Cyclonus network policy test #85
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Cyclonus network policy test | |
| on: | |
| schedule: | |
| # run once a day at midnight | |
| - cron: '0 0 * * *' | |
| permissions: read-all | |
| env: | |
| # renovate: datasource=github-releases depName=cilium/cilium-cli | |
| cilium_cli_version: v0.15.4 | |
| cilium_cli_ci_version: | |
| KIND_VERSION: v0.17.0 | |
| KIND_CONFIG: .github/kind-config.yaml | |
| CONFORMANCE_TEMPLATE: examples/kubernetes/connectivity-check/connectivity-check.yaml | |
| TIMEOUT: 2m | |
| LOG_TIME: 30m | |
| jobs: | |
| preflight-clusterrole: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| persist-credentials: false | |
| - name: Check pre-flight clusterrole | |
| run: | | |
| cd install/kubernetes/cilium/templates | |
| echo "Checking for differences between preflight and agent clusterrole" | |
| diff \ | |
| -I '^[ ]\{2\}name: cilium.*' \ | |
| -I '^Keep file in sync with.*' \ | |
| -I '{{- if.*' \ | |
| cilium-agent/clusterrole.yaml \ | |
| cilium-preflight/clusterrole.yaml | |
| cyclonus-test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout main branch to access local actions | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| ref: ${{ github.event.repository.default_branch }} | |
| persist-credentials: false | |
| - name: Set Environment Variables | |
| uses: ./.github/actions/set-env-variables | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| with: | |
| persist-credentials: false | |
| - name: Precheck generated connectivity manifest files | |
| run: | | |
| make -C examples/kubernetes/connectivity-check fmt | |
| make -C examples/kubernetes/connectivity-check all | |
| test -z "$(git status --porcelain)" || (echo "please run 'make -C examples/kubernetes/connectivity-check fmt all' and submit your changes"; exit 1) | |
| - name: Set image tag | |
| id: vars | |
| run: | | |
| if [ ${{ github.event.pull_request.head.sha }} != "" ]; then | |
| echo tag=${{ github.event.pull_request.head.sha }} >> $GITHUB_OUTPUT | |
| else | |
| echo tag=${{ github.sha }} >> $GITHUB_OUTPUT | |
| fi | |
| - name: Wait for images to be available | |
| timeout-minutes: 10 | |
| shell: bash | |
| run: | | |
| until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci:${{ steps.vars.outputs.tag }} &> /dev/null; do sleep 45s; done | |
| until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator-generic-ci:${{ steps.vars.outputs.tag }} &> /dev/null; do sleep 45s; done | |
| - name: Create kind cluster | |
| uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0 | |
| with: | |
| version: ${{ env.KIND_VERSION }} | |
| config: ${{ env.KIND_CONFIG }} | |
| - name: Install cilium chart | |
| run: | | |
| helm install cilium ./install/kubernetes/cilium \ | |
| --wait \ | |
| --namespace kube-system \ | |
| --set nodeinit.enabled=true \ | |
| --set kubeProxyReplacement=partial \ | |
| --set socketLB.enabled=false \ | |
| --set externalIPs.enabled=true \ | |
| --set nodePort.enabled=true \ | |
| --set hostPort.enabled=true \ | |
| --set bpf.masquerade=false \ | |
| --set ipam.mode=kubernetes \ | |
| --set image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/cilium-ci \ | |
| --set image.tag=${{ steps.vars.outputs.tag }} \ | |
| --set image.pullPolicy=IfNotPresent \ | |
| --set image.useDigest=false \ | |
| --set operator.image.repository=quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/operator \ | |
| --set operator.image.suffix=-ci \ | |
| --set operator.image.tag=${{ steps.vars.outputs.tag }} \ | |
| --set operator.image.pullPolicy=IfNotPresent \ | |
| --set operator.image.useDigest=false \ | |
| --set prometheus.enabled=true \ | |
| --set operator.prometheus.enabled=true \ | |
| --set hubble.enabled=true \ | |
| --set hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,http}" | |
| kubectl wait -n kube-system --for=condition=Ready -l app.kubernetes.io/part-of=cilium pod --timeout=5m | |
| kubectl rollout -n kube-system status deploy/coredns --timeout=5m | |
| # To make sure that cilium CRD is available (default timeout is 5m) | |
| # https://github.com/cilium/cilium/blob/main/operator/crd.go#L34 | |
| kubectl wait --for condition=Established crd/ciliumnetworkpolicies.cilium.io --timeout=5m | |
| - name: Run cyclonus network policy test | |
| working-directory: test/k8s/manifests/netpol-cyclonus | |
| run: ./test-cyclonus.sh | |
| - name: Install Cilium CLI | |
| if: ${{ failure() }} | |
| uses: cilium/cilium-cli@2037fb55bc81db08b66e315f5f0b9169ce6f30c2 # v0.15.4 | |
| with: | |
| release-version: ${{ env.cilium_cli_version }} | |
| ci-version: ${{ env.cilium_cli_ci_version }} | |
| - name: Report cluster failure status and capture cilium-sysdump | |
| if: ${{ failure() }} | |
| run: | | |
| echo "=== Retrieve cluster state ===" | |
| kubectl get pods --all-namespaces -o wide | |
| cilium status | |
| cilium sysdump --output-filename cilium-sysdump-out | |
| - name: Upload cilium-sysdump | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| if: ${{ failure() }} | |
| with: | |
| name: cilium-sysdump-out.zip | |
| path: cilium-sysdump-out.zip |