netkit: Don't let systemd change the MAC address #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: K8s Network Policy E2E tests | |
| # Any change in triggers needs to be reflected in the concurrency group. | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - 'Documentation/**' | |
| - 'test/**' | |
| push: | |
| branches: | |
| - main | |
| - ft/main/** | |
| paths-ignore: | |
| - 'Documentation/**' | |
| - 'test/**' | |
| permissions: read-all | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} | |
| cancel-in-progress: true | |
| env: | |
| cluster_name: cilium-testing | |
| jobs: | |
| kubernetes-e2e-net: | |
| name: K8s Network Policy E2E tests | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 45 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| # TODO add "ipv6", "ipv6" fails to install cilium | |
| ipFamily: ["dual"] | |
| env: | |
| IP_FAMILY: ${{ matrix.ipFamily }} | |
| job_name: "K8s network policy tests" | |
| steps: | |
| - name: Collect Workflow Telemetry | |
| uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 | |
| with: | |
| comment_on_pr: false | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - name: Set Environment Variables | |
| uses: ./.github/actions/set-env-variables | |
| - name: Enable ipv4 and ipv6 forwarding | |
| run: | | |
| sudo sysctl -w net.ipv6.conf.all.forwarding=1 | |
| sudo sysctl -w net.ipv4.ip_forward=1 | |
| - name: Set up environment (download Kubernetes dependencies) | |
| run: | | |
| TMP_DIR=$(mktemp -d) | |
| # Test binaries | |
| curl -L https://dl.k8s.io/${{ env.KIND_K8S_VERSION }}/kubernetes-test-linux-amd64.tar.gz -o ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz | |
| tar xvzf ${TMP_DIR}/kubernetes-test-linux-amd64.tar.gz \ | |
| --directory ${TMP_DIR} \ | |
| --strip-components=3 kubernetes/test/bin/ginkgo kubernetes/test/bin/e2e.test | |
| # kubectl | |
| curl -L https://dl.k8s.io/${{ env.KIND_K8S_VERSION }}/bin/linux/amd64/kubectl -o ${TMP_DIR}/kubectl | |
| # kind | |
| curl -Lo ${TMP_DIR}/kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION }}/kind-linux-amd64 | |
| # Install | |
| sudo cp ${TMP_DIR}/ginkgo /usr/local/bin/ginkgo | |
| sudo cp ${TMP_DIR}/e2e.test /usr/local/bin/e2e.test | |
| sudo cp ${TMP_DIR}/kubectl /usr/local/bin/kubectl | |
| sudo cp ${TMP_DIR}/kind /usr/local/bin/kind | |
| sudo chmod +x /usr/local/bin/ginkgo /usr/local/bin/e2e.test /usr/local/bin/kubectl /usr/local/bin/kind | |
| sudo rm -rf ${TMP_DIR} | |
| - name: Create multi node cluster | |
| run: | | |
| cat <<EOF | /usr/local/bin/kind create cluster \ | |
| --name ${{ env.cluster_name}} \ | |
| --image ${{ env.KIND_K8S_IMAGE }} \ | |
| -v7 --retain --config=- | |
| kind: Cluster | |
| apiVersion: kind.x-k8s.io/v1alpha4 | |
| networking: | |
| ipFamily: ${IP_FAMILY} | |
| kubeProxyMode: "none" | |
| disableDefaultCNI: true | |
| nodes: | |
| - role: control-plane | |
| - role: worker | |
| - role: worker | |
| EOF | |
| - name: Workaround CoreDNS for IPv6 airgapped | |
| if: ${{ matrix.ipFamily == 'ipv6' }} | |
| run: | | |
| # Patch CoreDNS to work in Github CI | |
| # 1. Github CI doesn´t offer IPv6 connectivity, so CoreDNS should be configured | |
| # to work in an offline environment: | |
| # https://github.com/coredns/coredns/issues/2494#issuecomment-457215452 | |
| # 2. Github CI adds following domains to resolv.conf search field: | |
| # .net. | |
| # CoreDNS should handle those domains and answer with NXDOMAIN instead of SERVFAIL | |
| # otherwise pods stops trying to resolve the domain. | |
| # Get the current config | |
| original_coredns=$(/usr/local/bin/kubectl get -oyaml -n=kube-system configmap/coredns) | |
| echo "Original CoreDNS config:" | |
| echo "${original_coredns}" | |
| # Patch it | |
| fixed_coredns=$( | |
| printf '%s' "${original_coredns}" | sed \ | |
| -e 's/^.*kubernetes cluster\.local/& net/' \ | |
| -e '/^.*upstream$/d' \ | |
| -e '/^.*fallthrough.*$/d' \ | |
| -e '/^.*forward . \/etc\/resolv.conf$/d' \ | |
| -e '/^.*loop$/d' \ | |
| ) | |
| echo "Patched CoreDNS config:" | |
| echo "${fixed_coredns}" | |
| printf '%s' "${fixed_coredns}" | /usr/local/bin/kubectl apply -f - | |
| - name: Get Cilium's default values | |
| id: default_vars | |
| uses: ./.github/actions/helm-default | |
| with: | |
| image-tag: ${{ github.event.pull_request.head.sha || github.sha }} | |
| - name: Set up job variables | |
| id: vars | |
| run: | | |
| # Note: On Kind, we install Cilium with HostPort (portmap CNI chaining) enabled, | |
| # to ensure coverage of that feature in cilium connectivity test | |
| CILIUM_INSTALL_DEFAULTS="${{ steps.default_vars.outputs.cilium_install_defaults }} \ | |
| --helm-set=cni.chainingMode=portmap \ | |
| --helm-set=kubeProxyReplacement=true \ | |
| --helm-set=identityChangeGracePeriod="0s" \ | |
| --helm-set=sctp.enabled=true" | |
| echo cilium_install_defaults=${CILIUM_INSTALL_DEFAULTS} >> $GITHUB_OUTPUT | |
| echo sha=${{ steps.default_vars.outputs.sha }} >> $GITHUB_OUTPUT | |
| - name: Install Cilium CLI | |
| uses: cilium/cilium-cli@1ea75a067eb7c4ba11a9f082a365f97a14c331db # v0.18.0 | |
| with: | |
| skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} | |
| image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} | |
| image-tag: ${{ steps.vars.outputs.sha }} | |
| - name: Wait for images to be available | |
| timeout-minutes: 30 | |
| shell: bash | |
| run: | | |
| for image in cilium-ci operator-generic-ci hubble-relay-ci ; do | |
| until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done | |
| done | |
| - name: Install Cilium | |
| id: install-cilium | |
| run: | | |
| cilium install --wait ${{ steps.vars.outputs.cilium_install_defaults }} | |
| - name: Run Kubernetes sig-network network policy tests | |
| run: | | |
| # output_dir | |
| mkdir -p _artifacts | |
| # get kubeconfig to pass to the e2e binary | |
| kind get kubeconfig --name ${{ env.cluster_name }} > _artifacts/kubeconfig.conf | |
| # Kubernetes e2e tests use ginkgo and tags to select the tests that should run based on two regex, focus and skip: | |
| # Focus tests: | |
| # Netpol|NetworkPolicy : NetworkPolicy tests ignored by the other workflow | |
| # Skipped tests: | |
| # should.allow.egress.access.to.server.in.CIDR.block - https://github.com/cilium/cilium/issues/9209 | |
| # should.ensure.an.IP.overlapping.both.IPBlock.CIDR.and.IPBlock.Except.is.allowed - https://github.com/cilium/cilium/issues/9209 | |
| # should.enforce.except.clause.while.egress.access.to.server.in.CIDR.block - https://github.com/cilium/cilium/issues/9209 | |
| SKIP_FLAG="should.allow.egress.access.to.server.in.CIDR.block|should.ensure.an.IP.overlapping.both.IPBlock.CIDR.and.IPBlock.Except.is.allowed|should.enforce.except.clause.while.egress.access.to.server.in.CIDR.block" | |
| if [ "${IP_FAMILY}" != "dual" ]; then | |
| SKIP_FLAG="${SKIP_FLAG}|DualStack" | |
| fi | |
| if [ "${IP_FAMILY}" == "ipv4" ]; then | |
| SKIP_FLAG="${SKIP_FLAG}|IPv6" | |
| fi | |
| # Run tests | |
| export KUBERNETES_CONFORMANCE_TEST='y' | |
| export E2E_REPORT_DIR=${PWD}/_artifacts | |
| /usr/local/bin/ginkgo --nodes=10 \ | |
| --focus="(Netpol|NetworkPolicy)" \ | |
| --skip="${SKIP_FLAG}" \ | |
| /usr/local/bin/e2e.test \ | |
| -- \ | |
| --kubeconfig=${PWD}/_artifacts/kubeconfig.conf \ | |
| --provider=local \ | |
| --dump-logs-on-failure=true \ | |
| --report-dir=${E2E_REPORT_DIR} \ | |
| --disable-log-dump=true | |
| - name: Features tested | |
| uses: ./.github/actions/feature-status | |
| with: | |
| title: "Summary of all features tested" | |
| json-filename: "${{ env.job_name }}" | |
| - name: Post-test information gathering | |
| if: ${{ !success() && steps.install-cilium.outcome != 'skipped' }} | |
| run: | | |
| kubectl get pods --all-namespaces -o wide | |
| cilium status | |
| cilium sysdump --output-filename cilium-sysdump-final | |
| /usr/local/bin/kind export logs --name ${{ env.cluster_name }} --verbosity=3 ./_artifacts/logs | |
| shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently | |
| - name: Upload artifacts | |
| if: ${{ !success() }} | |
| uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 | |
| with: | |
| name: cilium-sysdumps | |
| path: cilium-sysdump-*.zip | |
| retention-days: 5 | |
| - name: Upload features tested | |
| if: ${{ always() }} | |
| uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 | |
| with: | |
| name: features-tested | |
| path: ${{ env.job_name }}*.json | |
| - name: Upload cluster logs | |
| if: ${{ !success() }} | |
| uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 | |
| with: | |
| name: kind-logs | |
| path: ./_artifacts/logs | |
| retention-days: 5 | |
| - name: Upload Kubernetes e2e Junit Reports | |
| if: ${{ success() }} | |
| uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 | |
| with: | |
| name: kubernetes-e2e-junit | |
| path: './_artifacts/*.xml' | |
| - name: Publish Test Results As GitHub Summary | |
| if: ${{ always() }} | |
| uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 | |
| with: | |
| junit-directory: "_artifacts" |