diff --git a/.drone.jsonnet b/.drone.jsonnet
index c556530ab1..2819f8c807 100644
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@@ -477,6 +477,7 @@ local integration_cilium = Step('e2e-cilium', target='e2e-qemu', privileged=true
 SHORT_INTEGRATION_TEST: 'yes',
 WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: 'yes',
 WITH_CUSTOM_CNI: 'cilium',
+ WITH_FIREWALL: 'accept',
 QEMU_WORKERS: '2',
 WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}]',
 IMAGE_REGISTRY: local_registry,
@@ -485,6 +486,18 @@ local integration_cilium_strict = Step('e2e-cilium-strict', target='e2e-qemu', p
 SHORT_INTEGRATION_TEST: 'yes',
 WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: 'yes',
 WITH_CUSTOM_CNI: 'cilium',
+ WITH_FIREWALL: 'accept',
+ QEMU_WORKERS: '2',
+ CILIUM_INSTALL_TYPE: 'strict',
+ WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]',
+ IMAGE_REGISTRY: local_registry,
+});
+local integration_cilium_strict_kubespan = Step('e2e-cilium-strict-kubespan', target='e2e-qemu', privileged=true, depends_on=[integration_cilium_strict], environment={
+ SHORT_INTEGRATION_TEST: 'yes',
+ WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: 'yes',
+ WITH_CUSTOM_CNI: 'cilium',
+ WITH_FIREWALL: 'accept',
+ WITH_KUBESPAN: 'true',
 QEMU_WORKERS: '2',
 CILIUM_INSTALL_TYPE: 'strict',
 WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]',
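Review bot: `WITH_FIREWALL: 'accept'` is added to `integration_cilium` with no comment saying what the value selects or why the Cilium steps need it; the same line is added to `integration_cilium_strict` and to the new `integration_cilium_strict_kubespan` step in the next hunk. The meaning is not visible on this page, but if it makes the host firewall's default action accept, these runs would not notice a port missing from the rule set, and that limitation is worth writing down. I would add `// default-accept firewall: <reason these steps cannot run with the blocking default>` above the setting. The Step definition starts and ends outside the hunk.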
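Review bot: The new `integration_cilium_strict_kubespan` step repeats every environment entry of `integration_cilium_strict` and differs only by `WITH_KUBESPAN: 'true'`, so the two can drift apart silently, for instance if the firewall setting is later changed in only one of them. Sharing the object keeps the KubeSpan variant an exact superset: define `local cilium_strict_env = { ... };` once and pass `environment=cilium_strict_env + { WITH_KUBESPAN: 'true' }` to the new step. The closing of the new step's environment block lies outside the hunk.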
@@ -532,6 +545,7 @@ local integration_no_cluster_discovery = Step('e2e-no-cluster-discovery', target
 local integration_kubespan = Step('e2e-kubespan', target='e2e-qemu', privileged=true, depends_on=[integration_no_cluster_discovery], environment={
 SHORT_INTEGRATION_TEST: 'yes',
 WITH_CLUSTER_DISCOVERY: 'true',
+ WITH_KUBESPAN: 'true',
 IMAGE_REGISTRY: local_registry,
 WITH_CONFIG_PATCH: '[{"op": "replace", "path": "/cluster/discovery/registries/kubernetes/disabled", "value": false}]', // use Kubernetes discovery backend
 });
@@ -621,7 +635,7 @@ local integration_pipelines = [
 integration_default_hostname,
 ]) + integration_trigger(['integration-misc']),
 Pipeline('integration-extensions', default_pipeline_steps + integration_extensions) + integration_trigger(['integration-extensions']),
- Pipeline('integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict]) + integration_trigger(['integration-cilium']),
+ Pipeline('integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict, integration_cilium_strict_kubespan]) + integration_trigger(['integration-cilium']),
 Pipeline('integration-qemu-encrypted-vip', default_pipeline_steps + [integration_qemu_encrypted_vip]) + integration_trigger(['integration-qemu-encrypted-vip']),
 Pipeline('integration-qemu-race', default_pipeline_steps + [build_race, integration_qemu_race]) + integration_trigger(['integration-qemu-race']),
 Pipeline('integration-qemu-csi', default_pipeline_steps + [integration_qemu_csi]) + integration_trigger(['integration-qemu-csi']),
@@ -646,7 +660,7 @@ local integration_pipelines = [
 integration_default_hostname,
 ], [default_cron_pipeline]) + cron_trigger(['thrice-daily', 'nightly']),
 Pipeline('cron-integration-extensions', default_pipeline_steps + integration_extensions, [default_cron_pipeline]) + cron_trigger(['nightly']),
- Pipeline('cron-integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict], [default_cron_pipeline]) + cron_trigger(['nightly']),
+ Pipeline('cron-integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict, integration_cilium_strict_kubespan], [default_cron_pipeline]) + cron_trigger(['nightly']),
 Pipeline('cron-integration-qemu-encrypted-vip', default_pipeline_steps + [integration_qemu_encrypted_vip], [default_cron_pipeline]) + cron_trigger(['thrice-daily', 'nightly']),
 Pipeline('cron-integration-qemu-race', default_pipeline_steps + [build_race, integration_qemu_race], [default_cron_pipeline]) + cron_trigger(['nightly']),
 Pipeline('cron-integration-qemu-csi', default_pipeline_steps + [integration_qemu_csi], [default_cron_pipeline]) + cron_trigger(['nightly']),
diff --git a/hack/test/e2e.sh b/hack/test/e2e.sh
index 5e8480d925..8dc2f1bdf8 100755
--- a/hack/test/e2e.sh
+++ b/hack/test/e2e.sh
@@ -242,11 +242,23 @@ function run_csi_tests { function install_and_run_cilium_cni_tests { get_kubeconfig + case "${WITH_KUBESPAN:-false}" in + true) + CILIUM_NODE_ENCRYPTION=no + CILIUM_TEST_EXTRA_ARGS=("--test="!node-to-node-encryption"") + ;; + *) + CILIUM_NODE_ENCRYPTION=yes + CILIUM_TEST_EXTRA_ARGS=() + ;; + esac + case "${CILIUM_INSTALL_TYPE:-none}" in strict) ${CILIUM_CLI} install \ --set=ipam.mode=kubernetes \ --set=kubeProxyReplacement=true \ + --set=encryption.nodeEncryption=${CILIUM_NODE_ENCRYPTION} \ --set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \ --set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \ --set=cgroup.autoMount.enabled=false \ @@ -260,6 +272,7 @@ function install_and_run_cilium_cni_tests { ${CILIUM_CLI} install \ --set=ipam.mode=kubernetes \ --set=kubeProxyReplacement=false \ + --set=encryption.nodeEncryption=${CILIUM_NODE_ENCRYPTION} \ --set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \ --set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \ --set=cgroup.autoMount.enabled=false \ @@ -275,5 +288,5 @@ function install_and_run_cilium_cni_tests { ${KUBECTL} label ns cilium-test pod-security.kubernetes.io/enforce=privileged # --external-target added, as default 'one.one.one.one' is buggy, and CloudFlare status is of course "all healthy" - ${CILIUM_CLI} connectivity test --test-namespace cilium-test --external-target google.com; ${KUBECTL} delete ns cilium-test + ${CILIUM_CLI} connectivity test --test-namespace cilium-test --external-target google.com "${CILIUM_TEST_EXTRA_ARGS[@]}"; ${KUBECTL} delete ns cilium-test }
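Review bot: `CILIUM_NODE_ENCRYPTION` is set to `yes`/`no`, which Helm-style `--set` parsing does not turn into booleans; as far as I know only the literals `true` and `false` are coerced, so `encryption.nodeEncryption=no` would reach the chart as a non-empty string and may not switch node encryption off in the KubeSpan case. This affects the `--set=encryption.nodeEncryption=${CILIUM_NODE_ENCRYPTION}` line in the `strict)` branch here and the identical line in the following hunk (`@@ -260,6 +272,7 @@`). I would assign `CILIUM_NODE_ENCRYPTION=false` and `CILIUM_NODE_ENCRYPTION=true`, and quote the expansion as `--set=encryption.nodeEncryption="${CILIUM_NODE_ENCRYPTION}"`. The install command continues outside the hunk, so whether `encryption.enabled` is set anywhere is not visible from here.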
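Review bot: With `WITH_KUBESPAN=true` the array expanded on the `connectivity test` line carries the `!node-to-node-encryption` filter set in the first hunk, so that run no longer asserts anything about encryption of node-to-node traffic, and the line has no comment saying so. Presumably KubeSpan is expected to provide that encryption, but nothing visible in this function checks it. I would add above the command `# WITH_KUBESPAN=true: node-to-node-encryption test is excluded via CILIUM_TEST_EXTRA_ARGS; inter-node encryption is not verified by this run`.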