CiliumEndpointSlice migration (ci-ces-migrate) #68
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CiliumEndpointSlice migration (ci-ces-migrate) | |
| # Any change in triggers needs to be reflected in the concurrency group. | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| PR-number: | |
| description: "Pull request number." | |
| required: true | |
| context-ref: | |
| description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)." | |
| required: true | |
| SHA: | |
| description: "SHA under test (head of the PR branch)." | |
| required: true | |
| extra-args: | |
| description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow." | |
| required: false | |
| default: '{}' | |
| # Run every 8 hours | |
| schedule: | |
| - cron: '0 5/8 * * *' | |
| # By specifying the access of one of the scopes, all of those that are not | |
| # specified are set to 'none'. | |
| permissions: | |
| # To read actions state with catchpoint/workflow-telemetry-action | |
| actions: read | |
| # To be able to access the repository with actions/checkout | |
| contents: read | |
| # To allow retrieving information from the PR API | |
| pull-requests: read | |
| # To be able to set commit status | |
| statuses: write | |
| concurrency: | |
| # Structure: | |
| # - Workflow name | |
| # - Event type | |
| # - A unique identifier depending on event type: | |
| # - push: SHA | |
| # - workflow_dispatch: PR number | |
| # | |
| # This structure ensures a unique concurrency group name is generated for each | |
| # type of testing, such that re-runs will cancel the previous run. | |
| group: | | |
| ${{ github.workflow }} | |
| ${{ github.event_name }} | |
| ${{ | |
| (github.event_name == 'schedule' && github.sha) || | |
| (github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number) | |
| }} | |
| cancel-in-progress: true | |
| env: | |
| cilium_cli_ci_version: | |
| KIND_CONFIG: .github/kind-config.yaml | |
| jobs: | |
| echo-inputs: | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| name: Echo Workflow Dispatch Inputs | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Echo Workflow Dispatch Inputs | |
| run: | | |
| echo '${{ tojson(inputs) }}' | |
| commit-status-start: | |
| name: Commit Status Start | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set initial commit status | |
| uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 | |
| with: | |
| sha: ${{ inputs.SHA || github.sha }} | |
| wait-for-images: | |
| name: Wait for images | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout context ref (trusted) | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| with: | |
| ref: ${{ inputs.context-ref || github.sha }} | |
| persist-credentials: false | |
| - name: Wait for images | |
| uses: ./.github/actions/wait-for-images | |
| with: | |
| SHA: ${{ inputs.SHA }} | |
| images: cilium-ci operator-generic-ci hubble-relay-ci cilium-cli-ci | |
| setup-and-test: | |
| needs: [wait-for-images] | |
| runs-on: ubuntu-latest | |
| name: Installation and Migration Test | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Collect Workflow Telemetry | |
| uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0 | |
| with: | |
| comment_on_pr: false | |
| - name: Checkout target branch to access local actions | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| with: | |
| ref: ${{ github.base_ref || github.ref }} | |
| persist-credentials: false | |
| - name: Set Environment Variables | |
| uses: ./.github/actions/set-env-variables | |
| - name: Set up job variables | |
| id: vars | |
| run: | | |
| if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then | |
| SHA="${{ inputs.SHA }}" | |
| else | |
| SHA="${{ github.sha }}" | |
| fi | |
| echo sha=${SHA} >> $GITHUB_OUTPUT | |
| - name: Create kind cluster | |
| uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 | |
| with: | |
| version: ${{ env.KIND_VERSION }} | |
| node_image: ${{ env.KIND_K8S_IMAGE }} | |
| kubectl_version: ${{ env.KIND_K8S_VERSION }} | |
| config: ${{ env.KIND_CONFIG }} | |
| wait: 0 # The control-plane never becomes ready, since no CNI is present | |
| - name: Set up install variables | |
| id: cilium-config | |
| uses: ./.github/actions/cilium-config | |
| with: | |
| image-tag: ${{ steps.vars.outputs.sha }} | |
| chart-dir: 'install/kubernetes/cilium' | |
| ipv6: false | |
| egress-gateway: false # Currently incompatible with CES | |
| mutual-auth: false | |
| misc: 'bpfClockProbe=false,cni.uninstall=false' | |
| - name: Install Cilium CLI | |
| uses: cilium/cilium-cli@c39ea5e50210fde2ccfe54d07122c48fd680ac8d # v0.16.18 | |
| with: | |
| skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }} | |
| image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }} | |
| image-tag: ${{ steps.vars.outputs.sha }} | |
| - name: Install Cilium | |
| id: install-cilium | |
| run: | | |
| cilium install ${{ steps.cilium-config.outputs.config }} | |
| - name: Wait for Cilium status to be ready | |
| run: | | |
| cilium status --wait | |
| kubectl get pods --all-namespaces -o wide | |
| mkdir -p cilium-junits | |
| kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium-dbg status | |
| - name: Setup conn-disrupt-test | |
| uses: ./.github/actions/conn-disrupt-test-setup | |
| - name: Enable CiliumEndpointSlice | |
| shell: bash | |
| run: | | |
| kubectl patch -n kube-system configmap cilium-config --type merge --patch '{"data":{"enable-cilium-endpoint-slice":"true"}}' | |
| kubectl rollout restart -n kube-system deployment cilium-operator | |
| for i in $(seq 1 6); | |
| do | |
| if [[ $(kubectl get crd ciliumendpointslices.cilium.io) != "" ]]; then | |
| break | |
| fi | |
| sleep 10 | |
| done | |
| kubectl wait --for condition=established --timeout=2m crd/ciliumendpointslices.cilium.io | |
| kubectl rollout restart -n kube-system ds cilium | |
| cilium status --wait | |
| kubectl get pods --all-namespaces -o wide | |
| kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium-dbg status | |
| - name: Run tests after migration | |
| uses: ./.github/actions/conn-disrupt-test-check | |
| with: | |
| job-name: ces-enable | |
| full-test: 'true' | |
| - name: Fetch artifacts | |
| if: ${{ failure() && steps.install-cilium.outcome != 'skipped' }} | |
| # The following is needed to prevent hubble from receiving an empty | |
| # file (EOF) on stdin and displaying no flows. | |
| shell: 'script -q -e -c "bash --noprofile --norc -eo pipefail {0}"' | |
| run: | | |
| echo "=== Retrieve cluster state ===" | |
| kubectl get pods --all-namespaces -o wide | |
| cilium status | |
| mkdir -p cilium-sysdumps | |
| cilium sysdump --output-filename cilium-sysdumps-out | |
| - name: Upload cilium-sysdumps | |
| uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| if: ${{ failure() }} | |
| with: | |
| name: cilium-sysdumps-out.zip | |
| path: cilium-sysdumps-out.zip | |
| - name: Upload JUnits [junit] | |
| if: ${{ always() }} | |
| uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
| with: | |
| name: cilium-junits | |
| path: cilium-junits/*.xml | |
| - name: Publish Test Results As GitHub Summary | |
| if: ${{ always() }} | |
| uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3 | |
| with: | |
| junit-directory: "cilium-junits" | |
| commit-status-final: | |
| if: ${{ always() }} | |
| name: Commit Status Final | |
| needs: setup-and-test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set final commit status | |
| uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 | |
| with: | |
| sha: ${{ inputs.SHA || github.sha }} | |
| status: ${{ needs.setup-and-test.result }} |