Implement FromCIDR ingress tests #1494
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
christarazi
force-pushed
the
pr/christarazi/from-cidr
branch
from
84626b9
to
23e52c9
Compare
christarazi
force-pushed
the
pr/christarazi/from-cidr
branch
from
328ba35
to
5525ef7
Compare
christarazi
force-pushed
the
pr/christarazi/from-cidr
branch
from
9cff12f
to
f39c180
Compare
christarazi
force-pushed
the
pr/christarazi/from-cidr
branch
from
ba555c0
to
e6f69cd
Compare
christarazi
force-pushed
the
pr/christarazi/from-cidr
branch
from
e6f69cd
to
4a0f01d
Compare
christarazi
force-pushed
the
pr/christarazi/from-cidr
branch
from
4a0f01d
to
bc65b06
Compare
christarazi
force-pushed
the
pr/christarazi/from-cidr
branch
from
bc65b06
to
09cfe15
Compare
christarazi
force-pushed
the
pr/christarazi/from-cidr
branch
from
09cfe15
to
ccdeaf0
Compare
michi-covalent
approved these changes
Apr 11, 2023
christarazi
force-pushed
the
pr/christarazi/from-cidr
branch
from
ccdeaf0
to
c8ea70b
Compare
asauber
reviewed
Apr 14, 2023
christarazi
commented
Apr 14, 2023
| @@ -236,7 +236,7 @@ func addCommonInstallFlags(cmd *cobra.Command, params *install.Parameters) { | |||
| cmd.Flags().BoolVar(¶ms.ListVersions, "list-versions", false, "List all the available versions without actually installing") | |||
| cmd.Flags().BoolVar(¶ms.Wait, "wait", false, "Wait for helm install to finish") | |||
| cmd.Flags().DurationVar(¶ms.WaitDuration, "wait-duration", defaults.StatusWaitDuration, "Maximum time to wait for status") | |||
| cmd.Flags().StringSliceVar(¶ms.NodesWithoutCilium, "nodes-without-cilium", []string{}, "List of node names on which Cilium will not be installed. In Helm installation mode, it's assumed that the no-schedule node labels are present.") | |||
| cmd.Flags().StringSliceVar(¶ms.NodesWithoutCilium, "nodes-without-cilium", []string{}, "List of node names on which Cilium will not be installed. In Helm installation mode, it's assumed that the no-schedule node labels are present and that the infastructure has set up routing on these nodes to provide connectivity within the Cilium cluster.") | |||
There was a problem hiding this comment.
Calling this out as an FYI.
There was a problem hiding this comment.
appreciating the call-out almost one year later 🙏
asauber
approved these changes
Apr 14, 2023
brlbil
approved these changes
Apr 14, 2023
maintainer-s-little-helper
bot
added
the
ready-to-merge
The daemonset will now be deployed when we detect that the cluster contains a node that is running without Cilium. Signed-off-by: Chris Tarazi <chris@isovalent.com>
Signed-off-by: Chris Tarazi <chris@isovalent.com>
In Helm mode, we want to avoid changing any resource that's not part of the chart itself. This includes adding labels to the Node resource. Therefore, we add steps in the workflow to do this instead. Signed-off-by: Chris Tarazi <chris@isovalent.com>
This is crucial for FromCIDR policy tests where a node that is outside of the cluster (running without Cilium) initiates traffic towards pods within the cluster. In order to allow this, we need to install routes on these nodes which point to the pod CIDR of each node in the cluster, via the node IP. Signed-off-by: Chris Tarazi <chris@isovalent.com>
This commit ensures that --external-from-cidrs is not empty when --nodes-without-cilium was passed when installing Cilium. Otherwise, FromCIDR policy connectivity tests won't work properly. Signed-off-by: Chris Tarazi <chris@isovalent.com>
Preparation for from-cidr.go to be added in subsequent commits. Signed-off-by: Chris Tarazi <chris@isovalent.com>
Refactoring to pass the scenarios as a slice allows us to conditionally add to the slice in the future. Subsequent commits will add scenarios for fromCIDR tests, which will leverage this refactor. Signed-off-by: Chris Tarazi <chris@isovalent.com>
These should cover the tests from the Cilium (github.com/cilium/cilium) Ginkgo suite for FromCIDRs, see [1]. [1]: https://github.com/cilium/cilium/blob/8f9daa8c4e9ccf17c4badaa28aa6c1b0b51924a8/test/k8s/net_policies.go#L488-L557. Signed-off-by: Chris Tarazi <chris@isovalent.com>
The 3rd node does not run Cilium and will be used in the connectivity tests with `--nodes-without-cilium=kind-worker2`. This activates the new tests added in the previous commit. Signed-off-by: Chris Tarazi <chris@isovalent.com>
christarazi
force-pushed
the
pr/christarazi/from-cidr
branch
from
afddc3d
to
e0d6f35
Compare
|
Pushed to fix up an error msg and code comments, so the push had no functional impact. The CI was already green given MLH marked it as ready to merge. |
joestringer
approved these changes
Apr 14, 2023
There was a problem hiding this comment.
I think that architecturally the environment configuration stuff belongs in the setup, though I do agree with Birol that embedding bash like this makes the workflows more complicated and difficult to grok. Maybe at some point we'll just reinvent the workflows as a github action with the relevant logic in it (better code reuse for cilium/cilium that way too). Anyway, now that we're not expanding the security footprint of the deployments this LGTM. I stared at the bash for a while and nothing jumped out.
| EXTERNAL_NODE_IPS=() # Nodes IPs are collected to be passed to the Cilium CLI later on. | ||
|
|
||
| # Loop over each pod CIDR from all nodes. | ||
| for i in "${!EXTERNAL_FROM_CIDRS[@]}"; do |
There was a problem hiding this comment.
I didn't know about getting keys with the ! syntax, TIL.
Comment on lines
+85
to
+87
| if [[ $EXTERNAL_FROM_CIDR =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$ ]]; then | ||
| IP_FAMILY="v4" | ||
| elif [[ $EXTERNAL_FROM_CIDR =~ ^[0-9a-fA-F:]+/[0-9]+$ ]]; then |
There was a problem hiding this comment.
Not perfect checks for IP address formats but good enough especially in a workflow where I presume we're controlling the inputs.
There was a problem hiding this comment.
Yeah, I'm aware they aren't perfect and went for just good enough to be usable. I wanted to avoid complicating the bash code further with super long regexes, but definitely an item for followup if we can also find a way to make it more readable, i.e. using a variable instead and hide the definition of it.
maintainer-s-little-helper
bot
removed
the
ready-to-merge
aanm
approved these changes
Apr 17, 2023
maintainer-s-little-helper
bot
added
the
ready-to-merge
christarazi
added a commit
to cilium/cilium
that referenced
this pull request
May 1, 2023
The 3rd node does not run Cilium and will be used in the connectivity tests with `--nodes-without-cilium=kind-worker2`. The same was done in the cilium/cilium-cli repo, see cilium/cilium-cli#1494. Signed-off-by: Chris Tarazi <chris@isovalent.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Requires #1498 and I pulled out #1501 to a separate PR because it broke CI on cilium/cilium.
Review commit by commit.
Providing commit msg of the most important commit for convenience: