Skip to content

Commit

Permalink
Enabled nodeport/KPR when ingress is enabled
Browse files Browse the repository at this point in the history
* Cilium Ingress controller requires Kube-Proxy replacement or at
least nodeport support enabled.
* IPsec is currently not compatible with Kube-Proxy replacement.
* Removed tailing whitespaces

Signed-off-by: Philip Schmid <[email protected]>
  • Loading branch information
PhilipSchmid committed Oct 7, 2024
1 parent 68b74fa commit 2a503ab
Show file tree
Hide file tree
Showing 3 changed files with 35 additions and 26 deletions.
14 changes: 7 additions & 7 deletions .github/workflows/conformance-pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,10 @@ jobs:
# renovate: datasource=github-releases depName=siderolabs/talos
- 'v1.7.7'
config:
# --- Cilium v1.15 ---
- name: 'Vanilla'
kube-proxy: false
kube-proxy-replacement: "true"
socketlb: false
socketlb: false
bpf-masquerade: true
ipam-mode: 'kubernetes'
ipv4: true
Expand All @@ -37,6 +36,7 @@ jobs:
encryption-type: ipsec
tunnel-mode: vxlan
nodeport: true
ingress-controller: false
steps:
- name: Checkout
uses: actions/checkout@6b42224f41ee5dfe5395e27c8b2746f1f9955030
Expand All @@ -48,7 +48,7 @@ jobs:
role-to-assume: arn:aws:iam::478566851380:role/TalosConformanceCI
aws-region: us-east-2
- uses: hashicorp/setup-terraform@v3
- name: Create Talos Cluster
- name: Create Talos Cluster
run: |
cd test/conformance
./create-ci-env.sh \
Expand Down Expand Up @@ -91,19 +91,19 @@ jobs:
--set kubeProxyReplacement=${{ matrix.config.kube-proxy-replacement }} \
--set socketLB.enabled=${{ matrix.config.socketlb }} \
--set ipam.mode=${{ matrix.config.ipam-mode }} \
--set ingressController.enabled=true \
--set ingressController.enabled=${{ matrix.config.ingress-controller }} \
--set encryption.enabled=${{ matrix.config.encryption-enabled }} \
--set encryption.type=${{ matrix.config.encryption-type }} \
--set tunnelProtocol=${{ matrix.config.tunnel-mode }} \
--set nodePort.enabled=${{ matrix.config.nodeport }}
cilium-cli status --wait
- name: Run E2E Connectivity Tests
- name: Run E2E Connectivity Tests
run: |
cd test/conformance
export $(make print-kubeconfig)
./wait
kubectl create ns cilium-test
kubectl create ns cilium-test
kubectl label ns cilium-test pod-security.kubernetes.io/enforce=privileged
kubectl label ns cilium-test pod-security.kubernetes.io/warn=privileged
cilium-cli connectivity test --collect-sysdump-on-failure
Expand Down Expand Up @@ -131,5 +131,5 @@ jobs:
if: always()
run: |
cd test/conformance
make destroy
make destroy
41 changes: 25 additions & 16 deletions .github/workflows/conformance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ on:
schedule:
# Run weekly.
- cron: '0 9 * * 1'
pull_request:
paths:
- '.github/workflows/conformance.yml'
jobs:
setup-and-test:
runs-on: ubuntu-22.04
Expand All @@ -29,7 +32,7 @@ jobs:
- name: 'Vanilla'
kube-proxy: false
kube-proxy-replacement: "true"
socketlb: false
socketlb: false
bpf-masquerade: true
ipam-mode: 'kubernetes'
ipv4: true
Expand All @@ -38,32 +41,35 @@ jobs:
encryption-type: ipsec
tunnel-mode: vxlan
nodeport: true
ingress-controller: true

- name: 'Wireguard'
kube-proxy: true
kube-proxy: true
kube-proxy-replacement: "true"
socketlb: false
bpf-masquerade: true
socketlb: false
bpf-masquerade: true
ipam-mode: 'kubernetes'
ipv4: true
ipv6: false
encryption-enabled: true
encryption-type: wireguard
tunnel-mode: vxlan
nodeport: true
nodeport: true
ingress-controller: true

- name: 'IPSEC'
kube-proxy: true
kube-proxy: true
kube-proxy-replacement: "false"
socketlb: true
bpf-masquerade: false
ipam-mode: 'kubernetes'
ipv4: true
ipv6: false
encryption-enabled: true
encryption-type: ipsec
encryption-type: ipsec
tunnel-mode: vxlan
nodeport: false
ingress-controller: false

- name: 'No KPR and w/ BPF Masq'
kube-proxy: true
Expand All @@ -75,12 +81,13 @@ jobs:
ipv6: false
encryption-enabled: false
tunnel-mode: vxlan
nodeport: true
nodeport: true
ingress-controller: true

- name: 'Clusterpool IPAM Mode'
kube-proxy: false
kube-proxy-replacement: "true"
socketlb: false
socketlb: false
bpf-masquerade: true
ipam-mode: 'cluster-pool'
ipv4: true
Expand All @@ -89,19 +96,21 @@ jobs:
encryption-type: ipsec
tunnel-mode: vxlan
nodeport: true
ingress-controller: true

- name: 'With Geneve Tunnel'
kube-proxy: false
kube-proxy-replacement: "true"
socketlb: false
socketlb: false
bpf-masquerade: true
ipam-mode: 'kubernetes'
ipv4: true
ipv6: false
encryption-enabled: false
encryption-type: ipsec
tunnel-mode: geneve
tunnel-mode: geneve
nodeport: true
ingress-controller: true

steps:
- name: Checkout
Expand All @@ -114,7 +123,7 @@ jobs:
role-to-assume: arn:aws:iam::478566851380:role/TalosConformanceCI
aws-region: us-east-2
- uses: hashicorp/setup-terraform@v3
- name: Create Talos Cluster
- name: Create Talos Cluster
run: |
cd test/conformance
./create-ci-env.sh \
Expand Down Expand Up @@ -156,19 +165,19 @@ jobs:
--set kubeProxyReplacement=${{ matrix.config.kube-proxy-replacement }} \
--set socketLB.enabled=${{ matrix.config.socketlb }} \
--set ipam.mode=${{ matrix.config.ipam-mode }} \
--set ingressController.enabled=true \
--set ingressController.enabled=${{ matrix.config.ingress-controller }} \
--set encryption.enabled=${{ matrix.config.encryption-enabled }} \
--set encryption.type=${{ matrix.config.encryption-type }} \
--set tunnelProtocol=${{ matrix.config.tunnel-mode }} \
--set nodePort.enabled=${{ matrix.config.nodeport }}
cilium-cli status --wait
- name: Run E2E Connectivity Tests
- name: Run E2E Connectivity Tests
run: |
cd test/conformance
export $(make print-kubeconfig)
./wait
kubectl create ns cilium-test
kubectl create ns cilium-test
kubectl label ns cilium-test pod-security.kubernetes.io/enforce=privileged
kubectl label ns cilium-test pod-security.kubernetes.io/warn=privileged
cilium-cli connectivity test --collect-sysdump-on-failure
Expand Down Expand Up @@ -196,7 +205,7 @@ jobs:
if: always()
run: |
cd test/conformance
make destroy
make destroy
finalize:
runs-on: ubuntu-22.04
Expand Down
6 changes: 3 additions & 3 deletions test/conformance/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ image:

k8s:
requireIPv4PodCIDR: true
requireIPv6PodCIDR: false
requireIPv6PodCIDR: false


devices:
Expand All @@ -17,13 +17,13 @@ enableIPv6Masquerade: true

debug:
enabled: true

# Configure unique cluster name & ID (used for ClusterMesh in the future)
cluster:
id: 1

k8sServiceHost: "localhost"
k8sServicePort: "7445"
k8sServicePort: "7445"

# -- Monitoring and Flow Visibility

Expand Down

0 comments on commit 2a503ab

Please sign in to comment.