ci: run only minimal conformance for PR CI.

tommyp1ckles · tommyp1ckles · commit 094c4b82be62 · 2024-03-14T13:41:45.000-07:00
The full suite is too large, we will run this strictly on a schedule.

Signed-off-by: Tom Hadlaw &lt;tom.hadlaw@isovalent.com&gt;
diff --git a/.github/workflows/conformance-13-pr.yml b/.github/workflows/conformance-13-pr.yml
@@ -0,0 +1,131 @@
+# Due to difference in configuring v1.13 and v1.14+ we split v1.13 into
+# seperate workflow.
+# TODO: We can delete this and rely on just the primary conformance.yml to
+# test v1.14/v1.15/v1.16 upon the release of v1.16.
+name: Talos Conformance (v1.13) (PR)
+on:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+  pull_request:
+jobs:
+  setup-and-test:
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        cilium:
+          # renovate: datasource=github-releases depName=cilium/cilium
+          - 'v1.13.10'
+        talos:
+          # renovate: datasource=github-releases depName=siderolabs/talos
+          - 'v1.6.5'
+          # renovate: datasource=github-releases depName=siderolabs/talos
+          - 'v1.5.4'
+        config:
+          - name: 'Vanilla'
+            kube-proxy: false
+            kube-proxy-replacement: "strict"
+            socketlb: false
+            bpf-masquerade: true
+            ipam-mode: 'kubernetes'
+            ipv4: true
+            ipv6: false
+            encryption-enabled: false
+            encryption-type: ipsec
+            tunnel-mode: vxlan
+            nodeport: true
+            l7: true
+            ingress: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Configure AWS credentials from shared services account
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: arn:aws:iam::478566851380:role/TalosConformanceCI
+          aws-region: us-east-2
+      - uses: hashicorp/setup-terraform@v3
+      - name: Create Talos Cluster
+        run: |
+          cd test/conformance
+          ./create-ci-env.sh \
+            --kube-proxy ${{ matrix.config.kube-proxy}} \
+            --talos-version ${{ matrix.talos }} \
+            --pr ${{ github.run_number }} \
+            --owner "isovalent/terraform-aws-talos"
+          make apply
+      - name: Install Cilium CLI
+        uses: cilium/cilium-cli@2d69d3f50d783ae22ead9054f14b18074c70b108 # v0.16.1
+        with:
+          repository: cilium/cilium-cli
+          release-version: v0.15.20
+          ci-version: ""
+          binary-name: cilium-cli
+          binary-dir: /usr/local/bin
+      - name: Install Cilium
+        run: |
+          cd test/conformance
+          export $(make print-kubeconfig)
+          kubectl create -n kube-system secret generic cilium-ipsec-keys \
+            --from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128"
+          kubectl create -n kube-system -f ipmasq-config.yaml
+          cilium-cli install --version="${{ matrix.cilium }}" \
+            --values=values.yaml \
+            --set ipv4.enabled=${{ matrix.config.ipv4 }} \
+            --set ipv6.enabled=${{ matrix.config.ipv6 }} \
+            --set bpf.masquerade=${{ matrix.config.bpf-masquerade }} \
+            --set kubeProxyReplacement=${{ matrix.config.kube-proxy-replacement }} \
+            --set socketLB.enabled=${{ matrix.config.socketlb }} \
+            --set ipam.mode=${{ matrix.config.ipam-mode }} \
+            --set ingressController.enabled=${{ matrix.config.ingress }} \
+            --set encryption.enabled=${{ matrix.config.encryption-enabled }} \
+            --set encryption.type=${{ matrix.config.encryption-type }} \
+            --set tunnelProtocol=${{ matrix.config.tunnel-mode }} \
+            --set nodePort.enabled=${{ matrix.config.nodeport }} \
+            --set l7Proxy=${{ matrix.config.l7 }}
+          cilium-cli status --wait
+
+      - name: Run E2E Connectivity Tests
+        run: |
+          cd test/conformance
+          export $(make print-kubeconfig)
+          ./wait
+          kubectl create ns cilium-test
+          kubectl label ns cilium-test pod-security.kubernetes.io/enforce=privileged
+          kubectl label ns cilium-test pod-security.kubernetes.io/warn=privileged
+          cilium-cli connectivity test --collect-sysdump-on-failure
+
+      - name: Fetch artifacts
+        if: ${{ !success() && steps.run-tests.outcome != 'skipped' }}
+        shell: bash
+        run: |
+          cd test/conformance
+          export $(make print-kubeconfig)
+          kubectl get svc -o wide -A
+          kubectl get pods --all-namespaces -o wide
+          cilium-cli status
+          mkdir -p cilium-sysdumps
+          cilium-cli sysdump --output-filename cilium-sysdump-${{ github.run_id }}-${{ github.run_number }}
+
+      - name: Upload artifacts
+        if: ${{ !success() }}
+        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+        with:
+          name: cilium-sysdumps-${{ github.run_id }}-${{ github.run_number }}
+          path: ./test/conformance/cilium-sysdump-*.zip
+
+      - name: Cleanup
+        if: always()
+        run: |
+          cd test/conformance
+          make destroy
+
diff --git a/.github/workflows/conformance-13.yml b/.github/workflows/conformance-13.yml
@@ -4,18 +4,9 @@
 # test v1.14/v1.15/v1.16 upon the release of v1.16.
 name: Talos Conformance (v1.13)
 on:
-  pull_request_target:
-    types:
-      - opened
-      - synchronize
-      - reopened
   schedule:
     # Run weekly.
     - cron: '0 9 * * 1'
-  push:
-    branches:
-      - main
-  pull_request:
 jobs:
   setup-and-test:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/conformance-pr.yml b/.github/workflows/conformance-pr.yml
@@ -0,0 +1,127 @@
+name: Talos Conformance (PR)
+on:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+  pull_request:
+jobs:
+  setup-and-test:
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        cilium:
+          # renovate: datasource=github-releases depName=cilium/cilium
+          - 'v1.15.1'
+          # renovate: datasource=github-releases depName=cilium/cilium
+          - 'v1.14.5'
+        talos:
+          # renovate: datasource=github-releases depName=siderolabs/talos
+          - 'v1.6.5'
+          # renovate: datasource=github-releases depName=siderolabs/talos
+          - 'v1.5.4'
+        config:
+          # --- Cilium v1.15 ---
+          - name: 'Vanilla'
+            kube-proxy: false
+            kube-proxy-replacement: "true"
+            socketlb: false 
+            bpf-masquerade: true
+            ipam-mode: 'kubernetes'
+            ipv4: true
+            ipv6: false
+            encryption-enabled: false
+            encryption-type: ipsec
+            tunnel-mode: vxlan
+            nodeport: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Configure AWS credentials from shared services account
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::478566851380:role/TalosConformanceCI
+          aws-region: us-east-2
+      - uses: hashicorp/setup-terraform@v3
+      - name: Create Talos Cluster 
+        run: |
+          cd test/conformance
+          ./create-ci-env.sh \
+            --kube-proxy ${{ matrix.config.kube-proxy}} \
+            --talos-version ${{ matrix.talos }} \
+            --pr ${{ github.run_number }} \
+            --owner "isovalent/terraform-aws-talos"
+          make apply
+      - name: Install Cilium CLI
+        uses: cilium/cilium-cli@2d69d3f50d783ae22ead9054f14b18074c70b108 # v0.16.1
+        with:
+          repository: cilium/cilium-cli
+          release-version: v0.15.20
+          ci-version: ""
+          binary-name: cilium-cli
+          binary-dir: /usr/local/bin
+      - name: Install Cilium
+        run: |
+          cd test/conformance
+          export $(make print-kubeconfig)
+          kubectl create -n kube-system secret generic cilium-ipsec-keys \
+            --from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64)) 128"
+          kubectl create -n kube-system -f ipmasq-config.yaml
+          cilium-cli install --version="${{ matrix.cilium }}" \
+            --values=values.yaml \
+            --set ipv4.enabled=${{ matrix.config.ipv4 }} \
+            --set ipv6.enabled=${{ matrix.config.ipv6 }} \
+            --set bpf.masquerade=${{ matrix.config.bpf-masquerade }} \
+            --set kubeProxyReplacement=${{ matrix.config.kube-proxy-replacement }} \
+            --set socketLB.enabled=${{ matrix.config.socketlb }} \
+            --set ipam.mode=${{ matrix.config.ipam-mode }} \
+            --set ingressController.enabled=true \
+            --set encryption.enabled=${{ matrix.config.encryption-enabled }} \
+            --set encryption.type=${{ matrix.config.encryption-type }} \
+            --set tunnelProtocol=${{ matrix.config.tunnel-mode }} \
+            --set nodePort.enabled=${{ matrix.config.nodeport }}
+          cilium-cli status --wait
+
+      - name: Run E2E Connectivity Tests 
+        run: |
+          cd test/conformance
+          export $(make print-kubeconfig)
+          ./wait
+          kubectl create ns cilium-test 
+          kubectl label ns cilium-test pod-security.kubernetes.io/enforce=privileged
+          kubectl label ns cilium-test pod-security.kubernetes.io/warn=privileged
+          cilium-cli connectivity test --collect-sysdump-on-failure
+
+      - name: Fetch artifacts
+        if: ${{ !success() && steps.run-tests.outcome != 'skipped' }}
+        shell: bash
+        run: |
+          cd test/conformance
+          export $(make print-kubeconfig)
+          kubectl get svc -o wide -A
+          kubectl get pods --all-namespaces -o wide
+          cilium-cli status
+          mkdir -p cilium-sysdumps
+          cilium-cli sysdump --output-filename cilium-sysdump-${{ github.run_id }}-${{ github.run_number }}
+
+      - name: Upload artifacts
+        if: ${{ !success() }}
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: cilium-sysdumps-${{ github.run_id }}-${{ github.run_number }}
+          path: ./test/conformance/cilium-sysdump-*.zip
+
+      - name: Cleanup
+        if: always()
+        run: |
+          cd test/conformance
+          make destroy 
+
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -1,17 +1,8 @@
 name: Talos Conformance
 on:
-  pull_request_target:
-    types:
-      - opened
-      - synchronize
-      - reopened
   schedule:
     # Run weekly.
     - cron: '0 9 * * 1'
-  push:
-    branches:
-      - main
-  pull_request:
 jobs:
   setup-and-test:
     runs-on: ubuntu-22.04
