chore: enable kubespan+firewall for cilium tests

Enable kubespan and default block firewall with cilium tests.

Signed-off-by: Noel Georgi <git@frezbo.dev>
Noel Georgi 2023-12-04 18:58:45 +05:30
parent 98fd722d51
commit 0c86ca1cc6
No known key found for this signature in database
GPG Key ID: 21A9F444075C9E36
2 changed files with 30 additions and 3 deletions


@ -477,6 +477,7 @@ local integration_cilium = Step('e2e-cilium', target='e2e-qemu', privileged=true
SHORT_INTEGRATION_TEST: 'yes',
WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: 'yes',
WITH_CUSTOM_CNI: 'cilium',
WITH_FIREWALL: 'accept',
QEMU_WORKERS: '2',
WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}]',
IMAGE_REGISTRY: local_registry,
@ -485,6 +486,18 @@ local integration_cilium_strict = Step('e2e-cilium-strict', target='e2e-qemu', p
SHORT_INTEGRATION_TEST: 'yes',
WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: 'yes',
WITH_CUSTOM_CNI: 'cilium',
WITH_FIREWALL: 'accept',
QEMU_WORKERS: '2',
CILIUM_INSTALL_TYPE: 'strict',
WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]',
IMAGE_REGISTRY: local_registry,
});
local integration_cilium_strict_kubespan = Step('e2e-cilium-strict-kubespan', target='e2e-qemu', privileged=true, depends_on=[integration_cilium_strict], environment={
SHORT_INTEGRATION_TEST: 'yes',
WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: 'yes',
WITH_CUSTOM_CNI: 'cilium',
WITH_FIREWALL: 'accept',
WITH_KUBESPAN: 'true',
QEMU_WORKERS: '2',
CILIUM_INSTALL_TYPE: 'strict',
WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]',
@ -532,6 +545,7 @@ local integration_no_cluster_discovery = Step('e2e-no-cluster-discovery', target
local integration_kubespan = Step('e2e-kubespan', target='e2e-qemu', privileged=true, depends_on=[integration_no_cluster_discovery], environment={
SHORT_INTEGRATION_TEST: 'yes',
WITH_CLUSTER_DISCOVERY: 'true',
WITH_KUBESPAN: 'true',
IMAGE_REGISTRY: local_registry,
WITH_CONFIG_PATCH: '[{"op": "replace", "path": "/cluster/discovery/registries/kubernetes/disabled", "value": false}]', // use Kubernetes discovery backend
});
@ -621,7 +635,7 @@ local integration_pipelines = [
integration_default_hostname,
]) + integration_trigger(['integration-misc']),
Pipeline('integration-extensions', default_pipeline_steps + integration_extensions) + integration_trigger(['integration-extensions']),
Pipeline('integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict]) + integration_trigger(['integration-cilium']),
Pipeline('integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict, integration_cilium_strict_kubespan]) + integration_trigger(['integration-cilium']),
Pipeline('integration-qemu-encrypted-vip', default_pipeline_steps + [integration_qemu_encrypted_vip]) + integration_trigger(['integration-qemu-encrypted-vip']),
Pipeline('integration-qemu-race', default_pipeline_steps + [build_race, integration_qemu_race]) + integration_trigger(['integration-qemu-race']),
Pipeline('integration-qemu-csi', default_pipeline_steps + [integration_qemu_csi]) + integration_trigger(['integration-qemu-csi']),
@ -646,7 +660,7 @@ local integration_pipelines = [
integration_default_hostname,
], [default_cron_pipeline]) + cron_trigger(['thrice-daily', 'nightly']),
Pipeline('cron-integration-extensions', default_pipeline_steps + integration_extensions, [default_cron_pipeline]) + cron_trigger(['nightly']),
Pipeline('cron-integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict], [default_cron_pipeline]) + cron_trigger(['nightly']),
Pipeline('cron-integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict, integration_cilium_strict_kubespan], [default_cron_pipeline]) + cron_trigger(['nightly']),
Pipeline('cron-integration-qemu-encrypted-vip', default_pipeline_steps + [integration_qemu_encrypted_vip], [default_cron_pipeline]) + cron_trigger(['thrice-daily', 'nightly']),
Pipeline('cron-integration-qemu-race', default_pipeline_steps + [build_race, integration_qemu_race], [default_cron_pipeline]) + cron_trigger(['nightly']),
Pipeline('cron-integration-qemu-csi', default_pipeline_steps + [integration_qemu_csi], [default_cron_pipeline]) + cron_trigger(['nightly']),
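Review bot: The three cilium steps set `WITH_FIREWALL: 'accept'`, while the commit description says the tests run with a default block firewall. If the value names the default ingress policy, as that wording suggests, these runs load the firewall rules but never drop unmatched traffic, so a missing allow rule for Cilium or KubeSpan traffic would go unnoticed. Either switch `integration_cilium`, `integration_cilium_strict` and `integration_cilium_strict_kubespan` to `WITH_FIREWALL: 'block',`, or record the reason next to the value, e.g. `// default policy is accept, not block: <reason>`. The `integration_cilium_strict_kubespan` definition continues past the end of its hunk, so its closing lines are not visible here.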


@ -242,11 +242,23 @@ function run_csi_tests {
function install_and_run_cilium_cni_tests {
get_kubeconfig
case "${WITH_KUBESPAN:-false}" in
true)
CILIUM_NODE_ENCRYPTION=no
CILIUM_TEST_EXTRA_ARGS=("--test="!node-to-node-encryption"")
;;
*)
CILIUM_NODE_ENCRYPTION=yes
CILIUM_TEST_EXTRA_ARGS=()
;;
esac
case "${CILIUM_INSTALL_TYPE:-none}" in
strict)
${CILIUM_CLI} install \
--set=ipam.mode=kubernetes \
--set=kubeProxyReplacement=true \
--set=encryption.nodeEncryption=${CILIUM_NODE_ENCRYPTION} \
--set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set=cgroup.autoMount.enabled=false \
@ -260,6 +272,7 @@ function install_and_run_cilium_cni_tests {
${CILIUM_CLI} install \
--set=ipam.mode=kubernetes \
--set=kubeProxyReplacement=false \
--set=encryption.nodeEncryption=${CILIUM_NODE_ENCRYPTION} \
--set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set=cgroup.autoMount.enabled=false \
@ -275,5 +288,5 @@ function install_and_run_cilium_cni_tests {
${KUBECTL} label ns cilium-test pod-security.kubernetes.io/enforce=privileged
# --external-target added, as default 'one.one.one.one' is buggy, and CloudFlare status is of course "all healthy"
${CILIUM_CLI} connectivity test --test-namespace cilium-test --external-target google.com; ${KUBECTL} delete ns cilium-test
${CILIUM_CLI} connectivity test --test-namespace cilium-test --external-target google.com "${CILIUM_TEST_EXTRA_ARGS[@]}"; ${KUBECTL} delete ns cilium-test
}
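Review bot: `CILIUM_NODE_ENCRYPTION` is set to `yes`/`no` and passed as `--set=encryption.nodeEncryption=${CILIUM_NODE_ENCRYPTION}`, but as far as I know Helm-style `--set` parsing only coerces `true`/`false` to booleans. If so, `no` would reach the chart as a non-empty string and could be treated as enabled. Using `CILIUM_NODE_ENCRYPTION=false` and `CILIUM_NODE_ENCRYPTION=true` removes the ambiguity. The visible install lines do not show whether `encryption.enabled` is set, so it is also worth confirming that the non-KubeSpan runs really exercise node encryption. Separately, in `CILIUM_TEST_EXTRA_ARGS=("--test="!node-to-node-encryption"")` the inner quotes end and restart the string rather than nesting; `CILIUM_TEST_EXTRA_ARGS=('--test=!node-to-node-encryption')` gives the same value with unambiguous quoting.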