudo rm -rf ${TMP_DIR} - - - name: Create multi node cluster - run: | - cat <> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - id: install-cilium - run: | - cilium install --wait ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Run Kubernetes sig-network conformance test - run: | - # output_dir - mkdir -p _artifacts - - # get kubeconfig to pass to the e2e binary - kind get kubeconfig --name ${{ env.cluster_name }} > _artifacts/kubeconfig.conf - - # Kubernetes e2e tests use ginkgo and tags to select the tests that should run based on two regex, focus and skip: - # Focus tests: - # \[Conformance\]|\[sig-network\]: Conformance tests are defined by the project to guarantee a consistent behaviour and some mandatory features on all clusters - # sig-network tests are defined by sig-networkto guarantee 
a consistent behaviour on all the the k8s network implementations - # Skipped tests: - # Disruptive|Serial : require to run in serial and perform disruptive operations on clusters (reboots, ...) - # Federation|PerformanceDNS : unrelated sig-network tests - # Feature : skip features that are not GA, however, some of them should be enabled, per example [Feature:ProxyTerminatingEndpoints] - # DualStack : only with dualstack clusters - # KubeProxy|kube-proxy : kube-proxy specifics - # LoadBalancer|GCE|ExternalIP : require a cloud provider, some of them are GCE specifics - # Aggregator : Flaky, https://github.com/cilium/cilium/issues/24622. - # same.port.number.but.different.protocols|HostPort|should.serve.endpoints.on.same.port.and.different.protocols : #9207 - # rejected : Kubernetes expect Services without endpoints associated to REJECT the connection to notify the client, Cilium silently drops the packet - # externalTrafficPolicy : needs investigation - - # Run tests - export KUBERNETES_CONFORMANCE_TEST='y' - export E2E_REPORT_DIR=${PWD}/_artifacts - /usr/local/bin/ginkgo --nodes=5 \ - --focus="(HostPort.*\[Conformance\].*|Services.*\[Conformance\].*|Net.*ol.*)" \ - --skip="(Legacy|HostPort.validates.that.there.is.no.conflict.between.pods.with.same.hostPort.but.different.hostIP.and.protocol|should.allow.egress.access.to.server.in.CIDR.block|should.enforce.except.clause.while.egress.access.to.server.in.CIDR.block|should.ensure.an.IP.overlapping.both.IPBlock.CIDR.and.IPBlock.Except.is.allowed|Feature:SCTPConnectivity|should.serve.endpoints.on.same.port.and.different.protocols)" \ - /usr/local/bin/e2e.test \ - -- \ - --kubeconfig=${PWD}/_artifacts/kubeconfig.conf \ - --provider=local \ - --dump-logs-on-failure=true \ - --report-dir=${E2E_REPORT_DIR} \ - --disable-log-dump=true - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium 
sysdump --output-filename cilium-sysdump-final - /usr/local/bin/kind export logs --name ${{ env.cluster_name }} --loglevel=debug ./_artifacts/logs - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload cluster logs - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: kind-logs - path: ./_artifacts/logs - retention-days: 5 - - - name: Upload Kubernetes e2e Junit Reports - if: ${{ success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3 - with: - name: kubernetes-e2e-junit - path: './_artifacts/*.xml' - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "_artifacts" diff --git a/.github/workflows/conformance-k8s-kind.yaml b/.github/workflows/conformance-k8s-kind.yaml deleted file mode 100644 index 0622c5b47ca92..0000000000000 --- a/.github/workflows/conformance-k8s-kind.yaml +++ /dev/null 
@@ -1,245 +0,0 @@ -name: Conformance K8s Kind - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - paths-ignore: - - 'Documentation/**' - - 'test/**' - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - - 'test/**' - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -env: - # renovate: datasource=github-releases depName=kubernetes-sigs/kind - kind_version: v0.20.0 - cluster_name: cilium-testing - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - # renovate: datasource=docker depName=quay.io/cilium/kindest-node - k8s_version: v1.29.0-rc.1 - -jobs: - kubernetes-e2e: - name: Installation and Conformance Test - runs-on: ubuntu-latest - timeout-minutes: 45 - strategy: - fail-fast: false - matrix: - # TODO add "dual" and "ipv6", "ipv6" fails to install cilium - ipFamily: ["ipv4"] - env: - IP_FAMILY: ${{ matrix.ipFamily }} - - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Enable ipv4 and ipv6 forwarding - run: | - sudo sysctl -w net.ipv6.conf.all.forwarding=1 - sudo sysctl -w net.ipv4.ip_forward=1 - - - name: Set up environment (download Kubernetes dependencies) - run: | - TMP_DIR=$(mktemp -d) - # Test binaries - curl -L https://dl.k8s.io/${{ env.k8s_version }}/kubernetes-test-linux-amd64.tar.gz -o ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz - tar xvzf ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz \ - --directory ${TMP_DIR} \ - --strip-components=3 kubernetes/test/bin/ginkgo kubernetes/test/bin/e2e.test - # kubectl - curl -L https://dl.k8s.io/${{ env.k8s_version }}/bin/linux/amd64/kubectl -o ${TMP_DIR}/kubectl - # 
kind - curl -Lo ${TMP_DIR}/kind https://kind.sigs.k8s.io/dl/${{ env.kind_version }}/kind-linux-amd64 - # Install - sudo cp ${TMP_DIR}/ginkgo /usr/local/bin/ginkgo - sudo cp ${TMP_DIR}/e2e.test /usr/local/bin/e2e.test - sudo cp ${TMP_DIR}/kubectl /usr/local/bin/kubectl - sudo cp ${TMP_DIR}/kind /usr/local/bin/kind - sudo chmod +x /usr/local/bin/* - sudo rm -rf ${TMP_DIR} - - - name: Create multi node cluster - run: | - cat <> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - id: install-cilium - run: | - cilium install --wait ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Run Kubernetes sig-network conformance test - run: | - # output_dir - mkdir -p _artifacts - - # get kubeconfig to pass to the e2e binary - kind get kubeconfig --name ${{ env.cluster_name }} > _artifacts/kubeconfig.conf - - # Kubernetes e2e tests use ginkgo and tags to select the tests that should run based on two regex, focus and skip: - # Focus tests: - # \[Conformance\]|\[sig-network\]: Conformance tests are defined by the project to guarantee a consistent behaviour and some mandatory features on all clusters - # sig-network tests are defined by sig-networkto guarantee a consistent behaviour on 
all the the k8s network implementations - # Skipped tests: - # Disruptive|Serial : require to run in serial and perform disruptive operations on clusters (reboots, ...) - # Federation|PerformanceDNS : unrelated sig-network tests - # Feature : skip features that are not GA, however, some of them should be enabled, per example [Feature:ProxyTerminatingEndpoints] - # DualStack : only with dualstack clusters - # KubeProxy|kube-proxy : kube-proxy specifics - # LoadBalancer|GCE|ExternalIP : require a cloud provider, some of them are GCE specifics - # Netpol|NetworkPolicy : network policies, demand significant resources and use to be slow, better to run in a different job - # Aggregator : Flaky, https://github.com/cilium/cilium/issues/24622. - # same.port.number.but.different.protocols|HostPort|should.serve.endpoints.on.same.port.and.different.protocols : #9207 - # rejected : Kubernetes expect Services without endpoints associated to REJECT the connection to notify the client, Cilium silently drops the packet - # externalTrafficPolicy : needs investigation - - # Run tests - export KUBERNETES_CONFORMANCE_TEST='y' - export E2E_REPORT_DIR=${PWD}/_artifacts - /usr/local/bin/ginkgo --nodes=25 \ - --focus="\[Conformance\]|\[sig-network\]" \ - --skip="Feature|Federation|PerformanceDNS|DualStack|Disruptive|Serial|KubeProxy|kube-proxy|ExternalIP|LoadBalancer|GCE|Netpol|NetworkPolicy|Aggregator|rejected|externalTrafficPolicy|HostPort|same.port.number.but.different.protocols|should.serve.endpoints.on.same.port.and.different.protocols" \ - /usr/local/bin/e2e.test \ - -- \ - --kubeconfig=${PWD}/_artifacts/kubeconfig.conf \ - --provider=local \ - --dump-logs-on-failure=true \ - --report-dir=${E2E_REPORT_DIR} \ - --disable-log-dump=true - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final - 
/usr/local/bin/kind export logs --name ${{ env.cluster_name }} --loglevel=debug ./_artifacts/logs - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload cluster logs - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: kind-logs - path: ./_artifacts/logs - retention-days: 5 - - - name: Upload Kubernetes e2e Junit Reports [junit] - if: ${{ success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3 - with: - name: kubernetes-e2e-junit - path: './_artifacts/*.xml' - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "_artifacts" - diff --git a/.github/workflows/conformance-k8s-network-policies.yaml b/.github/workflows/conformance-k8s-network-policies.yaml deleted file mode 100644 index a4774eafed31a..0000000000000 --- a/.github/workflows/conformance-k8s-network-policies.yaml +++ /dev/null 
@@ -1,149 +0,0 @@ -name: Cyclonus Network Policy Test - -on: - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - -permissions: read-all - -env: - cilium_cli_ci_version: - # renovate: datasource=github-releases depName=kubernetes-sigs/kind - KIND_VERSION: v0.20.0 - KIND_CONFIG: .github/kind-config.yaml - CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check.yaml - TIMEOUT: 2m - LOG_TIME: 30m - -jobs: - preflight-clusterrole: - name: Preflight Clusterrole Check - runs-on: ubuntu-latest - steps: - - name: Checout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Check pre-flight clusterrole - run: | - cd install/kubernetes/cilium/templates - echo "Checking for differences between preflight and agent clusterrole" - diff \ - -I '^[ ]\{2\}name: cilium.*' \ - -I '^Keep file in sync with.*' \ - -I '^ {{- with .Values.annotations }}$' \ - -I '^ {{- with .Values.preflight.annotations }}$' \ - -I '{{- if.*' \ - cilium-agent/clusterrole.yaml \ - cilium-preflight/clusterrole.yaml - - cyclonus-test: - name: Cyclonus Test - runs-on: ubuntu-latest - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - - name: Precheck generated connectivity manifest files - run: | - make -C examples/kubernetes/connectivity-check fmt - make -C examples/kubernetes/connectivity-check all - test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1) - - - name: Set image tag - id: vars - run: | - 
if [ "${{ github.event.pull_request.head.sha }}" != "" ]; then - echo tag=${{ github.event.pull_request.head.sha }} >> $GITHUB_OUTPUT - else - echo tag=${{ github.sha }} >> $GITHUB_OUTPUT - fi - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.tag }} &> /dev/null; do sleep 45s; done - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator-generic-ci:${{ steps.vars.outputs.tag }} &> /dev/null; do sleep 45s; done - - - name: Create kind cluster - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - version: ${{ env.KIND_VERSION }} - config: ${{ env.KIND_CONFIG }} - - - name: Install cilium chart - id: install-cilium - run: | - helm install cilium ./install/kubernetes/cilium \ - --wait \ - --namespace kube-system \ - --set nodeinit.enabled=true \ - --set kubeProxyReplacement=partial \ - --set socketLB.enabled=false \ - --set externalIPs.enabled=true \ - --set nodePort.enabled=true \ - --set hostPort.enabled=true \ - --set bpf.masquerade=false \ - --set ipam.mode=kubernetes \ - --set image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - --set image.tag=${{ steps.vars.outputs.tag }} \ - --set image.pullPolicy=IfNotPresent \ - --set image.useDigest=false \ - --set operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - --set operator.image.suffix=-ci \ - --set operator.image.tag=${{ steps.vars.outputs.tag }} \ - --set operator.image.pullPolicy=IfNotPresent \ - --set operator.image.useDigest=false \ - --set prometheus.enabled=true \ - --set operator.prometheus.enabled=true \ - --set hubble.enabled=true \ - --set hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}" - - kubectl wait -n kube-system --for=condition=Ready -l app.kubernetes.io/part-of=cilium pod --timeout=5m - kubectl rollout -n kube-system status 
deploy/coredns --timeout=5m - - # To make sure that cilium CRD is available (default timeout is 5m) - # https://github.com/cilium/cilium/blob/main/operator/crd.go#L34 - kubectl wait --for condition=Established crd/ciliumnetworkpolicies.cilium.io --timeout=5m - - - name: Run cyclonus network policy test - working-directory: test/k8s/manifests/netpol-cyclonus - run: ./test-cyclonus.sh - - - name: Install Cilium CLI - if: ${{ failure() }} - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Report cluster failure status and capture cilium-sysdump - if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }} - run: | - echo "=== Retrieve cluster state ===" - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - - - name: Upload cilium-sysdump - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - if: ${{ failure() }} - with: - name: cilium-sysdump-out.zip - path: cilium-sysdump-out.zip diff --git a/.github/workflows/conformance-kind-proxy-daemonset.yaml b/.github/workflows/conformance-kind-proxy-daemonset.yaml deleted file mode 100644 index 95b0686cd41d5..0000000000000 --- a/.github/workflows/conformance-kind-proxy-daemonset.yaml +++ /dev/null 
@@ -1,150 +0,0 @@ -name: Conformance Kind Envoy DaemonSet - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - paths-ignore: - - 'Documentation/**' - - 'test/**' - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - - 'test/**' - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -env: - # renovate: datasource=github-releases depName=kubernetes-sigs/kind - kind_version: v0.20.0 - kind_config: .github/kind-config.yaml - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - -jobs: - installation-and-connectivity: - name: "Installation and Connectivity Test" - runs-on: ubuntu-latest - timeout-minutes: 45 - env: - job_name: "Installation and Connectivity Test" - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ github.event.pull_request.head.sha }} - - - name: Set up job variables - id: vars - run: | - # Note: On Kind, we install Cilium with HostPort (portmap CNI chaining) enabled, - # to ensure coverage of that feature in cilium connectivity test - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=hubble.relay.enabled=true - --helm-set=cni.chainingMode=portmap \ - --helm-set-string=kubeProxyReplacement=strict \ - --helm-set=loadBalancer.l7.backend=envoy \ - --helm-set=tls.secretsBackend=k8s \ - --helm-set=envoy.enabled=true \ - --wait=false" - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure" - echo 
cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Create kind cluster - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - version: ${{ env.kind_version }} - config: ${{ env.kind_config }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }}.xml" --junit-property github_job_step="Run connectivity test" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - 
kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-final - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" diff --git a/.github/workflows/conformance-multi-pool.yaml b/.github/workflows/conformance-multi-pool.yaml deleted file mode 100644 index 9c47902463bc5..0000000000000 --- a/.github/workflows/conformance-multi-pool.yaml +++ /dev/null 
@@ -1,267 +0,0 @@ -name: Conformance Multi Pool IPAM (ci-multi-pool) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - # renovate: datasource=github-releases depName=kubernetes-sigs/kind - kind_version: v0.20.0 - kind_config: .github/kind-config.yaml - timeout: 5m - -jobs: - commit-status-start: - if: ${{ github.event_name != 'push' }} - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - multi-pool-ipam-conformance-test: - name: Install and Connectivity Test - runs-on: ubuntu-latest - timeout-minutes: 120 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - CONTEXT_REF="${{ inputs.context-ref }}" - OWNER="${{ inputs.PR-number }}" - else - CONTEXT_REF="${{ github.sha }}" - OWNER="${{ github.ref_name }}" - OWNER="${OWNER/./-}" - fi - - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - echo context-ref=${CONTEXT_REF} >> $GITHUB_OUTPUT - echo owner=${OWNER} >> $GITHUB_OUTPUT - - # 
Notes: - # - Multi-pool IPAM only supports direct routing, thus we disable - # tunnel mode and enable auto-direct-routes. - # - Multi-pool IPAM only supports endpoint routes, thus we disable - # the local-node-route. - # - helm/kind-action does not support BPF host routing, so we fall - # back on legacy host routing (#23283) - # - iptables-based masquerading does not support multiple non-masquerade - # CIDRs. Thus, we enable BPF masquerading where we can add multiple - # non-masquerade CIDRs. - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set=hubble.relay.enabled=true \ - --helm-set=autoDirectNodeRoutes=true \ - --helm-set=routingMode=native \ - --helm-set=endpointRoutes.enabled=true \ - --helm-set=kubeProxyReplacement=strict \ - --helm-set=bpf.masquerade=true \ - --helm-set=bpf.hostLegacyRouting=true\ - --helm-set=ipMasqAgent.enabled=true \ - --helm-set=ipMasqAgent.config.nonMasqueradeCIDRs='{10.0.0.0/8,192.168.0.0/16}' \ - --helm-set=ipam.mode=multi-pool \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.cidrs='{10.10.0.0/16}' \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.default.ipv4.maskSize=24 \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.cidrs='{10.20.0.0/16}' \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.cilium-test-pool.ipv4.maskSize=24 \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.cidrs='{192.168.0.0/20}' \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.client-pool.ipv4.maskSize=27 \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.cidrs='{192.168.16.0/20}' \ - --helm-set=ipam.operator.autoCreateCiliumPodIPPools.echo-other-node-pool.ipv4.maskSize=27" - - CONNECTIVITY_TEST_DEFAULTS="--flow-validation=disabled --hubble=false --collect-sysdump-on-failure \ - --external-target bing.com --external-cidr 8.0.0.0/8 --external-ip 8.8.4.4 --external-other-ip 8.8.8.8 \ - 
--namespace-annotations='{\"ipam.cilium.io/ip-pool\":\"cilium-test-pool\"}' \ - --deployment-pod-annotations='{ \ - \"client\":{\"ipam.cilium.io/ip-pool\":\"client-pool\"}, \ - \"echo-other-node\":{\"ipam.cilium.io/ip-pool\":\"echo-other-node-pool\"} \ - }'" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Create kind cluster - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - version: ${{ env.kind_version }} - config: ${{ env.kind_config }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium - id: install-cilium - run: | - CILIUM_CLI_MODE=helm cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test - run: | - cilium connectivity test ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} - 1.xml" --junit-property github_job_step="Run connectivity test" - - 
- name: Collect Pod and Pool IPs - id: ips - run: | - for pod in client client2 echo-same-node echo-other-node; do - kubectl get pod -n cilium-test -l "name=${pod}" -o jsonpath="${pod}={.items[*].status.podIP}{'\n'}" >> "$GITHUB_OUTPUT" - done - - for pool in cilium-test-pool client-pool echo-other-node-pool; do - kubectl get ciliumpodippool "${pool}" -o "jsonpath=${pool}={.spec.ipv4.cidrs[0]}{'\n'}" >> "$GITHUB_OUTPUT" - done - - - name: Validate Pod IPs - shell: python - run: | - from ipaddress import ip_address, ip_network - - assert ip_address("${{ steps.ips.outputs.client }}") in ip_network("${{ steps.ips.outputs.client-pool }}"), "client pool mismatch" - assert ip_address("${{ steps.ips.outputs.client2 }}") in ip_network("${{ steps.ips.outputs.cilium-test-pool }}"), "client2 pool mismatch" - assert ip_address("${{ steps.ips.outputs.echo-same-node }}") in ip_network("${{ steps.ips.outputs.cilium-test-pool }}"), "echo-same-node pool mismatch" - assert ip_address("${{ steps.ips.outputs.echo-other-node }}") in ip_network("${{ steps.ips.outputs.echo-other-node-pool }}"), "echo-other-node pool mismatch" - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} - run: | - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdump-out.zip - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: 
aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() && github.event_name != 'push' }} - name: Commit Status Final - needs: multi-pool-ipam-conformance-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.multi-pool-ipam-conformance-test.result }} diff --git a/.github/workflows/conformance-runtime.yaml b/.github/workflows/conformance-runtime.yaml deleted file mode 100644 index 7097cc0b8c87e..0000000000000 --- a/.github/workflows/conformance-runtime.yaml +++ /dev/null 
@@ -1,452 +0,0 @@ -name: Conformance Runtime (ci-runtime) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - -jobs: - commit-status-start: - if: ${{ github.event_name != 'push' }} - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - # Pre-build the ginkgo binary so that we don't have to build it for all - # runners. - build-ginkgo-binary: - runs-on: ubuntu-latest - name: Build Ginkgo Runtime - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - echo "sha=${SHA}" >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - # If any of these steps are modified, please update the copy of these - # steps further down under the 'setup-and-test' jobs. 
- - # Load Ginkgo build from GitHub - - name: Load ginkgo runtime from GH cache - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-runtime-${{ hashFiles('**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Waiting for images - timeout-minutes: 20 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - setup-and-test: - needs: build-ginkgo-binary - runs-on: - group: ginkgo-runners - name: "Runtime Test (${{matrix.focus}})" - env: - # GitHub doesn't provide a way to retrieve the name of a job, so we have - # to repeated it here. 
- job_name: "Runtime Test (${{matrix.focus}})" - strategy: - fail-fast: false - max-parallel: 3 - matrix: - focus: - - "agent" - - "datapath" - - "privileged" - - include: - ### - # RuntimeAgentChaos Cilium agent Checking for file-descriptor leak - # RuntimeAgentChaos Cilium agent removing leftover Cilium interfaces - # RuntimeAgentChaos Connectivity over restarts Checking that during restart no traffic is dropped using Egress + Ingress Traffic - # RuntimeAgentChaos Endpoint Endpoint recovery on restart - # RuntimeAgentChaos KVStore Delete event on KVStore with CIDR identities - # RuntimeAgentChaos KVStore Validate that delete events on KVStore do not release in use identities - # RuntimeAgentFQDNPolicies Can update L7 DNS policy rules - # RuntimeAgentFQDNPolicies CNAME follow - # RuntimeAgentFQDNPolicies DNS proxy policy works if Cilium stops - # RuntimeAgentFQDNPolicies Enforces L3 policy even when no IPs are inserted - # RuntimeAgentFQDNPolicies Enforces ToFQDNs policy - # RuntimeAgentFQDNPolicies Implements matchPattern: * - # RuntimeAgentFQDNPolicies Interaction with other ToCIDR rules - # RuntimeAgentFQDNPolicies Roundrobin DNS - # RuntimeAgentFQDNPolicies toFQDNs populates toCIDRSet (data from proxy) L3-dependent L7/HTTP with toFQDN updates proxy policy - # RuntimeAgentFQDNPolicies toFQDNs populates toCIDRSet (data from proxy) Policy addition after DNS lookup - # RuntimeAgentFQDNPolicies Validate dns-proxy monitor information - # RuntimeAgentFQDNPolicies With verbose policy logs Validates DNSSEC responses - # RuntimeAgentKVStoreTest KVStore tests Consul KVStore - # RuntimeAgentKVStoreTest KVStore tests Etcd KVStore - # RuntimeAgentPolicies Init Policy Default Drop Test tests egress - # RuntimeAgentPolicies Init Policy Default Drop Test tests ingress - # RuntimeAgentPolicies Init Policy Default Drop Test With PolicyAuditMode tests egress - # RuntimeAgentPolicies Init Policy Default Drop Test With PolicyAuditMode tests ingress - # RuntimeAgentPolicies Init 
Policy Test Init Egress Policy Test - # RuntimeAgentPolicies Init Policy Test Init Ingress Policy Test - # RuntimeAgentPolicies TestsEgressToHost Tests Egress To Host - # RuntimeAgentPolicies TestsEgressToHost Tests egress with CIDR+L4 policy - # RuntimeAgentPolicies TestsEgressToHost Tests egress with CIDR+L4 policy to external https service - # RuntimeAgentPolicies TestsEgressToHost Tests egress with CIDR+L7 policy - # RuntimeAgentPolicies Tests Endpoint Connectivity Functions After Daemon Configuration Is Updated - # RuntimeAgentPolicies Tests EntityNone as a deny-all - # RuntimeSSHTests Should fail when context times out - - focus: "agent" - cliFocus: "RuntimeAgent|RuntimeSSHTests" - - ### - # RuntimeDatapathConntrackInVethModeTest Conntrack-related configuration options for endpoints - # RuntimeDatapathMonitorTest With Sample Containers checks container ids match monitor output - # RuntimeDatapathMonitorTest With Sample Containers cilium-dbg monitor check --from - # RuntimeDatapathMonitorTest With Sample Containers cilium-dbg monitor check --related-to - # RuntimeDatapathMonitorTest With Sample Containers cilium-dbg monitor check --to - # RuntimeDatapathMonitorTest With Sample Containers Cilium monitor event types - # RuntimeDatapathMonitorTest With Sample Containers delivers the same information to multiple monitors - - focus: "datapath" - cliFocus: "RuntimeDatapathConntrackInVethModeTest|RuntimeDatapathMonitorTest" - - ### - # RuntimeDatapathPrivilegedUnitTests Run Tests - - focus: "privileged" - cliFocus: "RuntimeDatapathPrivilegedUnitTests" - - timeout-minutes: 40 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" 
]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - echo "sha=${SHA}" >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Provision LVH VMs - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - test-name: runtime-tests - install-dependencies: true - # renovate: datasource=docker depName=quay.io/lvh-images/kind - image-version: "bpf-next-20231128.012937@sha256:bd63100dd6b77cce9566a093ce7bad4c3936edbf40862cc491f30de875bc68e7" - host-mount: ./ - cpu: 4 - mem: 12G - - # Load Ginkgo build from GitHub - - name: Load ${{ matrix.name }} Ginkgo build from GitHub - uses: actions/cache/restore@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-runtime-${{ hashFiles('**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Build Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - mkdir -p /tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - 
name: Copy Ginkgo binary - shell: bash - run: | - cd test/ - tar -xf /tmp/.ginkgo-build/test.tgz - - - name: Setup runtime - timeout-minutes: 10 - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - mkdir -p /root/go/src/github.com/cilium/ - ln -s /host /root/go/src/github.com/cilium/cilium - mkdir -p /home/root/go/src/github.com/cilium/ - ln -s /host /home/root/go/src/github.com/cilium/cilium - cp -r /host/test/provision /tmp - git config --global --add safe.directory /host - export CILIUM_IMAGE=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.sha }} - export CILIUM_DOCKER_PLUGIN_IMAGE=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/docker-plugin-ci:${{ steps.vars.outputs.sha }} - export PROVISION_EXTERNAL_WORKLOAD=false - export VMUSER=root - echo '127.0.0.1 localhost' >> /etc/hosts - echo '::1 localhost' >> /etc/hosts - /tmp/provision/runtime_install.sh - service docker restart - - - name: Runtime tests - if: ${{ matrix.focus == 'agent' || matrix.focus == 'datapath' }} - timeout-minutes: 20 - shell: bash - run: | - cat > test/cilium-ssh-config.txt << EOF - Host runtime - HostName 127.0.0.1 - User root - Port 2222 - UserKnownHostsFile /dev/null - StrictHostKeyChecking no - PasswordAuthentication no - LogLevel FATAL - EOF - cd test - export INTEGRATION_TESTS=true - ./test.test \ - --ginkgo.focus="${{ matrix.cliFocus }}" \ - --ginkgo.skip="${{ matrix.cliSkip }}" \ - --ginkgo.seed=1679952881 \ - --ginkgo.v -- \ - -cilium.provision=false \ - -cilium.image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ - -cilium.tag=${{ steps.vars.outputs.sha }} \ - -cilium.operator-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ - -cilium.operator-tag=${{ steps.vars.outputs.sha }} \ - -cilium.hubble-relay-image=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci \ - -cilium.hubble-relay-tag=${{ steps.vars.outputs.sha }} \ - -cilium.operator-suffix=-ci \ - -cilium.SSHConfig="cat 
./cilium-ssh-config.txt" - - - name: Runtime privileged tests - if: ${{ matrix.focus == 'privileged' }} - timeout-minutes: 30 - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host - # The LVH image might ship with an arbitrary Go toolchain version, - # install the same Go toolchain version as current HEAD. - go install golang.org/dl/go${{ env.go-version }}@latest - go${{ env.go-version }} download - # Install go-junit-report to generate junit files for the - # privileged tests. - go${{ env.go-version}} install github.com/jstemmer/go-junit-report/v2@7fde4641acef5b92f397a8baf8309d1a45d608cc - export GOTEST_FORMATTER="/root/go/bin/go-junit-report -set-exit-code -iocopy -out test/runtime.xml" - make tests-privileged NO_COLOR=1 GO=go${{ env.go-version }} - - - name: Debug failure on VM - # Only debug the failure on the LVH that have Cilium running as a service, - # which is 'agent' and 'datapath' focus. - if: ${{ !success() && (matrix.focus == 'agent' || matrix.focus == 'datapath') }} - timeout-minutes: 10 - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - journalctl --no-pager -xeu cilium.service - systemctl status cilium.service - - - name: Fetch artifacts - if: ${{ !success() && (matrix.focus == 'agent' || matrix.focus == 'datapath') }} - shell: bash - run: | - tar -zcf test_results-${{ join(matrix.*, '-') }}.tar.gz ./test/test_results - - - name: Upload artifacts - if: ${{ !success() && (matrix.focus == 'agent' || matrix.focus == 'datapath') }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: | - test_results-*.tar.gz - retention-days: 5 - - - name: Fetch JUnits - if: ${{ always() }} - shell: bash - run: | - mkdir -p cilium-junits - cd test/ - # junit_filename needs to be the same as the Job Name presented on the - # GH web UI - In the Summary 
page of a workflow run, left column - # "Jobs" - so that we can map the junit file to the right job - step - # pair on datastudio. - junit_filename="${{ env.job_name }}.xml" - for filename in *.xml; do cp "$(unknown)" "../cilium-junits/${junit_filename}"; done; - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 5 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() && github.event_name != 'push' }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/container-scan.yaml b/.github/workflows/container-scan.yaml deleted file mode 100644 index 6e9d3784397c4..0000000000000 --- a/.github/workflows/container-scan.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -name: Container Vulnerability Scan -on: - schedule: - - cron: "0 4 * * *" - workflow_dispatch: - -permissions: read-all - -jobs: - container-scan: - if: github.repository_owner == 'cilium' - name: Scan Containers - runs-on: ubuntu-22.04 - strategy: - matrix: - image: [ - {name: cilium, dockerfile: ./images/cilium/Dockerfile}, - {name: clustermesh-apiserver, dockerfile: ./images/clustermesh-apiserver/Dockerfile}, - {name: docker-plugin, dockerfile: ./images/cilium-docker-plugin/Dockerfile}, - {name: hubble-relay, dockerfile: ./images/hubble-relay/Dockerfile}, - {name: kvstoremesh, dockerfile: ./images/kvstoremesh/Dockerfile}, - {name: operator-generic, dockerfile: ./images/operator/Dockerfile}, - ] - branch: [v1.12, v1.13, v1.14] - exclude: - - image: {name: kvstoremesh, dockerfile: ./images/kvstoremesh/Dockerfile} - branch: v1.12 - - image: {name: kvstoremesh, dockerfile: ./images/kvstoremesh/Dockerfile} - branch: v1.13 - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ matrix.branch }} - persist-credentials: false - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - - name: Build local container - uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 - with: - context: . - tags: ${{ matrix.image.name }}:${{ matrix.branch }} - push: false - load: true - file: ${{ matrix.image.dockerfile }} - build-args: | - OPERATOR_VARIANT=${{ matrix.image.name }} - - name: Scan image - uses: anchore/scan-action@896d5f410043987c8fe18f60d91bf199e436840c # v3.3.8 - with: - image: ${{ matrix.image.name }}:${{ matrix.branch }} - output-format: table - severity-cutoff: critical diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml deleted file mode 100644 index 8fdf54cb7f156..0000000000000 --- a/.github/workflows/documentation.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -name: Documentation Updates - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - merge_group: - types: [checks_requested] - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }} - cancel-in-progress: ${{ !github.event.merge_group }} - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-22.04 - outputs: - docs-tree: ${{ steps.docs-tree.outputs.src }} - steps: - - name: Checkout code - if: ${{ !github.event.pull_request }} - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Check code changes - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - id: docs-tree - with: - # For `push` events, compare against the `ref` base branch - # For `pull_request` events, this is ignored and will compare against the pull request base branch - base: ${{ github.ref }} - filters: | - src: - - .github/workflows/documentation.yaml - - 'Documentation/**' - - 'bugtool/cmd/**' - - 'cilium/cmd/**' - - 'cilium-health/cmd/**' - - 'daemon/cmd/**' - - 'hubble-relay/cmd/**' - - 'install/kubernetes/**' - - 'operator/cmd/**' - - README.rst - - # Runs only if code under Documentation or */cmd/ is changed as the docs - # should be unaffected otherwise. 
- build-html: - needs: check_changes - if: ${{ needs.check_changes.outputs.docs-tree == 'true' }} - name: Validate & Build HTML - runs-on: ubuntu-22.04 - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Build HTML - uses: docker://quay.io/cilium/docs-builder:d88a9684e1be32661e9e56d6b7e1e1350db7a1b1@sha256:f051371b2a910088a43dc5bd4289c9ca3a8754a8afb15f60f86f385660c1fd09 - with: - entrypoint: ./Documentation/check-build.sh - args: html diff --git a/.github/workflows/external-contribution-labeler.yaml b/.github/workflows/external-contribution-labeler.yaml deleted file mode 100644 index 57adb6a2bd9df..0000000000000 --- a/.github/workflows/external-contribution-labeler.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -name: PR from External Contribution Detector - -on: - pull_request_target: - types: - - opened - - reopened - -jobs: - labeler: - if: | - ( - (github.event.pull_request.author_association != 'OWNER') && - (github.event.pull_request.author_association != 'COLLABORATOR') && - (github.event.pull_request.author_association != 'MEMBER') - ) - runs-on: ubuntu-latest - name: Label PRs - permissions: - pull-requests: write - steps: - # Detect if the secret 'CHECK_TEAM_ORG_APP_ID' is set. If it's not set, don't - # bother running this GH workflow. - - name: Check if CHECK_TEAM_ORG_APP_ID is set in github secrets - id: check_secret - run: | - echo "is_CHECK_TEAM_ORG_APP_ID_set: ${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}" - echo is_CHECK_TEAM_ORG_APP_ID_set="${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}" >> $GITHUB_OUTPUT - - - name: Get token - # Get a token with the read:org permissions so that the GH action - # can read the team membership for a user. We need to do this over a - # GH app because GH actions don't have support for these type of - # permissions. 
- if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }} - id: get_token - uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1 - with: - APP_PEM: ${{ secrets.CHECK_TEAM_ORG_PEM }} - APP_ID: ${{ secrets.CHECK_TEAM_ORG_APP_ID }} - - - name: Check author association - if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }} - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - id: author_association - # https://docs.github.com/en/rest/orgs/members?apiVersion=2022-11-28#check-organization-membership-for-a-user - with: - github-token: ${{ steps.get_token.outputs.app_token }} - script: | - try { - const result = await github.rest.orgs.checkMembershipForUser({ - org: "${{ github.repository_owner }}", - username: "${{github.event.pull_request.user.login}}", - }) - return result.status == 204; - } catch { - return false; - } - - - name: Print author association - if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }} - run: | - echo author_association_from_event=${{ github.event.pull_request.author_association }} - echo author_association_from_api=${{ steps.author_association.outputs.result }} - - - name: Set label - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' && steps.author_association.outputs.result != 'true' }} - with: - script: | - github.rest.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ["kind/community-contribution"] - }) diff --git a/.github/workflows/integration-test.yaml b/.github/workflows/integration-test.yaml deleted file mode 100644 index 9dac65069fa66..0000000000000 --- a/.github/workflows/integration-test.yaml +++ /dev/null 
@@ -1,128 +0,0 @@ -name: Integration Tests (ci-integration) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -jobs: - commit-status-start: - if: ${{ github.event_name != 'push' }} - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - integration-test: - name: Integration Test - runs-on: ubuntu-20.04 - timeout-minutes: 45 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set image tag - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - - name: Prepare environment - timeout-minutes: 15 - run: | - ./.travis/prepare.sh - - - name: Run integration tests - timeout-minutes: 60 - run: | - export PATH=/usr/local/clang/bin:$PATH - export V=0 - export DOCKER_BUILD_FLAGS=--quiet - ./.travis/build.sh - - commit-status-final: - if: ${{ always() && github.event_name != 'push' }} - name: Commit Status Final - needs: integration-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.integration-test.result }} diff --git a/.github/workflows/lint-bpf-checks.yaml b/.github/workflows/lint-bpf-checks.yaml deleted file mode 100644 index a4edb6441c8bc..0000000000000 --- a/.github/workflows/lint-bpf-checks.yaml +++ /dev/null 
@@ -1,170 +0,0 @@ -name: BPF Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - merge_group: - types: [checks_requested] - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }} - cancel-in-progress: ${{ !github.event.merge_group }} - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-latest - outputs: - bpf-tree: ${{ steps.changes.outputs.bpf-tree }} - coccinelle: ${{ steps.changes.outputs.coccinelle }} - bpf-tests-runner: ${{ steps.changes.outputs.bpf-tests-runner }} - workflow-description: ${{ steps.changes.outputs.workflow-description }} - steps: - - name: Checkout code - if: ${{ !github.event.pull_request }} - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Check code changes - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - id: changes - with: - # For `push` events, compare against the `ref` base branch - # For `pull_request` events, this is ignored and will compare against the pull request base branch - base: ${{ github.ref }} - filters: | - bpf-tree: - - 'bpf/**' - coccinelle: - - 'contrib/coccinelle/**' - bpf-tests-runner: - - 'test/bpf_tests/**' - - 'pkg/bpf/**' - workflow-description: - - '.github/workflows/lint-bpf-checks.yaml' - - checkpatch: - name: Check Patch - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - fetch-depth: 0 - - name: Run checkpatch.pl - run: | - make -C bpf checkpatch || (echo "Run 'make -C bpf checkpatch' locally to investigate reports"; exit 1) - - # Runs only if code under bpf/ or contrib/coccinnelle/ is changed. 
- coccicheck: - needs: check_changes - if: ${{ needs.check_changes.outputs.bpf-tree == 'true' || needs.check_changes.outputs.coccinelle == 'true' || needs.check_changes.outputs.workflow-description == 'true' }} - name: Run coccicheck - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Run coccicheck - uses: docker://cilium/coccicheck:2.4@sha256:24abe3fbb8e829fa41a68a3b76cb4df84fd5a87a7d1d6254c1c1fe5effb5bd1b - with: - entrypoint: ./contrib/coccinelle/check-cocci.sh - # Note: Setting COCCINELLE_HOME can be removed, here and in the - # messages in the .cocci files, next time we upgrade coccinelle. - # The issue was fixed, after v1.1.1 that we're using, in - # https://gitlab.inria.fr/coccinelle/coccinelle/-/commit/540888ff426e. - env: - COCCINELLE_HOME: /usr/local/lib/coccinelle - - set_clang_dir: - name: Set clang directory - runs-on: ubuntu-latest - outputs: - clang_dir: ${{ steps.set_dir.outputs.clang_dir }} - steps: - - name: Set directory - id: set_dir - run: echo "clang_dir=$HOME/.clang" >> $GITHUB_OUTPUT - - # Runs only if code under bpf/ is changed. 
- build_all: - needs: [check_changes, set_clang_dir] - if: ${{ needs.check_changes.outputs.bpf-tree == 'true' || needs.check_changes.outputs.workflow-description == 'true' }} - name: Build Datapath - runs-on: ubuntu-22.04 - steps: - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - name: Cache LLVM and Clang - id: cache-llvm - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - path: ${{ needs.set_clang_dir.outputs.clang_dir }} - key: llvm-10.0 - - name: Install LLVM and Clang prerequisites - run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends libtinfo5 - - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@be40c5af3a4adc3e4a03199995ab73aa37536712 # v1.9.0 - with: - version: "10.0" - directory: ${{ needs.set_clang_dir.outputs.clang_dir }} - cached: ${{ steps.cache-llvm.outputs.cache-hit }} - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - fetch-depth: 0 - - name: Build all BPF datapath permutations - env: - V: 0 - run: | - make --quiet -C bpf build_all || (echo "Run 'make -C bpf build_all' locally to investigate build breakages"; exit 1) - - bpf_tests: - needs: [check_changes, set_clang_dir] - if: ${{ needs.check_changes.outputs.bpf-tree == 'true' || needs.check_changes.outputs.bpf-tests-runner == 'true' || needs.check_changes.outputs.workflow-description == 'true' }} - name: BPF unit/integration Tests - runs-on: ubuntu-22.04 - steps: - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - name: Cache LLVM and Clang - id: cache-llvm - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - path: ${{ needs.set_clang_dir.outputs.clang_dir 
}} - key: llvm-10.0 - - name: Install LLVM and Clang prerequisites - run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends libtinfo5 - - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@be40c5af3a4adc3e4a03199995ab73aa37536712 # v1.9.0 - with: - version: "10.0" - directory: ${{ needs.set_clang_dir.outputs.clang_dir }} - cached: ${{ steps.cache-llvm.outputs.cache-hit }} - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - fetch-depth: 0 - - name: Run BPF tests - run: | - make -C test run_bpf_tests || (echo "Run 'make -C test run_bpf_tests' locally to investigate failures"; exit 1) diff --git a/.github/workflows/lint-build-commits.yaml b/.github/workflows/lint-build-commits.yaml deleted file mode 100644 index 7af7f71a57540..0000000000000 --- a/.github/workflows/lint-build-commits.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -name: Build Commits - -# Any change in triggers needs to be reflected in the concurrency group. -on: [pull_request] - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} - cancel-in-progress: true - -jobs: - build_commits: - name: Check if build works for every commit - runs-on: ubuntu-22.04 - timeout-minutes: 90 - steps: - - name: Configure git - run: | - git config --global user.name "GitHub Actions" - git config --global user.email "github-actions@users.noreply.github.com" - - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - - name: Set clang directory - id: set_clang_dir - run: echo "clang_dir=$HOME/.clang" >> $GITHUB_OUTPUT - - - name: Cache LLVM and Clang - id: cache-llvm - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - with: - path: ${{ steps.set_clang_dir.outputs.clang_dir }} - key: llvm-10.0 - - - name: Install LLVM and Clang prerequisites - run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends libtinfo5 - - - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@be40c5af3a4adc3e4a03199995ab73aa37536712 # v1.9.0 - with: - version: "10.0" - directory: ${{ steps.set_clang_dir.outputs.clang_dir }} - cached: ${{ steps.cache-llvm.outputs.cache-hit }} - - - name: Install ginkgo - run: | - go install github.com/onsi/ginkgo/ginkgo@cc0216944b25a88d3259699a029d4e601fb8a222 # v1.12.1 - - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - ref: ${{ github.event.pull_request.head.sha }} - fetch-depth: 0 - - - name: Check if build works for every commit - run: | - PR_COMMITS_API_JSON=$(curl \ - -H "Accept: application/vnd.github.v3+json" \ - -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ - ${{ 
github.event.pull_request.commits_url }}) - PR_FIRST_SHA=$(echo "$PR_COMMITS_API_JSON" | jq -r ".[0].sha") - PR_PARENT_SHA=$(git rev-parse "${PR_FIRST_SHA}^") - git rebase --exec "make build -j $(nproc)" $PR_PARENT_SHA - - - name: Check bpf code changes - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - id: bpf-tree - with: - filters: | - src: - - 'bpf/**' - - # Runs only if code under bpf/ is changed. - - name: Check if datapath build works for every commit - if: steps.bpf-tree.outputs.src == 'true' - run: | - PR_COMMITS_API_JSON=$(curl \ - -H "Accept: application/vnd.github.v3+json" \ - -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ - ${{ github.event.pull_request.commits_url }}) - PR_FIRST_SHA=$(echo "$PR_COMMITS_API_JSON" | jq -r ".[0].sha") - PR_PARENT_SHA=$(git rev-parse "${PR_FIRST_SHA}^") - git rebase --exec "make -C bpf build_all -j $(nproc)" $PR_PARENT_SHA - - - name: Check test code changes - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - id: test-tree - with: - filters: | - src: - - 'pkg/**' - - 'test/**' - - # Runs only if code under test/ is changed. - - name: Check if ginkgo test suite build works for every commit - if: steps.test-tree.outputs.src == 'true' - run: | - PR_COMMITS_API_JSON=$(curl \ - -H "Accept: application/vnd.github.v3+json" \ - -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ - ${{ github.event.pull_request.commits_url }}) - PR_FIRST_SHA=$(echo "$PR_COMMITS_API_JSON" | jq -r ".[0].sha") - PR_PARENT_SHA=$(git rev-parse "${PR_FIRST_SHA}^") - git rebase --exec "make -C test build -j $(nproc) && make -C test build-darwin" $PR_PARENT_SHA - - - name: Failed commit during the build - if: ${{ failure() }} - run: git --no-pager log --format=%B -n 1 diff --git a/.github/workflows/lint-codeowners.yaml b/.github/workflows/lint-codeowners.yaml deleted file mode 100644 index 2b43a49822693..0000000000000 --- a/.github/workflows/lint-codeowners.yaml +++ /dev/null 
@@ -1,129 +0,0 @@ -name: CODEOWNERS Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - branches: - - main - - ft/main/** - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number }} - cancel-in-progress: true - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-latest - outputs: - added-files: ${{ steps.changes.outputs.added-files }} - deleted-files: ${{ steps.changes.outputs.deleted-files }} - codeowners-changed: ${{ steps.changes.outputs.codeowners-changed }} - steps: - - name: Check code changes - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - id: changes - with: - filters: | - added-files: - - added: '**' - deleted-files: - - deleted: '**' - codeowners-changed: - - 'CODEOWNERS' - - '.github/workflows/lint-codeowners.yaml' - - codeowners: - needs: check_changes - if: ${{ needs.check_changes.outputs.codeowners-changed == 'true' || needs.check_changes.outputs.added-files == 'true' || needs.check_changes.outputs.deleted-files == 'true' }} - name: Check CODEOWNERS consistency - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - # Hard-code the path instead of using ${{ github.repository }} - # to make sure it works for forked repo as well. - path: src/github.com/cilium/cilium - - - name: Check if all files have attributed code owners - if: ${{ needs.check_changes.outputs.codeowners-changed == 'true' || needs.check_changes.outputs.added-files == 'true' }} - run: | - # CODEOWNERS patterns follows nearly the same syntax as a .gitignore. - # To check if all files are covered by patterns other than the - # catch-all '*', we turn the file into a .gitignore and list - # unmatched files. 
- cd src/github.com/cilium/cilium - # Copy all patterns from CODEOWNERS, but skipping the comments - # ('^[^#]') and the catch-all '*' rule (the only one with a single - # character, we skip it with '^.[^ ]'). - awk '/^[^#][^ ]/ {print $1}' CODEOWNERS > .gitignore - # Reinitialize the repo and list all files NOT covered by .gitignore. - rm -rf .git - git init -q - if [[ -n "$(git ls-files --others -X .gitignore)" ]]; then - echo '::error title=missing_code_owners::Following files have no owners in CODEOWNERS:' - git ls-files --others -X .gitignore - exit 1 - fi - - - name: Check if CODEOWNERS has stale entries - if: ${{ needs.check_changes.outputs.codeowners-changed == 'true' || needs.check_changes.outputs.deleted-files == 'true' }} - run: | - cd src/github.com/cilium/cilium - EXIT_STATUS=0 - # We go through the patterns in CODEOWNERS, and for each of them we - # search for corresponding files in the repo. - while read l; do - case "${l}" in - /*) - # The pattern should match from the root of the repo, - # we'll use 'ls'. For now, just append pattern to $LIST. - LIST+=" ${l#/}" - ;; - *) - # No leading slash: may not be at the root of the repo, - # search with 'find'. Print pattern if no file found. - if [[ -z $(find . -path "*${l}*" -print -quit) ]]; then - echo "${l}" - EXIT_STATUS=1 - fi - ;; - esac - done <<< $(awk '/^[^#][^ ]/ {print $1}' CODEOWNERS) - # Just one final call to 'ls' with all /* patterns found. Catch - # patterns with no corresponding files/directories from stderr. - STALE_PATTERNS="$(ls -- ${LIST} 2>&1 >/dev/null | sed "s|.*'\(.*\)':.*|/\1|")" - if [[ -n "${STALE_PATTERNS}" ]]; then - echo "${STALE_PATTERNS}" | sed 's/ /\n/g' - EXIT_STATUS=1 - fi - if [[ ${EXIT_STATUS} -ne 0 ]]; then - echo '::error title=stale_patterns::The patterns above should be removed from CODEOWNERS.' 
- exit ${EXIT_STATUS} - fi - - - name: Check if all teams in CODEOWNERS rules are documented in the file - if: ${{ needs.check_changes.outputs.codeowners-changed == 'true' }} - run: | - EXIT_STATUS=0 - # List all teams used in CODEOWNERS rules: discard comments and empty - # lines, discard lines with no team assigned (with no space in it), - # then discard the first field (pattern to match) for the remaining - # rules, split the list of teams by replacing spaces with line - # breaks, sort the results. Then grep for each team name among - # CODEOWNERS's comments. - cd src/github.com/cilium/cilium - for team in $(sed -e '/^\(#\|$\)/d' -e '/^[^ ]*$/d' -e 's/^[^ #]\+ //' -e 's/ /\n/g' CODEOWNERS | sort -u); do - if ! grep -q "^#[^@]*${team}" CODEOWNERS; then - echo "${team}"; - EXIT_STATUS=1 - fi; - done - if [[ ${EXIT_STATUS} -ne 0 ]]; then - echo '::error title=missing_team::The teams above are not documented in CODEOWNERS. Typo?' - exit ${EXIT_STATUS} - fi diff --git a/.github/workflows/lint-codeql.yaml b/.github/workflows/lint-codeql.yaml deleted file mode 100644 index 16136db36193f..0000000000000 --- a/.github/workflows/lint-codeql.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -name: CodeQL - -on: - pull_request: - branches: - - main - - ft/main/** - push: - branches: - - main - - ft/main/** - schedule: - - cron: "45 6 * * 3" - -permissions: read-all - -jobs: - check_changes: - name: Deduce required tests from code changes - if: ${{ github.event_name == 'pull_request' }} - runs-on: ubuntu-latest - outputs: - go-changes: ${{ steps.go-changes.outputs.src }} - steps: - - name: Check code changes - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - id: go-changes - with: - filters: | - src: - - .github/workflows/lint-codeql.yaml - - '**/*.go' - - 'go.mod' - - 'go.sum' - - analyze: - needs: check_changes - if: ${{ needs.check_changes.outputs.go-changes == 'true' || github.event_name != 'pull_request' }} - name: Analyze - runs-on: ubuntu-latest - permissions: - security-events: write - steps: - - name: Checkout repo - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - fetch-depth: 1 - - name: Initialize CodeQL - uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 - with: - languages: go - debug: true - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 diff --git a/.github/workflows/lint-go.yaml b/.github/workflows/lint-go.yaml deleted file mode 100644 index 96132869dcb92..0000000000000 --- a/.github/workflows/lint-go.yaml +++ /dev/null 
@@ -1,129 +0,0 @@ -name: Go Related Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - # Add this workflow to be triggered by merge queue events - merge_group: - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }} - cancel-in-progress: ${{ !github.event.merge_group }} - -jobs: - go-mod: - name: Check Go Modules - runs-on: ubuntu-latest - steps: - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Check module vendoring - run: | - go mod tidy - go mod vendor - test -z "$(git status --porcelain)" || (echo "please run 'go mod tidy && go mod vendor', and submit your changes"; exit 1) - - golangci: - name: Lint Source Code - runs-on: ubuntu-latest - steps: - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Run golangci-lint - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 - with: - # renovate: datasource=docker depName=golangci/golangci-lint - version: v1.55.2 - skip-cache: true - args: "--out-${NO_FUTURE}format colored-line-number --verbose --modules-download-mode=vendor" - - precheck: - runs-on: ubuntu-latest - name: Precheck - steps: - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version 
depName=go - go-version: 1.21.4 - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - name: Go code prechecks - run: | - cd src/github.com/cilium/cilium - make precheck - - generate-api: - runs-on: ubuntu-latest - name: Generate API - steps: - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - name: Check api generated files - run: | - cd src/github.com/cilium/cilium - contrib/scripts/check-api-code-gen.sh - - generate-k8s-api: - runs-on: ubuntu-latest - name: Generate k8s API - steps: - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - name: Install protobuf dependencies - env: - PROTOBUF_VERSION: 3.12.4 - run: | - curl -Lo protoc-$PROTOBUF_VERSION-linux-x86_64.zip https://github.com/protocolbuffers/protobuf/releases/download/v$PROTOBUF_VERSION/protoc-$PROTOBUF_VERSION-linux-x86_64.zip - unzip protoc-$PROTOBUF_VERSION-linux-x86_64.zip - sudo chmod +x bin/protoc && sudo cp bin/protoc /usr/local/bin - - name: Check k8s generated 
files - run: | - # Set GOBIN to ensure 'go install' binaries end up in the same directory - # as the one actions/setup-go adds to PATH, regardless of GOPATH. - export GOBIN="$HOME/go/bin" - - cd src/github.com/cilium/cilium - contrib/scripts/check-k8s-code-gen.sh diff --git a/.github/workflows/lint-images-base.yaml b/.github/workflows/lint-images-base.yaml deleted file mode 100644 index d9012bf036e2c..0000000000000 --- a/.github/workflows/lint-images-base.yaml +++ /dev/null @@ -1,44 +0,0 @@ -name: Base Image Lint - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: - types: - - opened - - synchronize - - reopened - push: - branches: - - main - - ft/main/** - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -jobs: - lint: - name: Lint image build logic - runs-on: ubuntu-22.04 - steps: - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - - uses: docker://quay.io/cilium/image-maker:7de7f1c855ce063bdbe57fdfb28599a3ad5ec8f1@sha256:dde8500cbfbb6c41433d376fdfcb3831e2df9cec50cf4f49e8553dc6eba74e72 - name: Run make lint - with: - entrypoint: make - args: -C images lint - - - uses: docker://quay.io/cilium/image-maker:7de7f1c855ce063bdbe57fdfb28599a3ad5ec8f1@sha256:dde8500cbfbb6c41433d376fdfcb3831e2df9cec50cf4f49e8553dc6eba74e72 - name: Check if runtime and builder images are up-to-date - with: - entrypoint: make - args: -C images check-runtime-image check-builder-image - - - name: Check Cilium Envoy image - run: make -C images check-envoy-image diff --git a/.github/workflows/lint-workflows.yaml b/.github/workflows/lint-workflows.yaml deleted file mode 100644 index 489afba37b02c..0000000000000 --- a/.github/workflows/lint-workflows.yaml +++ /dev/null 
@@ -1,227 +0,0 @@ -name: GitHub Workflow Related Checks - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -jobs: - ginkgo-workflow-comments: - name: Lint Ginko Workflows Comments - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - # Load Ginkgo build from GitHub - - name: Load ginkgo linter from GH cache - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 - id: cache - with: - path: /tmp/.ginkgo-build/ - key: ${{ runner.os }}-ginkgo-linter-${{ hashFiles('src/github.com/cilium/cilium/**/*.go') }} - - - name: Install Go - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - - - name: Build Ginkgo - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium - go install github.com/onsi/ginkgo/ginkgo@v1.16.5 - mkdir -p /tmp/.ginkgo-build - - - name: Building Ginkgo Linter Test - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium - git apply contrib/testing/ginkgo-get-all-test-names.patch - - cd test - /home/runner/go/bin/ginkgo build - strip test.test - tar -cz test.test -f test.tgz - - - name: Store Ginkgo Linter Test in GitHub cache path - if: ${{ steps.cache.outputs.cache-hit != 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium - mkdir -p 
/tmp/.ginkgo-build/ - if [ -f test/test.tgz ]; then - cp test/test.tgz /tmp/.ginkgo-build/ - echo "file copied" - fi - - - name: Copy Ginkgo binary - if: ${{ steps.cache.outputs.cache-hit == 'true' }} - shell: bash - run: | - cd src/github.com/cilium/cilium/test/ - tar -xf /tmp/.ginkgo-build/test.tgz - - - name: Reading Comments From Workflows - shell: bash - run: | - cd src/github.com/cilium/cilium - - grep '# K8s' .github/actions/ginkgo/main-focus.yaml | \ - sed -e 's/^[[:space:]]\+# //g' | \ - sort -u > /tmp/ginkgo-workflow-comments.txt - - grep '# Runtime' .github/workflows/conformance-runtime.yaml | \ - sed -e 's/^[[:space:]]\+# //g' | \ - sort -u > /tmp/runtime-workflow-comments.txt - - - name: Getting test runs output - shell: bash - run: | - cd src/github.com/cilium/cilium/test - - ./test.test -ginkgo.failFast -ginkgo.dryRun -- --cilium.testScope=K8s | \ - grep TestRun | \ - grep -v 'TestRun\[Top Level\] Runtime' | \ - sed 's/TestRun\[Top Level\]\ //g' | \ - sort -u > /tmp/ginkgo-tests.txt - - ./test.test -ginkgo.failFast -ginkgo.dryRun -- --cilium.testScope=Runtime | \ - grep TestRun | \ - grep -v 'TestRun\[Top Level\] K8s' | \ - sed 's/TestRun\[Top Level\]\ //g' | \ - sort -u > /tmp/runtime-tests.txt - - - name: Checking diff Ginkgo Workflow - shell: bash - run: | - diff /tmp/ginkgo-workflow-comments.txt /tmp/ginkgo-tests.txt --suppress-common-lines - - if [ $? -ne 0 ]; then - echo "" - echo "Ginkgo tests out of sync with comments from GH workflow:" - echo "$diff" - echo "Please fix the comments from .github/actions/ginkgo/main-focus.yaml accordingly" - echo "" - exit 1 - fi - - - name: Checking diff Runtime Workflow - shell: bash - run: | - diff /tmp/runtime-workflow-comments.txt /tmp/runtime-tests.txt --suppress-common-lines - - if [ $? 
-ne 0 ]; then - echo "" - echo "Ginkgo tests out of sync with comments from GH workflow:" - echo "$diff" - echo "" - echo "Please fix the comments from .github/workflows/conformance-runtime.yaml accordingly" - exit 1 - fi - - ginkgo-schema-validation: - name: Validate Ginko Schema - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 - with: - python-version: '3.10' - - name: Install yamela - run: pip install yamale - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - - name: Validate schema of ginkgo action files - shell: bash - run: | - cd src/github.com/cilium/cilium/.github/actions/ginkgo/ - for type in focus k8s-versions prs scheduled; do - yamale -s ${type}-schema.yaml *-${type}.yaml; - done - - conformance-schema-validation: - name: Validate k8s Versions Schema - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 - with: - python-version: '3.10' - - name: Install yamela - run: pip install yamale - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - - name: Validate schema of aws, azure and gke action files - shell: bash - run: | - for dir in aws azure gke;do - dir_base=".github/actions/${dir}" - file_base="${dir_base}/k8s-versions" - if [ -f ${file_base}.yaml ];then - yamale -s ${file_base}-schema.yaml ${file_base}.yaml; - fi - if [ -f ${dir_base}/test-config-schema.yaml ];then - yamale -s ${dir_base}/test-config-schema.yaml 
${dir_base}/test-config-classic.yaml - yamale -s ${dir_base}/test-config-schema.yaml ${dir_base}/test-config-helm.yaml - fi - done - - name-validation: - name: Validate Workflow Names - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - # hard-code the path instead of using ${{ github.repository }} to make sure it works for forked repo as well - path: src/github.com/cilium/cilium - - - name: Validate Job and Step names - shell: bash - run: | - EXIT=0 - cd src/github.com/cilium/cilium/.github/workflows - for FILE in *.yaml;do - JOBS=$(yq '.jobs | to_entries | .[] | select(.value.name == null) | " " + .key' $FILE) - STEPS=$(yq '.jobs | to_entries | .[] as $job | $job.value.steps[] | {"key": $job.key, "name": .name} | select(.name == null) | " "+.key' $FILE) - if [ "${JOBS}" != "" ];then - echo Jobs are missing name field, in file $FILE - echo "${JOBS}" | awk '{for (i=1; i<=NF; i++) print " " $i}' - EXIT=1 - fi - if [ "${STEPS}" != "" ];then - echo Steps are missing name field, under these Jobs in file $FILE - echo "${STEPS}" | awk '{for (i=1; i<=NF; i++) print " " $i}' - EXIT=1 - fi - done - exit ${EXIT} diff --git a/.github/workflows/needs-more-info.yaml b/.github/workflows/needs-more-info.yaml deleted file mode 100644 index 36ef29ad73715..0000000000000 --- a/.github/workflows/needs-more-info.yaml +++ /dev/null @@ -1,18 +0,0 @@ -name: Issue Info Complete - -# This workflow is triggered on issue comments. -on: - issue_comment: - types: created - -jobs: - applyNeedsAttentionLabel: - name: Apply Info Complete Label - runs-on: ubuntu-latest - steps: - - name: Apply Needs Attention Label - uses: hramos/needs-attention@d0eaa7f961c04d4da86466b1176b56e0d4089022 # v2.0.0 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - response-required-label: 'need-more-info' - needs-attention-label: 'info-completed' 
diff --git a/.github/workflows/push-chart-ci.yaml b/.github/workflows/push-chart-ci.yaml deleted file mode 100644 index f39c2e5e3fc3b..0000000000000 --- a/.github/workflows/push-chart-ci.yaml +++ /dev/null 
@@ -1,173 +0,0 @@ -name: Chart CI Push - -on: - # run after the image build completes - workflow_run: - workflows: - - Image CI Build - - Hot Fix Image Release Build - types: - - completed - # allow manually triggering it as well, for existing refs - workflow_dispatch: - inputs: - checkout_ref: - description: 'Git ref to build. This needs to be a full commit SHA.' - required: true - - # To test: uncomment this and update it to your branch name and push to the branch. - # push: - # branches: - # - ft/main/ - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - group: | - ${{ github.workflow }}-${{ github.event_name }}-${{ - (github.event_name == 'workflow_dispatch' && inputs.checkout_ref) || - (github.event_name == 'workflow_run' && github.event.workflow_run.head_sha) - }} - cancel-in-progress: true - -jobs: - push-charts: - name: Push Charts - runs-on: ubuntu-22.04 - # we also check for push events in case someone is testing the workflow by uncommenting the push trigger above. 
- if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' || github.event_name == 'push' }} - steps: - - name: Checkout GitHub main - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get triggering event ref - id: get-ref - run: | - if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then - echo ref="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT - echo sha="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT - elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then - if [[ "${{ github.event.workflow_run.head_repository.fork }}" == "true" ]]; then - # use the SHA on forks since the head_branch won't exist in the upstream repository - echo ref="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT - else - echo ref="${{ github.event.workflow_run.head_branch }}" >> $GITHUB_OUTPUT - fi - echo sha="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT - elif [[ "${{ github.event_name }}" == "push" ]]; then - echo ref="${{ github.ref }}" >> $GITHUB_OUTPUT - echo sha="${{ github.sha }}" >> $GITHUB_OUTPUT - else - echo "Invalid event type" - exit 1 - fi - - - name: Set commit status to pending - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: pending - description: Helm push in progress - - - name: Checkout Source Code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - # checkout ref not SHA so we can get useful branch names (see previous comments) - ref: ${{ steps.get-ref.outputs.ref }} - # required for git describe - fetch-depth: 0 - - name: Get version - id: get-version - run: | - set -o pipefail - set -e - if [[ -f 
./contrib/scripts/print-chart-version.sh ]]; then - echo "chart_version=$(./contrib/scripts/print-chart-version.sh)" | tee -a $GITHUB_OUTPUT - else - echo "./contrib/scripts/print-chart-version.sh missing. Perhaps it needs to be backported to your target branch?" - exit 1 - fi - - - name: Push charts - uses: cilium/reusable-workflows/.github/actions/push-helm-chart@6ae27958f2f37545bf48e44106b73df05b1f6d12 # v0.1.0 - with: - name: cilium - path: install/kubernetes/cilium - version: ${{ steps.get-version.outputs.chart_version }} - values_file_changes: | - { - - "image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci", - "image.tag": "${{ steps.get-ref.outputs.sha }}", - "image.digest": "", - "image.useDigest": false, - "preflight.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci", - "preflight.image.tag": "${{ steps.get-ref.outputs.sha }}", - "preflight.image.digest": "", - "preflight.image.useDigest": false, - "operator.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator", - "operator.image.suffix": "-ci", - "operator.image.genericDigest": "", - "operator.image.azureDigest": "", - "operator.image.awsDigest": "", - "operator.image.alibabacloudDigest": "", - "operator.image.useDigest": false, - "operator.image.tag": "${{ steps.get-ref.outputs.sha }}", - "hubble.relay.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/hubble-relay-ci", - "hubble.relay.image.tag": "${{ steps.get-ref.outputs.sha }}", - "hubble.relay.image.digest": "", - "hubble.relay.image.useDigest": false, - "clustermesh.apiserver.image.repository": "quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci", - "clustermesh.apiserver.image.tag": "${{ steps.get-ref.outputs.sha }}", - "clustermesh.apiserver.image.digest": "", - "clustermesh.apiserver.image.useDigest": false - } - registry: quay.io - registry_namespace: ${{ env.QUAY_CHARTS_ORGANIZATION_DEV }} - registry_username: ${{ secrets.QUAY_CHARTS_DEV_USERNAME }} - 
registry_password: ${{ secrets.QUAY_CHARTS_DEV_PASSWORD }} - - - name: Print helm command - run: | - echo "Example commands:" - echo helm template -n kube-system oci://quay.io/${{ env.QUAY_CHARTS_ORGANIZATION_DEV }}/cilium --version ${{ steps.get-version.outputs.chart_version }} - echo helm install cilium -n kube-system oci://quay.io/${{ env.QUAY_CHARTS_ORGANIZATION_DEV }}/cilium --version ${{ steps.get-version.outputs.chart_version }} - - - name: Set commit status to success - if: ${{ success() }} - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: success - description: Helm push successful - - - name: Set commit status to failure - if: ${{ failure() }} - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: failure - description: Helm push failed - - - name: Set commit status to cancelled - if: ${{ cancelled() }} - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ steps.get-ref.outputs.sha }} - status: error - description: Helm push cancelled diff --git a/.github/workflows/scale-test-100-gce.yaml b/.github/workflows/scale-test-100-gce.yaml deleted file mode 100644 index ca06b33106815..0000000000000 --- a/.github/workflows/scale-test-100-gce.yaml +++ /dev/null 
@@ -1,221 +0,0 @@ -name: 100 Nodes Scale Test - -on: - schedule: - - cron: '39 0 * * 1-5' - -permissions: - # To be able to access the repository with actions/checkout - contents: read - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. - group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=github-releases depName=kubernetes/kops - kops_version: v1.28.1 - # renovate: datasource=golang-version depName=go - go_version: 1.21.4 - # Adding k8s.local to the end makes kops happy- - # has stricter DNS naming requirements. 
- test_name: scale-100 - cluster_base_name: ${{ github.run_id }}-${{ github.run_attempt }}.k8s.local - GCP_PERF_RESULTS_BUCKET: gs://cilium-scale-results - -jobs: - install-and-scaletest: - runs-on: ubuntu-latest - name: Install and Scale Test - timeout-minutes: 150 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ github.sha }} - - - name: Set up job variables - id: vars - run: | - SHA="${{ github.sha }}" - - # Setup Cilium install options - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --wait=false" - - CLUSTER_NAME="${{ env.test_name }}-${{ env.cluster_base_name }}" - - echo SHA=${SHA} >> $GITHUB_OUTPUT - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo CLUSTER_NAME=${CLUSTER_NAME} >> $GITHUB_OUTPUT - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.SHA }} &> /dev/null; do sleep 45s; done - done - - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - go-version: ${{ env.go_version }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - - - name: Install Kops - uses: cilium/scale-tests-action/install-kops@8a522b9d71254b6f6615c296e41a70610c9615ea # main - with: - release_version: ${{ env.kops_version }} - - - name: Setup 
gcloud credentials - uses: google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591 # v2.0.0 - with: - credentials_json: '${{ secrets.GCP_PERF_SA_KEY }}' - - - name: Setup gcloud CLI - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1 - with: - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - version: "405.0.0" - - - name: Clone ClusterLoader2 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - repository: cilium/perf-tests - ref: 6f1bf283e22aa4c29d5db2a7b52501b091a0912e # master - persist-credentials: false - sparse-checkout: clusterloader2 - path: perf-tests - - - name: Display version info of installed tools - run: | - echo "--- go ---" - go version - echo "--- cilium-cli ---" - cilium version --client - echo "--- kops ---" - ./kops version - echo "--- gcloud ---" - gcloud version - - - name: Deploy cluster - id: deploy-cluster - uses: cilium/scale-tests-action/create-cluster@8a522b9d71254b6f6615c296e41a70610c9615ea # main - timeout-minutes: 30 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - control_plane_size: n1-standard-8 - control_plane_count: 1 - node_size: e2-medium - node_count: 100 - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - - - name: Create Instance Group for resource heavy deployments - uses: cilium/scale-tests-action/create-instance-group@8a522b9d71254b6f6615c296e41a70610c9615ea # main - timeout-minutes: 30 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - node_size: e2-standard-8 - node_count: 1 - ig_name: heapster - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Setup firewall rules - uses: cilium/scale-tests-action/setup-firewall@8a522b9d71254b6f6615c296e41a70610c9615ea # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - - - name: Install Cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: 
Wait for cluster to be ready - uses: cilium/scale-tests-action/validate-cluster@8a522b9d71254b6f6615c296e41a70610c9615ea # main - timeout-minutes: 20 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - - - name: Run CL2 - id: run-cl2 - working-directory: ./perf-tests/clusterloader2 - shell: bash - timeout-minutes: 30 - run: | - mkdir ./report - export CL2_PROMETHEUS_PVC_ENABLED=false - export CL2_ENABLE_PVS=false - export CL2_ENABLE_NETWORKPOLICIES=true - export CL2_ALLOWED_SLOW_API_CALLS=1 - export CL2_SCHEDULER_THROUGHPUT_THRESHOLD=0 - - go run ./cmd/clusterloader.go \ - -v=4 \ - --testconfig=./testing/load/config.yaml \ - --provider=gce \ - --enable-prometheus-server \ - --tear-down-prometheus-server=false \ - --nodes=100 \ - --report-dir=./report \ - --experimental-prometheus-snapshot-to-report-dir=true \ - --kubeconfig=$HOME/.kube/config \ - --testoverrides=./testing/overrides/load_throughput.yaml \ - --testoverrides=./testing/experiments/use_simple_latency_query.yaml \ - 2>&1 | tee cl2-output.txt - - - name: Get sysdump - if: ${{ always() && steps.run-cl2.outcome != 'skipped' && steps.run-cl2.outcome != 'cancelled' }} - run: | - cilium status - cilium sysdump --output-filename cilium-sysdump-final - - - name: Cleanup cluster - if: ${{ always() && steps.deploy-cluster.outcome != 'skipped' }} - uses: cilium/scale-tests-action/cleanup-cluster@8a522b9d71254b6f6615c296e41a70610c9615ea # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Export results and sysdump to GS bucket - if: ${{ always() && steps.run-cl2.outcome != 'skipped' && steps.run-cl2.outcome != 'cancelled' }} - uses: cilium/scale-tests-action/export-results@8a522b9d71254b6f6615c296e41a70610c9615ea # main - with: - results_bucket: ${{ env.GCP_PERF_RESULTS_BUCKET }} - 
artifacts: ./perf-tests/clusterloader2/report/*
- other_files: cilium-sysdump-final.zip ./perf-tests/clusterloader2/cl2-output.txt
diff --git a/.github/workflows/scale-test-node-throughput-gce.yaml b/.github/workflows/scale-test-node-throughput-gce.yaml
deleted file mode 100644
index 415d0d1684674..0000000000000
--- a/.github/workflows/scale-test-node-throughput-gce.yaml
+++ /dev/null
@@ -1,207 +0,0 @@ -name: Node Throughput Test - -on: - schedule: - - cron: '39 0 * * *' - -permissions: - # To be able to access the repository with actions/checkout - contents: read - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. - group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=github-releases depName=kubernetes/kops - kops_version: v1.28.1 - # renovate: datasource=golang-version depName=go - go_version: 1.21.4 - # Adding k8s.local to the end makes kops happy- - # has stricter DNS naming requirements. 
- test_name: node-throughput - cluster_base_name: ${{ github.run_id }}-${{ github.run_attempt }}.k8s.local - GCP_PERF_RESULTS_BUCKET: gs://cilium-scale-results - CILIUM_CLI_MODE: helm - -jobs: - install-and-scaletest: - runs-on: ubuntu-latest - name: Install and Scale Test - timeout-minutes: 120 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ github.sha }} - - - name: Set up job variables - id: vars - run: | - SHA="${{ github.sha }}" - - # Setup Cilium install options - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --wait=false" - - CLUSTER_NAME="${{ env.test_name }}-${{ env.cluster_base_name }}" - - echo SHA=${SHA} >> $GITHUB_OUTPUT - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - echo CLUSTER_NAME=${CLUSTER_NAME} >> $GITHUB_OUTPUT - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.SHA }} &> /dev/null; do sleep 45s; done - done - - - name: Install Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - go-version: ${{ env.go_version }} - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - - - name: Install Kops - uses: cilium/scale-tests-action/install-kops@8a522b9d71254b6f6615c296e41a70610c9615ea # main - with: - release_version: ${{ 
env.kops_version }} - - - name: Setup gcloud credentials - uses: google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591 # v2.0.0 - with: - credentials_json: '${{ secrets.GCP_PERF_SA_KEY }}' - - - name: Setup gcloud CLI - uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1 - with: - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - version: "405.0.0" - - - name: Clone ClusterLoader2 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - repository: cilium/perf-tests - ref: 6f1bf283e22aa4c29d5db2a7b52501b091a0912e # master - persist-credentials: false - sparse-checkout: clusterloader2 - path: perf-tests - - - name: Display version info of installed tools - run: | - echo "--- go ---" - go version - echo "--- cilium-cli ---" - cilium version --client - echo "--- kops ---" - ./kops version - echo "--- gcloud ---" - gcloud version - - - name: Deploy cluster - id: deploy-cluster - uses: cilium/scale-tests-action/create-cluster@8a522b9d71254b6f6615c296e41a70610c9615ea # main - timeout-minutes: 30 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - control_plane_size: n2-standard-4 - control_plane_count: 1 - node_size: e2-standard-8 - node_count: 1 - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - project_id: ${{ secrets.GCP_PERF_PROJECT_ID }} - - - name: Setup firewall rules - uses: cilium/scale-tests-action/setup-firewall@8a522b9d71254b6f6615c296e41a70610c9615ea # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - - - name: Install Cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for cluster to be ready - uses: cilium/scale-tests-action/validate-cluster@8a522b9d71254b6f6615c296e41a70610c9615ea # main - timeout-minutes: 20 - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Wait for Cilium status to be ready - run: | - cilium 
status --wait - - - name: Run CL2 - id: run-cl2 - working-directory: ./perf-tests/clusterloader2 - timeout-minutes: 30 - shell: bash - # --enable-exec-service=false to reduce number of pods so 100 pods can fit in node - # POD_STARTUP_LATENCY_THRESHOLD=60s so the test doesn't fail, currently we have ~30s pods startup latency - run: | - mkdir ./report - echo POD_STARTUP_LATENCY_THRESHOLD: 60s >> ./testoverrides.yaml - go run ./cmd/clusterloader.go \ - -v=4 \ - --testconfig=./testing/node-throughput/config.yaml \ - --testoverrides=./testoverrides.yaml \ - --enable-exec-service=false \ - --provider=gce \ - --enable-prometheus-server \ - --tear-down-prometheus-server=false \ - --report-dir=./report \ - --kubeconfig=$HOME/.kube/config \ - 2>&1 | tee cl2-output.txt - - - name: Get sysdump - if: ${{ always() && steps.run-cl2.outcome != 'skipped' }} - run: | - cilium status - cilium sysdump --output-filename cilium-sysdump-final - - - name: Cleanup cluster - if: ${{ always() && steps.deploy-cluster.outcome != 'skipped' }} - uses: cilium/scale-tests-action/cleanup-cluster@8a522b9d71254b6f6615c296e41a70610c9615ea # main - with: - cluster_name: ${{ steps.vars.outputs.cluster_name }} - kops_state: ${{ secrets.GCP_PERF_KOPS_STATE_STORE }} - - - name: Export results and sysdump to GS bucket - if: ${{ always() && steps.run-cl2.outcome != 'skipped' }} - uses: cilium/scale-tests-action/export-results@8a522b9d71254b6f6615c296e41a70610c9615ea # main - with: - results_bucket: ${{ env.GCP_PERF_RESULTS_BUCKET }} - artifacts: ./perf-tests/clusterloader2/report/* - other_files: cilium-sysdump-final.zip ./perf-tests/clusterloader2/cl2-output.txt diff --git a/.github/workflows/tests-cifuzz.yaml b/.github/workflows/tests-cifuzz.yaml deleted file mode 100644 index badaef9d98b84..0000000000000 --- a/.github/workflows/tests-cifuzz.yaml +++ /dev/null 
@@ -1,31 +0,0 @@
-name: CIFuzz
-on:
- pull_request:
- paths-ignore:
- - 'Documentation/**'
-permissions: read-all
-jobs:
- Fuzzing:
- name: Build and Run Fuzzers
- runs-on: ubuntu-latest
- steps:
- - name: Build Fuzzers
- id: build
- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@723bdbc7a8ee1e95af24284583b25d41efc0bd41
- with:
- oss-fuzz-project-name: 'cilium'
- dry-run: false
- language: go
- - name: Run Fuzzers
- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@723bdbc7a8ee1e95af24284583b25d41efc0bd41
- with:
- oss-fuzz-project-name: 'cilium'
- fuzz-seconds: 600
- dry-run: false
- language: go
- - name: Upload Crash
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- if: failure() && steps.build.outcome == 'success'
- with:
- name: artifacts
- path: ./out/artifacts
diff --git a/.github/workflows/tests-clustermesh-upgrade.yaml b/.github/workflows/tests-clustermesh-upgrade.yaml
deleted file mode 100644
index 3bc09c51cfe65..0000000000000
--- a/.github/workflows/tests-clustermesh-upgrade.yaml
+++ /dev/null
@@ -1,560 +0,0 @@ -name: Cilium Cluster Mesh upgrade (ci-clustermesh) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - # renovate: datasource=github-releases depName=kubernetes-sigs/kind - kind_version: v0.20.0 - # renovate: datasource=docker depName=quay.io/cilium/kindest-node - k8s_version: v1.29.0-rc.1 - cilium_cli_ci_version: - - clusterName1: cluster1 - clusterName2: cluster2 - contextName1: kind-cluster1 - contextName2: kind-cluster2 - -jobs: - commit-status-start: - if: ${{ github.event_name != 'push' }} - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - upgrade-and-downgrade: - name: "Upgrade and Downgrade Test" - runs-on: ubuntu-latest - timeout-minutes: 60 - env: - job_name: "Installation and Connectivity Test" - - strategy: - fail-fast: false - matrix: - include: - - name: '1' - encryption: 'disabled' - kube-proxy: 'iptables' - - - name: '2' - encryption: 'disabled' - kube-proxy: 'none' - - # Currently, ipsec requires to synchronously regenerate the host - # endpoint to ensure ordering (#25735). Given that this is a blocking - # operation, we cannot wait for full clustermesh synchronization - # for an extended period of time, as that would prevent the agents from - # becoming ready (and new pods scheduled). This means that we will - # experience cross-cluster connection drops during upgrades/downgrades, - # given that the timeout is too low to account for the initialization - # of a new clustermesh-apiserver replica (while it is enough to prevent - # issues in case of agent restarts, if all remote clusters are ready). 
- # - name: '3' - # encryption: 'ipsec' - # kube-proxy: 'iptables' - - - name: '4' - encryption: 'wireguard' - kube-proxy: 'iptables' - - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up newest settings - id: newest-vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ inputs.SHA }} - chart-dir: ./cilium-newest/install/kubernetes/cilium - - - name: Set up job variables - id: vars - run: | - CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh) - echo "downgrade_version=${CILIUM_DOWNGRADE_VERSION}" >> $GITHUB_OUTPUT - - # * bpf.masquerade is disabled due to #23283 - # * IPv6 is disabled because an issue under investigation (#28088) seems - # to possibly cause seldom and brief connection disruptions on agent - # restart in dual stack clusters, independently of clustermesh. - # * Hubble is disabled to avoid the performance penalty in the testing - # environment due to the relatively high traffic load. - # * We explicitly configure the sync timeout to a higher value to - # give enough time to the clustermesh-apiserver to restart after - # the upgrade/downgrade before that agents regenerate the endpoints. - CILIUM_INSTALL_DEFAULTS=" \ - --set=debug.enabled=true \ - --set=bpf.masquerade=false \ - --set=bpf.monitorAggregation=none \ - --set=hubble.enabled=false \ - --set=routingMode=tunnel \ - --set=tunnelProtocol=vxlan \ - --set=ipv4.enabled=true \ - --set=ipv6.enabled=false \ - --set=clustermesh.useAPIServer=true \ - --set=clustermesh.config.enabled=true \ - --set=extraConfig.clustermesh-ip-identities-sync-timeout=5m" - - # Run only a limited subset of tests to reduce the amount of time - # required. The full suite is run in conformance-clustermesh. 
- CONNECTIVITY_TEST_DEFAULTS=" \ - --hubble=false \ - --flow-validation=disabled \ - --test='no-interrupted-connections' \ - --test='no-missed-tail-calls' \ - --test='no-policies/' \ - --test='no-policies-extra/' \ - --test='allow-all-except-world/' \ - --test='client-ingress/' \ - --test='client-egress/' \ - --test='cluster-entity-multicluster/' \ - --test='!/pod-to-world' \ - --test='!/pod-to-cidr' \ - --collect-sysdump-on-failure" - - CILIUM_INSTALL_ENCRYPTION="" - if [ "${{ matrix.encryption }}" != "disabled" ]; then - CILIUM_INSTALL_ENCRYPTION=" \ - --set=encryption.enabled=true \ - --set=encryption.type=${{ matrix.encryption }}" - fi - - echo "cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} ${CILIUM_INSTALL_ENCRYPTION}" >> $GITHUB_OUTPUT - echo "connectivity_test_defaults=${CONNECTIVITY_TEST_DEFAULTS}" >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Generate Kind configuration files - run: | - K8S_VERSION=${{ env.k8s_version }} \ - PODCIDR=10.242.0.0/16,fd00:10:242::/48 \ - SVCCIDR=10.243.0.0/16,fd00:10:243::/112 \ - IPFAMILY=dual \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster1.yaml - - K8S_VERSION=${{ env.k8s_version }} \ - PODCIDR=10.244.0.0/16,fd00:10:244::/48 \ - SVCCIDR=10.245.0.0/16,fd00:10:245::/112 \ - IPFAMILY=dual \ - KUBEPROXYMODE=${{ matrix.kube-proxy }} \ - envsubst < ./.github/kind-config.yaml.tmpl > ./.github/kind-config-cluster2.yaml - - - name: Create Kind cluster 1 - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - cluster_name: ${{ env.clusterName1 }} - version: ${{ env.kind_version }} - kubectl_version: ${{ env.k8s_version }} - config: ./.github/kind-config-cluster1.yaml - wait: 0 # The 
control-plane never becomes ready, since no CNI is present - - - name: Create Kind cluster 2 - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - cluster_name: ${{ env.clusterName2 }} - version: ${{ env.kind_version }} - kubectl_version: ${{ env.k8s_version }} - config: ./.github/kind-config-cluster2.yaml - wait: 0 # The control-plane never becomes ready, since no CNI is present - - - name: Create the IPSec secret in both clusters - if: matrix.encryption == 'ipsec' - run: | - SECRET="3 rfc4106(gcm(aes)) $(openssl rand -hex 20) 128" - kubectl --context ${{ env.contextName1 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - kubectl --context ${{ env.contextName2 }} create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="${SECRET}" - - - name: Set clustermesh connection parameters - id: clustermesh-vars - run: | - # Let's retrieve in advance the parameters to mesh the two clusters, so - # that we don't need to do that through the CLI in a second step, as it - # would be reset during upgrade (as we are resetting the values). 
- - IP1=$(kubectl --context ${{ env.contextName1 }} get nodes \ - ${{ env.clusterName1 }}-worker -o wide --no-headers | awk '{ print $6 }') - IP2=$(kubectl --context ${{ env.contextName2 }} get nodes \ - ${{ env.clusterName2 }}-worker -o wide --no-headers | awk '{ print $6 }') - - # Explicitly configure the NodePorts to make sure that they are different - # in each cluster, to workaround #24692 - PORT1=32379 - PORT2=32380 - - CILIUM_INSTALL_CLUSTER1=" \ - --set cluster.name=${{ env.clusterName1 }} \ - --set cluster.id=1 \ - --set clustermesh.apiserver.service.nodePort=$PORT1 \ - --set clustermesh.config.clusters[0].name=${{ env.clusterName2 }} \ - --set clustermesh.config.clusters[0].ips={$IP2} \ - --set clustermesh.config.clusters[0].port=$PORT2" - - CILIUM_INSTALL_CLUSTER2=" \ - --set cluster.name=${{ env.clusterName2 }} \ - --set cluster.id=255 \ - --set clustermesh.apiserver.service.nodePort=$PORT2 \ - --set clustermesh.config.clusters[0].name=${{ env.clusterName1 }} \ - --set clustermesh.config.clusters[0].ips={$IP1} \ - --set clustermesh.config.clusters[0].port=$PORT1" - - echo cilium_install_cluster1=$CILIUM_INSTALL_CLUSTER1 >> $GITHUB_OUTPUT - echo cilium_install_cluster2=$CILIUM_INSTALL_CLUSTER2 >> $GITHUB_OUTPUT - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - path: cilium-newest - ref: ${{ steps.newest-vars.outputs.sha }} - sparse-checkout: | - install/kubernetes/cilium - persist-credentials: false - - - name: Checkout ${{ steps.vars.outputs.downgrade_version }} branch - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - path: cilium-downgrade - ref: ${{ steps.vars.outputs.downgrade_version }} - sparse-checkout: | - install/kubernetes/cilium - persist-credentials: false - - - name: Set up downgrade settings - id: downgrade-vars - run: | - SHA="$(cd cilium-downgrade && git rev-parse HEAD)" - CILIUM_IMAGE_SETTINGS=" \ - --chart-directory=./cilium-downgrade/install/kubernetes/cilium \ - --set=image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${SHA} \ - --set=operator.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator-generic-ci:${SHA} \ - --set=clustermesh.apiserver.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/clustermesh-apiserver-ci:${SHA} \ - --set=clustermesh.apiserver.kvstoremesh.image.override=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/kvstoremesh-ci:${SHA} \ - " - echo "sha=${SHA}" >> $GITHUB_OUTPUT - echo "cilium_image_settings=${CILIUM_IMAGE_SETTINGS}" >> $GITHUB_OUTPUT - - - name: Wait for images to be available (newest) - timeout-minutes: 10 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci clustermesh-apiserver-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.newest-vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Wait for images to be available (downgrade) - timeout-minutes: 10 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci clustermesh-apiserver-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ 
steps.downgrade-vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - - name: Install Cilium in cluster1 - id: install-cilium-cluster1 - run: | - cilium --context ${{ env.contextName1 }} install \ - ${{ steps.downgrade-vars.outputs.cilium_image_settings }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster1 }} - - - name: Copy the Cilium CA secret to cluster2, as they must match - run: | - kubectl --context ${{ env.contextName1 }} get secret -n kube-system cilium-ca -o yaml | - kubectl --context ${{ env.contextName2 }} create -f - - - - name: Install Cilium in cluster2 - run: | - cilium --context ${{ env.contextName2 }} install \ - ${{ steps.newest-vars.outputs.cilium_install_defaults }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster2 }} - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Make JUnit report directory - run: | - mkdir -p cilium-junits - - - name: Run connectivity test - pre-upgrade (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --junit-file "cilium-junits/${{ env.job_name }} - pre-upgrade (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests pre-upgrade (${{ join(matrix.*, ', ') }})" - - # Create pods which establish long lived connections. They will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. 
- cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} --hubble=false \ - --include-conn-disrupt-test --conn-disrupt-test-setup - - - - name: Upgrade Cilium in cluster1 and enable kvstoremesh - run: | - cilium --context ${{ env.contextName1 }} upgrade --reset-values \ - ${{ steps.newest-vars.outputs.cilium_install_defaults }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster1 }} \ - --set clustermesh.apiserver.kvstoremesh.enabled=true - - - name: Rollout Cilium agents in cluster2 - run: | - # This makes sure that the remote agents reconnect to the new instance of the - # clustermesh-apiserver, without waiting for the watchdog mechanism to kick in. - kubectl --context ${{ env.contextName2 }} rollout restart -n kube-system ds/cilium - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Gather additional troubleshooting information - run: | - kubectl --context ${{ env.contextName1 }} get po -n cilium-test -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName2 }} get po -n cilium-test -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName1 }} logs -n cilium-test -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n cilium-test -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n cilium-test -l kind=test-conn-disrupt --prefix --previous --ignore-errors --timestamps - - - name: Run connectivity test - post-upgrade (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} connectivity test \ - 
--multi-cluster=${{ env.contextName2 }} \ - ${{ steps.vars.outputs.connectivity_test_defaults }} \ - --include-conn-disrupt-test \ - --junit-file "cilium-junits/${{ env.job_name }} - post upgrade (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests post-upgrade (${{ join(matrix.*, ', ') }})" - - # Create pods which establish long lived connections. They will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} --hubble=false \ - --include-conn-disrupt-test --conn-disrupt-test-setup - - - # Perform an additional "stress" test, scaling the clustermesh-apiservers in both clusters - # to zero replicas, and restarting all agents. Existing connections should not be disrupted. - - name: Scale the clustermesh-apiserver replicas to 0 - run: | - kubectl --context ${{ env.contextName1 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 0 - kubectl --context ${{ env.contextName2 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 0 - - - name: Rollout Cilium agents in both clusters - run: | - kubectl --context ${{ env.contextName1 }} rollout restart -n kube-system ds/cilium - kubectl --context ${{ env.contextName2 }} rollout restart -n kube-system ds/cilium - - # Wait until all agents successfully restarted before scaling the replicas again - kubectl --context ${{ env.contextName1 }} rollout status -n kube-system ds/cilium --timeout=5m - kubectl --context ${{ env.contextName2 }} rollout status -n kube-system ds/cilium --timeout=5m - - - name: Scale the clustermesh-apiserver replicas back to 1 - run: | - kubectl --context ${{ env.contextName1 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 1 - kubectl --context ${{ env.contextName2 }} scale -n kube-system deploy/clustermesh-apiserver --replicas 1 - - - name: Wait for cluster mesh status 
to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Gather additional troubleshooting information - run: | - kubectl --context ${{ env.contextName1 }} get po -n cilium-test -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName2 }} get po -n cilium-test -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName1 }} logs -n cilium-test -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n cilium-test -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n cilium-test -l kind=test-conn-disrupt --prefix --previous --ignore-errors --timestamps - - - name: Run connectivity test - stress-test (${{ join(matrix.*, ', ') }}) - run: | - # Only check that no long living connection was disrupted - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - --hubble=false \ - --flow-validation=disabled \ - --test='no-interrupted-connections' \ - --test='no-missed-tail-calls' \ - --include-conn-disrupt-test \ - --junit-file "cilium-junits/${{ env.job_name }} - stress test (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests stess-test (${{ join(matrix.*, ', ') }})" - - # Create pods which establish long lived connections. They will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. 
- cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} --hubble=false \ - --include-conn-disrupt-test --conn-disrupt-test-setup - - - - name: Downgrade Cilium in cluster1 and disable kvstoremesh - run: | - cilium --context ${{ env.contextName1 }} upgrade --reset-values \ - ${{ steps.downgrade-vars.outputs.cilium_image_settings }} \ - ${{ steps.vars.outputs.cilium_install_defaults }} \ - ${{ steps.clustermesh-vars.outputs.cilium_install_cluster1 }} - - - name: Rollout Cilium agents in cluster2 - run: | - # This makes sure that the remote agents reconnect to the new instance of the - # clustermesh-apiserver, without waiting for the watchdog mechanism to kick in. - kubectl --context ${{ env.contextName2 }} rollout restart -n kube-system ds/cilium - - - name: Wait for cluster mesh status to be ready - run: | - cilium --context ${{ env.contextName1 }} status --wait - cilium --context ${{ env.contextName2 }} status --wait - cilium --context ${{ env.contextName1 }} clustermesh status --wait --wait-duration=5m - cilium --context ${{ env.contextName2 }} clustermesh status --wait --wait-duration=5m - - - name: Gather additional troubleshooting information - run: | - kubectl --context ${{ env.contextName1 }} get po -n cilium-test -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName2 }} get po -n cilium-test -o wide -l kind=test-conn-disrupt - kubectl --context ${{ env.contextName1 }} logs -n cilium-test -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n cilium-test -l kind=test-conn-disrupt --prefix --timestamps - kubectl --context ${{ env.contextName2 }} logs -n cilium-test -l kind=test-conn-disrupt --prefix --previous --ignore-errors --timestamps - - - name: Run connectivity test - post-downgrade (${{ join(matrix.*, ', ') }}) - run: | - cilium --context ${{ env.contextName1 }} connectivity test \ - --multi-cluster=${{ env.contextName2 }} \ - ${{ 
steps.vars.outputs.connectivity_test_defaults }} \ - --include-conn-disrupt-test \ - --junit-file "cilium-junits/${{ env.job_name }} - post downgrade (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests post-downgrade (${{ join(matrix.*, ', ') }})" - - - - name: Post-test information gathering - if: ${{ !success() && steps.install-cilium-cluster1.outcome != 'skipped' }} - run: | - cilium --context ${{ env.contextName1 }} status - cilium --context ${{ env.contextName1 }} clustermesh status - cilium --context ${{ env.contextName2 }} status - cilium --context ${{ env.contextName2 }} clustermesh status - - kubectl config use-context ${{ env.contextName1 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context1-final-${{ join(matrix.*, '-') }} - - kubectl config use-context ${{ env.contextName2 }} - kubectl get pods --all-namespaces -o wide - cilium sysdump --output-filename cilium-sysdump-context2-final-${{ join(matrix.*, '-') }} - shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 2 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() && github.event_name != 'push' }} - name: Commit Status Final - needs: upgrade-and-downgrade - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: 
myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.upgrade-and-downgrade.result }} diff --git a/.github/workflows/tests-datapath-verifier.yaml b/.github/workflows/tests-datapath-verifier.yaml deleted file mode 100644 index 5a389b5e1d2d7..0000000000000 --- a/.github/workflows/tests-datapath-verifier.yaml +++ /dev/null 
@@ -1,157 +0,0 @@ -name: Datapath BPF Complexity (ci-verifier) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 6 hours - schedule: - - cron: '0 5/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - # renovate: datasource=golang-version depName=go - go-version: 1.21.4 - -jobs: - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - runs-on: ubuntu-latest-4cores-16gb - name: Setup & Test - strategy: - fail-fast: false - matrix: - include: - # renovate: datasource=docker depName=quay.io/lvh-images/kind - - kernel: '4.19-20231026.065108' - ci-kernel: '419' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - - kernel: '5.4-20231026.065108' - ci-kernel: '54' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - - kernel: '5.10-20231026.065108' - ci-kernel: '510' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - - kernel: '5.15-20231026.065108' - ci-kernel: '510' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - - kernel: '6.1-20231026.065108' - ci-kernel: '61' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - - kernel: 'bpf-next-20231123.012848' - ci-kernel: 'netnext' - timeout-minutes: 60 - steps: - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.SHA || github.sha }} - persist-credentials: false - - - name: Provision LVH VMs - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - test-name: datapath-bpf-complexity - image: 'complexity-test' - image-version: ${{ matrix.kernel }} - host-mount: ./ - cpu: 4 - install-dependencies: 'true' - cmd: | - git config --global --add safe.directory /host - uname -a - # The LVH image might ship with an arbitrary Go toolchain version, - # install the same Go toolchain version as current HEAD. - CGO_ENABLED=0 GOPROXY=direct GOSUMDB= go install golang.org/dl/go${{ env.go-version }}@latest - go${{ env.go-version }} download - - - name: Run verifier tests - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - # Run with cgo disabled, LVH images don't ship with gcc. 
- CGO_ENABLED=0 go${{ env.go-version }} test -v -parallel=1 ./test/verifier -cilium-base-path /host -ci-kernel-version ${{ matrix.ci-kernel }} - - - name: Fetch artifacts - if: ${{ !success() }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host - mkdir datapath-verifier - find test/verifier -name "*.log" -o -name "*.o" -exec cp {} datapath-verifier/ \; - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: datapath-verifier_${{ matrix.kernel }} - path: datapath-verifier - retention-days: 5 - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/tests-e2e-upgrade.yaml b/.github/workflows/tests-e2e-upgrade.yaml deleted file mode 100644 index 026cfe1a48b60..0000000000000 --- a/.github/workflows/tests-e2e-upgrade.yaml +++ /dev/null 
@@ -1,490 +0,0 @@ -name: Cilium E2E Upgrade (ci-e2e-upgrade) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 6 hours - schedule: - - cron: '0 5/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - -jobs: - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - runs-on: ubuntu-latest-4cores-16gb - name: 'Setup & Test' - env: - job_name: 'Setup & Test' - strategy: - fail-fast: false - max-parallel: 16 - matrix: - include: - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - # ! NOTE: keep conformance-e2e.yaml config in sync ! - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - - - name: '1' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '4.19-20231124.100406' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'vxlan' - - - name: '2' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20231124.100406' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - - - name: '3' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20231124.100406' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'disabled' - endpoint-routes: 'true' - - - name: '4' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20231124.100406' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '5' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20231124.100406' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - 
secondary-network: 'true' - tunnel: 'disabled' - lb-mode: 'dsr' - endpoint-routes: 'true' - egress-gateway: 'true' - host-fw: 'false' # enabling breaks downgrading (missed tail calls) - - - name: '6' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20231026.065108' - kube-proxy: 'none' - kpr: 'true' - tunnel: 'vxlan' - lb-mode: 'snat' - egress-gateway: 'true' - host-fw: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - - - name: '7' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20231128.012937' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - lb-mode: 'snat' - egress-gateway: 'true' - lb-acceleration: 'testing-only' - ingress-controller: 'true' - - - name: '8' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20231128.012937' - kube-proxy: 'iptables' - kpr: 'false' - tunnel: 'geneve' - endpoint-routes: 'true' - - - name: '9' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20231124.100406' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - encryption: 'wireguard' - encryption-node: 'false' - lb-mode: 'snat' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '10' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.15-20231124.100406' - kube-proxy: 'iptables' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - encryption: 'wireguard' - encryption-node: 'false' - lb-mode: 'dsr' - endpoint-routes: 'true' - egress-gateway: 'true' - - - name: '11' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '6.1-20231026.065108' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'vxlan' - encryption: 'wireguard' - encryption-node: 'true' - lb-mode: 'snat' - 
egress-gateway: 'true' - ingress-controller: 'true' - - - name: '12' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20231128.012937' - kube-proxy: 'none' - kpr: 'true' - devices: '{eth0,eth1}' - secondary-network: 'true' - tunnel: 'disabled' - encryption: 'wireguard' - encryption-node: 'true' - lb-mode: 'snat' - egress-gateway: 'true' - ingress-controller: 'true' - - timeout-minutes: 60 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh) - echo downgrade_version=${CILIUM_DOWNGRADE_VERSION} >> $GITHUB_OUTPUT - - - name: Derive stable Cilium installation config - id: cilium-stable-config - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.downgrade_version }} - chart-dir: './cilium-${{ steps.vars.outputs.downgrade_version }}/install/kubernetes/cilium/' - tunnel: ${{ matrix.tunnel }} - devices: ${{ matrix.devices }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - misc: 'bpfClockProbe=false,cni.uninstall=false' # TODO(brb) maybe it's only needed for <1.14 - - - name: Derive newest Cilium installation config - id: cilium-newest-config - uses: 
./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: './install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - devices: ${{ matrix.devices }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - misc: 'bpfClockProbe=false,cni.uninstall=false' - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Checkout ${{ steps.vars.outputs.downgrade_version }} branch to get the Helm chart - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - path: cilium-${{ steps.vars.outputs.downgrade_version }} - ref: ${{ steps.vars.outputs.downgrade_version }} - persist-credentials: false - - - name: Install Cilium CLI-cli - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - binary-name: cilium-cli - binary-dir: ./ - - - name: Provision LVH VMs - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - test-name: ipsec-upgrade - image-version: ${{ matrix.kernel }} - host-mount: ./ - cpu: 4 - mem: '12G' - install-dependencies: 'true' - cmd: | - git config --global --add safe.directory /host - - - name: Setup K8s cluster - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - 
with: - provision: 'false' - cmd: | - cd /host/ - - IP_FAM="dual" - if [ "${{ matrix.ipv6 }}" == "false" ]; then - IP_FAM="ipv4" - fi - ./contrib/scripts/kind.sh --xdp --secondary-network "" 3 "" "" "${{ matrix.kube-proxy }}" \$IP_FAM - - kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]' - - mkdir -p cilium-junits - - - name: Wait for images to be available - timeout-minutes: 10 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium ${{ env.cilium_stable_version }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - - CILIUM_CLI_MODE=helm ./cilium-cli install \ - ${{ steps.cilium-stable-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium status - - - name: Start conn-disrupt-test - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - - # Create pods which establish long lived connections. It will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. 
- ./cilium-cli connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup - - - name: Upgrade Cilium - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - - CILIUM_CLI_MODE=helm ./cilium-cli upgrade \ - ${{ steps.cilium-newest-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium status - - - name: Test Cilium after upgrade - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - - EXTRA="" - if [ "${{ matrix.secondary-network }}" = "true" ]; then - EXTRA="--secondary-network-iface=eth1" - fi - - # Disable check-log-errors due to https://github.com/cilium/cilium-cli/issues/1858 - ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --include-conn-disrupt-test \ - --flush-ct \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests upgrade 2 (${{ join(matrix.*, ', ') }})" \ - \$EXTRA - - # --flush-ct interrupts the flows, so we need to set up again. 
- ./cilium-cli connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup - - - name: Downgrade Cilium ${{ env.cilium_stable_version }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - - CILIUM_CLI_MODE=helm ./cilium-cli upgrade \ - ${{ steps.cilium-stable-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium status - - - name: Test Cilium after downgrade to ${{ env.cilium_stable_version }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - - EXTRA="" - if [ "${{ matrix.secondary-network }}" = "true" ]; then - EXTRA="--secondary-network-iface=eth1" - fi - - kubectl -n kube-system get pods -l k8s-app=cilium --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | xargs -I'{}' /bin/sh -c "echo '{}' && kubectl -n kube-system exec '{}' -c cilium-agent -- cilium metrics list | grep drop_count" - - ./cilium-cli connectivity test --include-unsafe-tests --collect-sysdump-on-failure \ - --include-conn-disrupt-test \ - --flush-ct \ - --sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \ - --sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-" \ - --junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \ - --junit-property github_job_step="Run tests upgrade 3 (${{ join(matrix.*, ', ') }})" \ - \$EXTRA - - - name: Fetch artifacts - if: ${{ !success() }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host - kubectl -n kube-system get pods -l k8s-app=cilium --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | xargs -I'{}' /bin/sh -c "echo '{}' && kubectl -n kube-system exec '{}' -c cilium-agent -- cilium metrics list | grep drop_count" - kubectl 
get pods --all-namespaces -o wide - ./cilium-cli status - mkdir -p cilium-sysdumps - ./cilium-cli sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final - # To debug https://github.com/cilium/cilium/issues/26062 - head -n -0 /proc/buddyinfo /proc/pagetypeinfo - - - name: Upload artifacts - if: ${{ !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - if: ${{ always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 2 - - - name: Publish Test Results As GitHub Summary - if: ${{ always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/tests-ipsec-upgrade.yaml b/.github/workflows/tests-ipsec-upgrade.yaml deleted file mode 100644 index bce8dc7b5bc81..0000000000000 --- a/.github/workflows/tests-ipsec-upgrade.yaml +++ /dev/null 
@@ -1,388 +0,0 @@ -name: Cilium IPsec upgrade (ci-ipsec-upgrade) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - # Run every 6 hours - schedule: - - cron: '0 5/6 * * *' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - schedule: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'schedule' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - # renovate: datasource=docker depName=quay.io/cilium/kindest-node - k8s_version: v1.29.0-rc.1 - -jobs: - commit-status-start: - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - runs-on: ubuntu-latest-4cores-16gb - name: 'Setup & Test' - env: - job_name: 'Setup & Test' - strategy: - fail-fast: false - max-parallel: 16 - matrix: - config: ['5.4', '5.10', 'bpf-next'] - mode: ['minor', 'patch'] - include: - # Define three config sets - - config: '5.4' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.4-20231124.100406' - kube-proxy: 'iptables' - kpr: 'disabled' - tunnel: 'disabled' - encryption: 'ipsec' - - - config: '5.10' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: '5.10-20231124.100406' - kube-proxy: 'iptables' - kpr: 'disabled' - tunnel: 'disabled' - encryption: 'ipsec' - endpoint-routes: 'true' - - - config: 'bpf-next' - # renovate: datasource=docker depName=quay.io/lvh-images/kind - kernel: 'bpf-next-20231128.012937' - kube-proxy: 'iptables' - kpr: 'disabled' - tunnel: 'vxlan' - encryption: 'ipsec' - endpoint-routes: 'true' - - # Add names to matrix combinations of {config, mode} - - config: '5.4' - mode: 'minor' - name: '1' - - - config: '5.10' - mode: 'minor' - name: '2' - - - config: 'bpf-next' - mode: 'minor' - name: '3' - - - config: '5.4' - mode: 'patch' - name: '4' - - - config: '5.10' - mode: 'patch' - name: '5' - - - config: 'bpf-next' - 
mode: 'patch' - name: '6' - - timeout-minutes: 60 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - echo sha=${SHA} >> $GITHUB_OUTPUT - if [ "${{ matrix.mode }}" = "minor" ]; then - CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh) - IMAGE_TAG=${CILIUM_DOWNGRADE_VERSION} - else - # Upgrade from / downgrade to patch release. - # In some cases we expect to fail to get the version number, do not - # fail the workflow in such case. This includes: - # - on main branch where we don't have preceeding patch releases - # - on stable branches on top of release preparation commits, where - # we bump the patch version number to 90 and we can't easily - # derive the number of the previous patch release version from - # that. 
- CILIUM_DOWNGRADE_VERSION=$(contrib/scripts/print-downgrade-version.sh patch || true) - # Pass an empty tag to the cilium-config action to fall back to the - # default release image, without crafting an image path with the - # "-ci" suffix - IMAGE_TAG='' - fi - echo downgrade_version=${CILIUM_DOWNGRADE_VERSION} >> $GITHUB_OUTPUT - echo image_tag=${IMAGE_TAG} >> $GITHUB_OUTPUT - - - name: Derive stable Cilium installation config - id: cilium-stable-config - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.image_tag }} - chart-dir: './cilium-${{ steps.vars.outputs.downgrade_version }}/install/kubernetes/cilium/' - tunnel: ${{ matrix.tunnel }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - misc: 'bpfClockProbe=false,cni.uninstall=false' - - - name: Derive newest Cilium installation config - id: cilium-newest-config - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: ./.github/actions/cilium-config - with: - image-tag: ${{ steps.vars.outputs.sha }} - chart-dir: './install/kubernetes/cilium' - tunnel: ${{ matrix.tunnel }} - endpoint-routes: ${{ matrix.endpoint-routes }} - ipv6: ${{ matrix.ipv6 }} - kpr: ${{ matrix.kpr }} - lb-mode: ${{ matrix.lb-mode }} - lb-acceleration: ${{ matrix.lb-acceleration }} - encryption: ${{ matrix.encryption }} - encryption-node: ${{ matrix.encryption-node }} - egress-gateway: ${{ matrix.egress-gateway }} - host-fw: ${{ matrix.host-fw }} - mutual-auth: false - misc: 'bpfClockProbe=false,cni.uninstall=false' - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute 
untrusted code. - - name: Checkout pull request branch (NOT TRUSTED) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - - - name: Checkout ${{ steps.vars.outputs.downgrade_version }} branch to get the Helm chart - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - path: cilium-${{ steps.vars.outputs.downgrade_version }} - ref: ${{ steps.vars.outputs.downgrade_version }} - persist-credentials: false - - - name: Install Cilium CLI-cli - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - binary-name: cilium-cli - binary-dir: ./ - - - name: Provision LVH VMs - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - test-name: ipsec-upgrade - image-version: ${{ matrix.kernel }} - host-mount: ./ - cpu: 4 - mem: '12G' - install-dependencies: 'true' - cmd: | - git config --global --add safe.directory /host - - - name: Setup K8s cluster (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - - IP_FAM="dual" - if [ "${{ matrix.ipv6 }}" == "false" ]; then - IP_FAM="ipv4" - fi - IMAGE=quay.io/cilium/kindest-node:${k8s_version} ./contrib/scripts/kind.sh "" 3 "" "" "${{ matrix.kube-proxy }}" \$IP_FAM - - kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]' - kubectl create -n kube-system 
secret generic cilium-ipsec-keys \ - --from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128" - - mkdir -p cilium-junits - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Install Cilium ${{ steps.vars.outputs.downgrade_version }} (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - - CILIUM_CLI_MODE=helm ./cilium-cli install \ - ${{ steps.cilium-stable-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - # TODO: After Cilium 1.15 release, update to cilium-dbg - kubectl -n kube-system exec daemonset/cilium -- cilium status - - - name: Start conn-disrupt-test - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host/ - - # Create pods which establish long lived connections. It will be used by - # subsequent connectivity tests with --include-conn-disrupt-test to catch any - # interruption in such flows. 
- ./cilium-cli connectivity test --include-conn-disrupt-test --conn-disrupt-test-setup - - - name: Upgrade Cilium & Test (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: cilium/cilium/.github/actions/conn-disrupt-test@main - with: - job-name: ipsec-upgrade-${{ matrix.name }} - operation-cmd: | - cd /host/ - - CILIUM_CLI_MODE=helm ./cilium-cli upgrade \ - ${{ steps.cilium-newest-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - kubectl -n kube-system exec daemonset/cilium -- cilium-dbg status - - - name: Downgrade Cilium to ${{ steps.vars.outputs.downgrade_version }} & Test (${{ matrix.name }}) - if: ${{ steps.vars.outputs.downgrade_version != '' }} - uses: cilium/cilium/.github/actions/conn-disrupt-test@main - with: - job-name: ipsec-downgrade-${{ matrix.name }} - operation-cmd: | - cd /host/ - - CILIUM_CLI_MODE=helm ./cilium-cli upgrade \ - ${{ steps.cilium-stable-config.outputs.config }} - - ./cilium-cli status --wait - kubectl get pods --all-namespaces -o wide - # TODO: After Cilium 1.15 release, update to cilium-dbg - kubectl -n kube-system exec daemonset/cilium -- cilium status - - - name: Fetch artifacts - if: ${{ steps.vars.outputs.downgrade_version != '' && !success() }} - uses: cilium/little-vm-helper@8410a93e544b7e180a2365e5fdab0724a39bc02a # v0.0.13 - with: - provision: 'false' - cmd: | - cd /host - kubectl get pods --all-namespaces -o wide - ./cilium-cli status - mkdir -p cilium-sysdumps - ./cilium-cli sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final - # To debug https://github.com/cilium/cilium/issues/26062 - head -n -0 /proc/buddyinfo /proc/pagetypeinfo - - - name: Upload artifacts - if: ${{ steps.vars.outputs.downgrade_version != '' && !success() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-sysdumps - path: cilium-sysdump-*.zip - retention-days: 5 - - - name: Upload JUnits [junit] - 
if: ${{ steps.vars.outputs.downgrade_version != '' && always() }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: cilium-junits - path: cilium-junits/*.xml - retention-days: 2 - - - name: Publish Test Results As GitHub Summary - if: ${{ steps.vars.outputs.downgrade_version != '' && always() }} - uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 - with: - junit-directory: "cilium-junits" - - commit-status-final: - if: ${{ always() }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/tests-l4lb.yaml b/.github/workflows/tests-l4lb.yaml deleted file mode 100644 index 85e813f59b2ba..0000000000000 --- a/.github/workflows/tests-l4lb.yaml +++ /dev/null 
@@ -1,145 +0,0 @@ -name: Cilium L4LB XDP (ci-l4lb) - -# Any change in triggers needs to be reflected in the concurrency group. -on: - workflow_dispatch: - inputs: - PR-number: - description: "Pull request number." - required: true - context-ref: - description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." - required: true - SHA: - description: "SHA under test (head of the PR branch)." - required: true - extra-args: - description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." - required: false - default: '{}' - - push: - branches: - - main - - ft/main/** - paths-ignore: - - 'Documentation/**' - -# By specifying the access of one of the scopes, all of those that are not -# specified are set to 'none'. -permissions: - # To be able to access the repository with actions/checkout - contents: read - # To allow retrieving information from the PR API - pull-requests: read - # To be able to set commit status - statuses: write - -concurrency: - # Structure: - # - Workflow name - # - Event type - # - A unique identifier depending on event type: - # - push: SHA - # - workflow_dispatch: PR number - # - # This structure ensures a unique concurrency group name is generated for each - # type of testing, such that re-runs will cancel the previous run. 
- group: | - ${{ github.workflow }} - ${{ github.event_name }} - ${{ - (github.event_name == 'push' && github.sha) || - (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) - }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - check_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - -jobs: - commit-status-start: - if: ${{ github.event_name != 'push' }} - name: Commit Status Start - runs-on: ubuntu-latest - steps: - - name: Set initial commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - - setup-and-test: - name: Setup & Test - # Ubuntu 22.04 runner uses cgroup v2-only which is needed for some - # our LB functionality - runs-on: ubuntu-22.04 - timeout-minutes: 45 - steps: - - name: Checkout context ref (trusted) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ inputs.context-ref || github.sha }} - persist-credentials: false - - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Set up job variables - id: vars - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - SHA="${{ inputs.SHA }}" - else - SHA="${{ github.sha }}" - fi - - echo sha=${SHA} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - # Warning: since this is a privileged workflow, subsequent workflow job - # steps must take care not to execute untrusted code. 
- - name: Checkout pull request branch (NOT TRUSTED) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ steps.vars.outputs.sha }} - persist-credentials: false - path: pull-request - - - name: Wait for image to be available - timeout-minutes: 10 - shell: bash - run: | - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done - - - name: Run LoadBalancing test - id: lb-test - run: | - cd ${{ github.workspace }}/test/l4lb && sudo ./test.sh ${{ env.QUAY_ORGANIZATION_DEV }} ${{ steps.vars.outputs.sha }} - - - name: Run NAT46x64 test - run: | - cd ${{ github.workspace }}/test/nat46x64 && sudo ./test.sh ${{ env.QUAY_ORGANIZATION_DEV }} ${{ steps.vars.outputs.sha }} - - - name: Fetch Cilium Standalone LB logs - if: ${{ !success() && steps.lb-test.outcome != 'skipped' }} - run: | - docker exec -t lb-node docker logs cilium-lb - - commit-status-final: - if: ${{ always() && github.event_name != 'push' }} - name: Commit Status Final - needs: setup-and-test - runs-on: ubuntu-latest - steps: - - name: Set final commit status - uses: myrotvorets/set-commit-status-action@38f3f27c7d52fb381273e95542f07f0fba301307 # v2.0.0 - with: - sha: ${{ inputs.SHA || github.sha }} - status: ${{ needs.setup-and-test.result }} diff --git a/.github/workflows/tests-smoke-ipv6.yaml b/.github/workflows/tests-smoke-ipv6.yaml deleted file mode 100644 index 86e64eb60136c..0000000000000 --- a/.github/workflows/tests-smoke-ipv6.yaml +++ /dev/null 
@@ -1,174 +0,0 @@ -name: Smoke Test with IPv6 - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} - cancel-in-progress: true - -env: - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - # renovate: datasource=github-releases depName=kubernetes-sigs/kind - KIND_VERSION: v0.20.0 - KIND_CONFIG: .github/kind-config-ipv6.yaml - # Skip external traffic (e.g. 1.1.1.1 and www.google.com) due to no support for IPv6 in github action - CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check-internal.yaml - TIMEOUT: 5m - LOG_TIME: 30m - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-22.04 - outputs: - tested: ${{ steps.tested-tree.outputs.src }} - steps: - - name: Checkout code - if: ${{ !github.event.pull_request }} - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Check code changes - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - id: tested-tree - with: - # For `push` events, compare against the `ref` base branch - # For `pull_request` events, this is ignored and will compare against the pull request base branch - base: ${{ github.ref }} - filters: | - src: - - '!(test|Documentation)/**' - - conformance-test-ipv6: - needs: check_changes - if: ${{ needs.check_changes.outputs.tested == 'true' }} - runs-on: ubuntu-22.04 - name: Installation and Conformance Test (ipv6) - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: 
Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ github.event.pull_request.head.sha }} - - - name: Set image tag - id: sha - run: | - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - - name: Precheck generated connectivity manifest files - run: | - make -C examples/kubernetes/connectivity-check fmt - make -C examples/kubernetes/connectivity-check all - test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1) - - - name: Enable IPv6 in docker - run: | - sudo cat /etc/docker/daemon.json || true - # Keep existing config like cgroup-parent in github action - sudo sh -c "echo '{ \"exec-opts\": [\"native.cgroupdriver=cgroupfs\"], \"cgroup-parent\": \"/actions_job\", \"ipv6\": true, \"fixed-cidr-v6\": \"2001:db8:1::/64\" }' > /etc/docker/daemon.json" - sudo cat /etc/docker/daemon.json - sudo ip -6 route add 2001:db8:1::/64 dev docker0 - sudo sysctl net.ipv6.conf.default.forwarding=1 - sudo sysctl net.ipv6.conf.all.forwarding=1 - sudo systemctl restart docker - - - name: Create kind cluster - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - version: ${{ env.KIND_VERSION }} - config: ${{ env.KIND_CONFIG }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.sha.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Set up install variables - id: vars - run: | - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set nodeinit.enabled=true \ - --helm-set kubeProxyReplacement=true \ - --helm-set 
ipam.mode=kubernetes \ - --helm-set hubble.enabled=true \ - --helm-set hubble.relay.enabled=true \ - --helm-set ipv6.enabled=true \ - --helm-set ipv4.enabled=false \ - --helm-set routingMode=native \ - --helm-set autoDirectNodeRoutes=true \ - --helm-set ipv6NativeRoutingCIDR=2001:db8:1::/64 \ - --helm-set ingressController.enabled=true" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Run conformance test (e.g. connectivity check without external 1.1.1.1 and www.google.com) - run: | - kubectl apply -f ${{ env.CONFORMANCE_TEMPLATE }} - kubectl wait --for=condition=Available --all deployment --timeout=${{ env.TIMEOUT }} - - - name: Report cluster failure status and capture cilium-sysdump - if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }} - # The following is needed to prevent hubble from receiving an empty - # file (EOF) on stdin and displaying no flows. 
- shell: 'script -q -e -c "bash --noprofile --norc -eo pipefail {0}"' - run: | - echo "=== Retrieve cluster state ===" - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - - - name: Upload cilium-sysdump - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - if: ${{ failure() }} - with: - name: cilium-sysdump-out.zip - path: cilium-sysdump-out.zip diff --git a/.github/workflows/tests-smoke.yaml b/.github/workflows/tests-smoke.yaml deleted file mode 100644 index bbe2261c62b6e..0000000000000 --- a/.github/workflows/tests-smoke.yaml +++ /dev/null 
@@ -1,205 +0,0 @@ -name: Smoke Test - -# Any change in triggers needs to be reflected in the concurrency group. -on: - pull_request: {} - push: - branches: - - main - - ft/main/** - merge_group: - types: [checks_requested] - -permissions: read-all - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after || github.event.merge_group && github.run_id }} - cancel-in-progress: ${{ !github.event.merge_group }} - -env: - cilium_cli_ci_version: - CILIUM_CLI_MODE: helm - # renovate: datasource=github-releases depName=kubernetes-sigs/kind - KIND_VERSION: v0.20.0 - KIND_CONFIG: .github/kind-config.yaml - CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check.yaml - TIMEOUT: 2m - LOG_TIME: 30m - PROM_VERSION: 2.34.0 - -jobs: - check_changes: - name: Deduce required tests from code changes - runs-on: ubuntu-22.04 - outputs: - tested: ${{ steps.tested-tree.outputs.src }} - steps: - - name: Checkout code - if: ${{ !github.event.pull_request }} - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - name: Check code changes - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - id: tested-tree - with: - # For `push` events, compare against the `ref` base branch - # For `pull_request` events, this is ignored and will compare against the pull request base branch - base: ${{ github.ref }} - filters: | - src: - - '!(test|Documentation)/**' - - preflight-clusterrole: - runs-on: ubuntu-latest - name: Preflight Clusterrole Check - steps: - - name: Checkout code - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - - name: Check pre-flight clusterrole - run: make check-k8s-clusterrole - - helm-charts: - runs-on: ubuntu-latest - name: Helm Charts Check - steps: - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - 
persist-credentials: false - - - name: Run helm-charts - run: | - make -C install/kubernetes - test -z "$(git status --porcelain)" || (echo "please run 'make -C install/kubernetes' and submit your changes"; exit 1) - - conformance-test: - needs: check_changes - if: ${{ needs.check_changes.outputs.tested == 'true' && github.event_name != 'merge_group' }} - runs-on: ubuntu-latest - name: Installation and Conformance Test - steps: - - name: Checkout main branch to access local actions - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - ref: ${{ github.event.repository.default_branch }} - persist-credentials: false - - name: Set Environment Variables - uses: ./.github/actions/set-env-variables - - - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - persist-credentials: false - - - name: Get Cilium's default values - id: default_vars - uses: ./.github/actions/helm-default - with: - image-tag: ${{ github.event.pull_request.head.sha }} - - - name: Set image tag - id: sha - run: | - echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT - - - name: Precheck generated connectivity manifest files - run: | - make -C examples/kubernetes/connectivity-check fmt - make -C examples/kubernetes/connectivity-check all - test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1) - - - name: Create kind cluster - uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 - with: - version: ${{ env.KIND_VERSION }} - config: ${{ env.KIND_CONFIG }} - - - name: Wait for images to be available - timeout-minutes: 30 - shell: bash - run: | - for image in cilium-ci operator-generic-ci hubble-relay-ci ; do - until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.sha.outputs.sha }} &> /dev/null; do sleep 45s; done - done - - - name: Set up install variables - id: vars - 
run: | - CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ - --helm-set nodeinit.enabled=true \ - --helm-set kubeProxyReplacement=true \ - --helm-set ipam.mode=kubernetes \ - --helm-set hubble.relay.enabled=true \ - --helm-set prometheus.enabled=true \ - --helm-set operator.prometheus.enabled=true \ - --helm-set hubble.enabled=true \ - --helm-set=hubble.metrics.enabled=\"{dns,drop,tcp,flow,port-distribution,icmp,http}\" \ - --helm-set ingressController.enabled=true" - - echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT - - - name: Install Cilium CLI - uses: cilium/cilium-cli@beceead2bece1d174e2c11f36e6bfac8ce3f8e7d # v0.15.16 - with: - repository: ${{ env.CILIUM_CLI_RELEASE_REPO }} - release-version: ${{ env.CILIUM_CLI_VERSION }} - ci-version: ${{ env.cilium_cli_ci_version }} - - - name: Install Cilium - id: install-cilium - run: | - cilium install ${{ steps.vars.outputs.cilium_install_defaults }} - - - name: Wait for Cilium status to be ready - run: | - cilium status --wait - kubectl -n kube-system get pods - - - name: Port forward Relay - run: | - cilium hubble port-forward& - sleep 10s - [[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]] - - - name: Run conformance test (e.g. connectivity check) - run: | - kubectl apply -f ${{ env.CONFORMANCE_TEMPLATE }} - kubectl wait --for=condition=Available --all deployment --timeout=${{ env.TIMEOUT }} - - - name: Check prometheus metrics - if: ${{ success() }} - run: | - cd $HOME - cilium_pod=$(kubectl -n kube-system get po -o name --field-selector=status.phase==Running -l 'k8s-app=cilium' -o jsonpath='{.items[0].metadata.name}' ) - kubectl -n kube-system exec $cilium_pod -- sh -c "apt update && apt install curl -y" - kubectl -n kube-system exec $cilium_pod -- curl http://localhost:9962/metrics > metrics.prom - # Install promtool binary release. 
`go install` doesn't work due to - # https://github.com/prometheus/prometheus/issues/8852 and related issues. - curl -sSL --remote-name-all https://github.com/prometheus/prometheus/releases/download/v${PROM_VERSION}/{prometheus-${PROM_VERSION}.linux-amd64.tar.gz,sha256sums.txt} - sha256sum --check --ignore-missing sha256sums.txt - tar xzvf prometheus-${PROM_VERSION}.linux-amd64.tar.gz prometheus-${PROM_VERSION}.linux-amd64/promtool - rm -f prometheus-${PROM_VERSION}.linux-amd64.tar.gz - sudo mv prometheus-${PROM_VERSION}.linux-amd64/promtool /usr/bin - cat metrics.prom | promtool check metrics - - - name: Report cluster failure status and capture cilium-sysdump - if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }} - # The following is needed to prevent hubble from receiving an empty - # file (EOF) on stdin and displaying no flows. - shell: 'script -q -e -c "bash --noprofile --norc -eo pipefail {0}"' - run: | - echo "=== Retrieve cluster state ===" - kubectl get pods --all-namespaces -o wide - cilium status - cilium sysdump --output-filename cilium-sysdump-out - - - name: Upload cilium-sysdump - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - if: ${{ failure() }} - with: - name: cilium-sysdump-out.zip - path: cilium-sysdump-out.zip diff --git a/.github/workflows/update-label-backport-pr.yaml b/.github/workflows/update-label-backport-pr.yaml deleted file mode 100644 index f2a6e2d2d184d..0000000000000 --- a/.github/workflows/update-label-backport-pr.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- - # A reusable workflow designed to be called from the context of a specific - # branch whenever a backport PR is merged. The workflow scans the backport PR - # body to get the list of the backported PRs and updates their labels, replacing - # all "backport-pending/" with "backport-done/". - name: Update labels of backported PRs - on: - workflow_call: - inputs: - pr-body: - required: true - type: string - description: "The PR description containing all the references to the backported PRs." - branch: - required: true - type: string - description: "The stable branch version." - - jobs: - backport-label-updater: - name: Update labels of backported PRs - runs-on: ubuntu-latest - permissions: - pull-requests: write # Adding and removing labels - env: - body: ${{ inputs.pr-body }} - steps: - - name: Pre-process PR body - id: pre-process - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 - with: - script: | - const { body } = process.env - return body.replace(/\'/g, '') - .replace(/"/g, '') - .replace(/`/g, '') - .replace(/$/g, '') - result-encoding: string - - - name: Update labels - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - echo "${{steps.pre-process.outputs.result}}" | sed -En "/upstream-prs/ { n; p }" | cut -d ';' -f 1 | grep -Eo '[0-9]+' | while read -r pr; do - echo "Removing label backport-pending/${{ inputs.branch }} from pr #${pr}." - gh pr edit ${pr} --repo "${GITHUB_REPOSITORY}" --remove-label backport-pending/${{ inputs.branch }} - echo "Adding label backport-done/${{ inputs.branch }} to pr #${pr}." - gh pr edit ${pr} --repo "${GITHUB_REPOSITORY}" --add-label backport-done/${{ inputs.branch }} - done