external-workloads: Run cilium-cli inside a container
Update externalworkloads.yaml to run cilium-cli inside a container
instead of using cilium-cli-test-job-chart. Update docker run command to
specify --user flag so that install-external-workload.sh gets created
with correct permissions.

Ref: #2623
Ref: #2627
Ref: cilium/design-cfps#9

Signed-off-by: Michi Mutsuzaki <[email protected]>
michi-covalent committed Jun 25, 2024
1 parent 9658f02 commit 2e7f6ab
Showing 4 changed files with 51 additions and 136 deletions.
42 changes: 0 additions & 42 deletions .github/in-cluster-test-scripts/external-workloads-install.sh

This file was deleted.

10 changes: 0 additions & 10 deletions .github/in-cluster-test-scripts/external-workloads.sh

This file was deleted.

1 change: 1 addition & 0 deletions .github/tools/cilium.sh
@@ -6,6 +6,7 @@ CILIUM_CLI_IMAGE_REPO=${CILIUM_CLI_IMAGE_REPO:-quay.io/cilium/cilium-cli-ci}
CILIUM_CLI_IMAGE_TAG=${CILIUM_CLI_IMAGE_TAG:-latest}

docker run \
--user "$(id -u):$(id -g)" \
--network host \
-v ~/.kube/config:/root/.kube/config \
-v "$(pwd)":/root/app \
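Review bot: With the added `--user "$(id -u):$(id -g)"` the CLI no longer runs as root, yet the kubeconfig is still bind-mounted at `/root/.kube/config`, so the container only finds and reads it if the image leaves `/root` traversable for an arbitrary uid and something sets HOME or KUBECONFIG accordingly. The rest of the `docker run` command lies outside the hunk, so this may already be handled there. If it is not, mounting the file at a neutral path and naming it explicitly is more robust: `-v ~/.kube/config:/kubeconfig:ro` plus `-e KUBECONFIG=/kubeconfig`. The `:ro` also keeps the container from modifying the runner's credentials file, provided the CLI never needs to write to it. A one-line comment above `--user` saying that it exists so files written under `/root/app` are owned by the invoking user would help the next reader.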
134 changes: 50 additions & 84 deletions .github/workflows/externalworkloads.yaml
@@ -147,55 +147,52 @@ jobs:
run: |
gcloud container clusters get-credentials ${{ env.clusterName }} --zone ${{ env.zone }}
- name: Create gcloud-free kubeconfig and load it in configmap
run: |
.github/get-kubeconfig.sh
kubectl create configmap cilium-cli-kubeconfig -n kube-system --from-file kubeconfig
- name: Load cilium install script in configmap
run: |
kubectl create configmap cilium-cli-test-script-install -n kube-system --from-file=in-cluster-test-script.sh=.github/in-cluster-test-scripts/external-workloads-install.sh
- name: Create cilium-cli install job
run: |
helm install .github/cilium-cli-test-job-chart \
--generate-name \
--set tag=${{ steps.vars.outputs.sha }} \
--set cilium_version=${{ env.cilium_version }} \
--set cluster_name=${{ env.clusterName }} \
--set job_name=cilium-cli-install \
--set test_script_cm=cilium-cli-test-script-install \
--set vm_name=${{ env.vmName }} \
--set cluster_cidr=${{ steps.cluster.outputs.cluster_cidr }}
- name: Wait for install job
env:
timeout: 10m
run: |
# Background wait for job to complete or timeout
kubectl -n kube-system wait job/cilium-cli-install --for=condition=complete --timeout=${{ env.timeout }} &
complete_pid=$!
# Background wait for job to fail
(kubectl -n kube-system wait job/cilium-cli-install --for=condition=failed --timeout=${{ env.timeout }} && exit 1) &
failed_pid=$!
# Active wait for whichever background process ends first
wait -n $complete_pid $failed_pid
EXIT_CODE=$?
# Retrieve job logs
kubectl logs --timestamps -n kube-system job/cilium-cli-install
exit ${EXIT_CODE}
shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
- name: Install Cilium CLI
uses: ./
with:
skip-build: 'true'
image-tag: ${{ steps.vars.outputs.sha }}

- name: Install Cilium
timeout-minutes: 10
run: |
# Install Cilium in cluster
cilium install \
--version "${{ env.cilium_version }}" \
--set cluster.name="${{ env.clusterName }}" \
--set bpf.monitorAggregation=none \
--datapath-mode=tunnel \
--set kubeProxyReplacement=true \
--set loadBalancer.l7.backend=envoy \
--set tls.secretsBackend=k8s \
--set ipv4NativeRoutingCIDR="${{ steps.cluster.outputs.cluster_cidr }}"
# Enable Relay
cilium hubble enable
# Wait for cilium and hubble relay to be ready
# NB: necessary to work against occassional flakes due to https://github.com/cilium/cilium-cli/issues/918
cilium status --wait
# Enable cluster mesh
# Explicitly specify LoadBalancer service type since the default type is NodePort in helm mode.
# Ref: https://github.com/cilium/cilium-cli/pull/1527#discussion_r1177244379
#
# In Helm mode, externalWorkloads.enabled is set to false by default. You need to pass
# --enable-external-workloads flag to enable it.
# Ref: https://github.com/cilium/cilium/pull/25259
cilium clustermesh enable --service-type LoadBalancer --enable-external-workloads
# Wait for cluster mesh status to be ready
cilium clustermesh status --wait
# Add VM to cluster mesh
cilium clustermesh vm create ${{ env.vmName }} -n default --ipv4-alloc-cidr 10.192.1.0/30
cilium clustermesh vm status
- name: Copy VM install script from cilium-cli-install pod
run: |
kubectl -n kube-system get configmap install-external-workload-script -o go-template='{{ .data.script }}' > install-external-workload.sh
# Create install script for VMs
cilium clustermesh vm install install-external-workload.sh --config debug
chmod +x install-external-workload.sh
- name: Finish installing Cilium on VM
run: |
gcloud compute scp install-external-workload.sh ${{ env.vmName }}:~/ --zone ${{ env.zone }}
gcloud compute ssh ${{ env.vmName }} --zone ${{ env.zone }} \
--command "~/install-external-workload.sh"
@@ -213,38 +210,14 @@ jobs:
gcloud compute ssh ${{ env.vmName }} --zone ${{ env.zone }} \
--command "ping -c 3 \$(sudo cilium service list get -o jsonpath='{[?(@.spec.flags.name==\"clustermesh-apiserver\")].spec.backend-addresses[0].ip}')"
- name: Load cilium test script in configmap
- name: Run Test
timeout-minutes: 15
run: |
kubectl create configmap cilium-cli-test-script -n kube-system --from-file=in-cluster-test-script.sh=.github/in-cluster-test-scripts/external-workloads.sh
# Run connectivity test
cilium connectivity test --debug --all-flows --collect-sysdump-on-failure --external-target google.com.
- name: Create cilium-cli test job
run: |
helm install .github/cilium-cli-test-job-chart \
--generate-name \
--set tag=${{ steps.vars.outputs.sha }} \
--set job_name=cilium-cli \
--set test_script_cm=cilium-cli-test-script
- name: Wait for test job
env:
timeout: 15m
run: |
# Background wait for job to complete or timeout
kubectl -n kube-system wait job/cilium-cli --for=condition=complete --timeout=${{ env.timeout }} &
complete_pid=$!
# Background wait for job to fail
(kubectl -n kube-system wait job/cilium-cli --for=condition=failed --timeout=${{ env.timeout }} && exit 1) &
failed_pid=$!
# Active wait for whichever background process ends first
wait -n $complete_pid $failed_pid
EXIT_CODE=$?
# Retrieve job logs
kubectl logs --timestamps -n kube-system job/cilium-cli
exit ${EXIT_CODE}
shell: bash {0} # Disable default fail-fast behaviour so that all commands run independently
# Run performance test
cilium connectivity perf --duration 1s
- name: Post-test information gathering
if: ${{ !success() }}
@@ -253,13 +226,6 @@ jobs:
gcloud compute ssh ${{ env.vmName }} --zone ${{ env.zone }} --command "sudo cilium status"
gcloud compute ssh ${{ env.vmName }} --zone ${{ env.zone }} --command "sudo docker logs cilium --timestamps"
echo "=== Install latest stable CLI ==="
curl -sSL --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}
cilium version
echo "=== Retrieve cluster state ==="
kubectl get pods --all-namespaces -o wide
kubectl get cew --all-namespaces -o wide
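Review bot: The new `Install Cilium` step pastes `${{ env.cilium_version }}`, `${{ env.clusterName }}`, `${{ env.vmName }}` and `${{ steps.cluster.outputs.cluster_cidr }}` straight into the shell script, so each value is expanded into the script text before bash parses it; `${{ env.vmName }}` on the `clustermesh vm create` line is not even quoted. Nothing in the hunk shows these values to be attacker-influenced, but where they are set is outside the hunk, and per the commit description this step now runs the CLI from the runner instead of through the in-cluster job chart. Values from the `env` context are already exported to the step, so they can be read as quoted shell variables, and the step output can be passed through an `env:` entry, as sketched below. The same interpolation pattern appears in the `gcloud compute scp`/`ssh` lines of this section.

```yaml
- name: Install Cilium
  timeout-minutes: 10
  env:
    CLUSTER_CIDR: ${{ steps.cluster.outputs.cluster_cidr }}
  run: |
    # … unchanged: cilium install and its other --set flags; only these arguments change …
      --version "$cilium_version" \
      --set cluster.name="$clusterName" \
      --set ipv4NativeRoutingCIDR="$CLUSTER_CIDR"
    # … unchanged: hubble enable, status --wait, clustermesh enable and status …
    cilium clustermesh vm create "$vmName" -n default --ipv4-alloc-cidr 10.192.1.0/30
```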
