Kind #13178

Workflow file for this run

name: Kind
# Any change in triggers needs to be reflected in the concurrency group.
pull_request: {}
- cron: '30 */2 * * *'
group: ${{ github.workflow }}-${{ github.event.pull_request.number || 'scheduled' }}
cancel-in-progress: true
# renovate: datasource=github-releases depName=kubernetes-sigs/kind
kind_version: v0.23.0
kind_config: .github/kind-config.yaml
# renovate: datasource=github-releases depName=cilium/cilium
cilium_version: v1.15.6
kubectl_version: v1.23.6
name: Kind Installation and Connectivity Test
runs-on: ubuntu-22.04
timeout-minutes: 50
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install kubectl
run: |
curl -sLO "${{ env.kubectl_version }}/bin/linux/amd64/kubectl"
curl -sLO "${{ env.kubectl_version }}/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256) kubectl" | sha256sum --check
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
kubectl version --client
- name: Set up Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
# renovate: datasource=golang-version depName=go
go-version: 1.22.4
- name: Set up Go for root
run: |
sudo ln -sf `which go` `sudo which go` || true
sudo go version
- name: Build and install cilium CLI binary
run: sudo make install
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
version: ${{ env.kind_version }}
config: ${{ env.kind_config }}
wait: 0 # The control-plane never becomes ready, since no CNI is present
# Install Cilium with HostPort support and enables Prometheus for extended connectivity test.
- name: Install Cilium
run: |
cilium install \
--version=${{ env.cilium_version }} \
--nodes-without-cilium \
--wait=false \
--set bpf.monitorAggregation=none \
--set cni.chainingMode=portmap \
--set loadBalancer.l7.backend=envoy \
--set tls.secretsBackend=k8s \
--set prometheus.enabled=true
- name: Enable Relay
run: |
cilium hubble enable --ui
cilium status --wait --interactive=false
- name: Relay Port Forward
run: |
cilium hubble port-forward&
sleep 10s
[[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]]
- name: Set up external targets
id: external_targets
run: |
export worker2_ip=$(kubectl get nodes chart-testing-worker2 -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
export worker3_ip=$(kubectl get nodes chart-testing-worker3 -o=jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
echo "worker2_ip=${worker2_ip}" >> $GITHUB_OUTPUT
echo "worker3_ip=${worker3_ip}" >> $GITHUB_OUTPUT
kubectl apply -f
kubectl rollout status -n cert-manager deployment.apps/cert-manager
kubectl rollout status -n cert-manager deployment.apps/cert-manager-webhook
kubectl create ns external-targets
cat .github/external-targets/certs.yaml | envsubst | kubectl apply -n external-targets -f -
until kubectl get secret -n external-targets external-target-cert &> /dev/null; do sleep 1s; done
kubectl apply -n external-targets -f .github/external-targets/nginx.yaml
kubectl rollout status -n external-targets ds/nginx
- name: Connectivity Test
run: |
# Setup the connectivity disruption tests. We don't really care about the result
# here (in the sense that we don't perform any operation which might cause a
# disruption), but we want to make sure that the command works as expected.
# Dispatch interval is set to 100ms, b/c otherwise (default is 0), the flow validation might time out.
cilium connectivity test --test-namespace test-namespace \
--test-concurrency=5 \
--conn-disrupt-dispatch-interval 100ms \
--include-conn-disrupt-test --conn-disrupt-test-setup
# Run the connectivity test in non-default namespace (i.e. not cilium-test)
cilium connectivity test --all-flows --test-namespace test-namespace \
--test-concurrency=5 \
--include-unsafe-tests --include-conn-disrupt-test \
--collect-sysdump-on-failure --junit-file cilium-junit-1.xml \
--junit-property type=no-tunnel \
--curl-insecure \
--external-target chart-testing-worker2 \
--external-target-ca-namespace=external-targets \
--external-target-ca-name=ca \
--external-cidr \
--external-ip ${{ steps.external_targets.outputs.worker2_ip }} \
--external-other-ip ${{ steps.external_targets.outputs.worker3_ip }}
- name: Uninstall cilium
run: |
pkill -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" || test $? -eq 1
cilium uninstall --wait
- name: Install Cilium with IPsec Encryption
run: |
kubectl create -n kube-system secret generic cilium-ipsec-keys \
--from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128"
cilium install \
--version=${{ env.cilium_version}} \
--nodes-without-cilium \
--set encryption.enabled=true \
--set encryption.type=ipsec \
--set kubeProxyReplacement=false
- name: Enable Relay
run: |
cilium hubble enable
cilium status --wait --interactive=false
- name: Relay Port Forward
run: |
cilium hubble port-forward&
sleep 10s
[[ $(pgrep -f "cilium.*hubble.*port-forward|kubectl.*port-forward.*hubble-relay" | wc -l) == 2 ]]
- name: Connectivity test
run: |
cilium connectivity test --force-deploy --all-flows --test-namespace test-namespace \
--test-concurrency=5 \
--include-unsafe-tests \
--collect-sysdump-on-failure --junit-file cilium-junit-2.xml \
--junit-property type=ipsec \
--curl-insecure \
--external-target chart-testing-worker2 \
--external-target-ca-namespace=external-targets \
--external-target-ca-name=ca \
--external-cidr \
--external-ip ${{ steps.external_targets.outputs.worker2_ip }} \
--external-other-ip ${{ steps.external_targets.outputs.worker3_ip }}
- name: Upload JUnit
if: ${{ always() }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
name: cilium-junits
path: cilium-junit*.xml
retention-days: 2
- name: Cleanup
if: ${{ always() }}
run: |
cilium status
kubectl get pods --all-namespaces -o wide
cilium sysdump --output-filename cilium-sysdump-out --hubble-flows-count 10000
shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
- name: Upload sysdump
if: ${{ !success() }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
name: cilium-sysdumps
path: cilium-sysdump-*.zip
retention-days: 5
name: Kind Helm Upgrade Clustermesh
runs-on: ubuntu-22.04
timeout-minutes: 50
kind_config_1: .github/kind-config-1.yaml
kind_config_2: .github/kind-config-2.yaml
# helm/kind-action will override the "name:" provided in the kind config with "chart-testing" unless these are
# specified as inputs. These must also match the suffix here for CLUSTER1 and CLUSTER2.
CLUSTER1: kind-c-1
CLUSTER2: kind-c-2
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Install kubectl
run: |
curl -sLO "${{ env.kubectl_version }}/bin/linux/amd64/kubectl"
curl -sLO "${{ env.kubectl_version }}/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256) kubectl" | sha256sum --check
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
kubectl version --client
- name: Set up Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
# renovate: datasource=golang-version depName=go
go-version: 1.22.4
- name: Set up Go for root
run: |
sudo ln -sf `which go` `sudo which go` || true
sudo go version
- name: Build and install cilium CLI binary
run: sudo make install
- name: Create kind cluster 1
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
version: ${{ env.kind_version }}
config: ${{ env.kind_config_1 }}
cluster_name: ${{ env.CLUSTER_NAME_1 }}
wait: 0 # The control-plane never becomes ready, since no CNI is present
- name: Install Cilium on cluster 1
run: |
cilium install --context $CLUSTER1 \
--version=${{ env.cilium_version }} \
--wait=true \
--set bpf.monitorAggregation=none \
--set cni.chainingMode=portmap \
--set \
--set$CLUSTER1 \
- name: Create kind cluster 2
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
version: ${{ env.kind_version }}
config: ${{ env.kind_config_2 }}
cluster_name: ${{ env.CLUSTER_NAME_2 }}
wait: 0 # The control-plane never becomes ready, since no CNI is present
- name: Install Cilium on cluster 2
run: |
cilium install --context $CLUSTER2 \
--version=${{ env.cilium_version }} \
--wait=true \
--set bpf.monitorAggregation=none \
--set cni.chainingMode=portmap \
--set \
- name: Enable ClusterMesh on cluster 1 using helm-based upgrade
run: |
cilium upgrade --reuse-values --context $CLUSTER1 \
--wait=true \
--set clustermesh.useAPIServer=true \
--set clustermesh.apiserver.service.type=NodePort \
--set clustermesh.apiserver.tls.server.extraDnsNames={"$,$"}
- name: Copy CA cert from cluster 1 to cluster 2
run: |
kubectl --context $CLUSTER2 delete secret -n kube-system cilium-ca && \
kubectl --context $CLUSTER1 get secrets -n kube-system cilium-ca -oyaml \
| kubectl --context $CLUSTER2 apply -f -
# Restart Cilium on cluster 2
kubectl --context $CLUSTER2 delete pod -l -A
- name: Enable ClusterMesh on cluster 2 using helm-based upgrade
run: |
cilium upgrade --reuse-values --context $CLUSTER2 \
--wait=true \
--set clustermesh.useAPIServer=true \
--set clustermesh.apiserver.service.type=NodePort \
--set clustermesh.apiserver.tls.server.extraDnsNames={"$,$"}
- name: Rename the secrets expected by the clustermesh connect command
run: |
kubectl get secrets --context $CLUSTER1 \
-n kube-system clustermesh-apiserver-remote-cert -oyaml \
| sed 's/name: .*/name: clustermesh-apiserver-client-cert/' \
| kubectl apply --context $CLUSTER1 -f -
kubectl get secrets --context $CLUSTER2 \
-n kube-system clustermesh-apiserver-remote-cert -oyaml \
| sed 's/name: .*/name: clustermesh-apiserver-client-cert/' \
| kubectl apply --context $CLUSTER2 -f -
- name: Connect the two clusters using clustermesh
run: |
cilium clustermesh connect --context $CLUSTER1 --destination-context $CLUSTER2
cilium clustermesh status --context $CLUSTER1 --wait
- name: Run the multicluster connectivity tests
run: |
# Remove unused docker stuff to avoid running out of disk space.
docker system prune -fa
# Setup the connectivity disruption tests. We don't really care about the result
# here (in the sense that we don't perform any operation which might cause a
# disruption), but we want to make sure that the command works as expected.
# Dispatch interval is set to 100ms, b/c otherwise (default is 0), the flow validation might time out.
cilium connectivity test --context $CLUSTER1 --multi-cluster $CLUSTER2 \
--conn-disrupt-dispatch-interval 100ms \
--include-conn-disrupt-test --conn-disrupt-test-setup
cilium connectivity test --context $CLUSTER1 --multi-cluster $CLUSTER2 \
--include-unsafe-tests --include-conn-disrupt-test \
--collect-sysdump-on-failure --junit-file cilium-junit-clustermesh-1.xml \
--junit-property mode=clustermesh --junit-property type=ipsec
- name: Upload JUnit
if: ${{ always() }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
name: cilium-junits-helm-upgrade-clustermesh
path: cilium-junit*.xml
retention-days: 2
- name: Cleanup
if: ${{ always() }}
run: |
cilium --context $CLUSTER1 status
kubectl --context $CLUSTER1 get pods --all-namespaces -o wide
cilium --context $CLUSTER1 sysdump --output-filename cilium-sysdump-out-c1
cilium --context $CLUSTER2 status
kubectl --context $CLUSTER2 get pods --all-namespaces -o wide
cilium --context $CLUSTER2 sysdump --output-filename cilium-sysdump-out-c2
shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
- name: Upload sysdump from cluster 1
if: ${{ !success() }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
retention-days: 5
- name: Upload sysdump from cluster 2
if: ${{ !success() }}
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
retention-days: 5