Enable Helm mode matrix for multicluster tests

Enables a matrix for "classic" and "helm" mode for multicluster tests using GKE. The recently added parameter for "cilium_cli_mode" in the cilium-cli-test-job-chart is used. Signed-off-by: Andrew Sauber <[email protected]>
cilium · Apr 27, 2023 · 41d8616 · 41d8616
1 parent 8d21901
commit 41d8616
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 6 deletions.
diff --git a/.github/in-cluster-test-scripts/multicluster.sh b/.github/in-cluster-test-scripts/multicluster.sh
@@ -19,6 +19,13 @@ cilium install \
   --helm-set bpf.monitorAggregation=none \
   --helm-set ipv4NativeRoutingCIDR=10.0.0.0/9
 
+# Copy the CA cert from cluster1 to cluster2
+kubectl --context ${CONTEXT1} get secrets -n kube-system cilium-ca -oyaml \
+  | kubectl --context ${CONTEXT2} apply -f -
+
+# This seeds all CAs in cluster2 due to logic in the helm chart found here, e.g. for Hubble
+# https://github.com/cilium/cilium/blob/8b6aa6eda91927275ae722ac020deeb5a9ce479d/install/kubernetes/cilium/templates/hubble/tls-helm/_helpers.tpl#L24-L33
+
 # Install Cilium in cluster2
 cilium install \
   --version "${CILIUM_VERSION}" \
@@ -28,8 +35,7 @@ cilium install \
   --cluster-name "${CLUSTER_NAME_2}" \
   --helm-set cluster.id=2 \
   --helm-set bpf.monitorAggregation=none \
-  --helm-set ipv4NativeRoutingCIDR=10.0.0.0/9 \
-  --inherit-ca "${CONTEXT1}"
+  --helm-set ipv4NativeRoutingCIDR=10.0.0.0/9
 
 # Enable Relay
 cilium --context "${CONTEXT1}" hubble enable
@@ -44,6 +50,20 @@ cilium --context "${CONTEXT2}" status --wait
 cilium --context "${CONTEXT1}" clustermesh enable
 cilium --context "${CONTEXT2}" clustermesh enable
 
+# Copy the clustermesh secrets
+# TODO(ajs): Patch the connect command to expect the Helm secret name
+echo "CILIUM_CLI_MODE: $CILIUM_CLI_MODE"
+if [ "$CILIUM_CLI_MODE" == "helm" ]; then
+  kubectl get secrets --context ${CONTEXT1} \
+    -n kube-system clustermesh-apiserver-remote-cert -oyaml \
+    | sed 's/name: .*/name: clustermesh-apiserver-client-cert/' \
+    | kubectl apply --context ${CONTEXT1} -f -
+  kubectl get secrets --context ${CONTEXT2} \
+    -n kube-system clustermesh-apiserver-remote-cert -oyaml \
+    | sed 's/name: .*/name: clustermesh-apiserver-client-cert/' \
+    | kubectl apply --context ${CONTEXT2} -f -
+fi
+
 # Wait for cluster mesh status to be ready
 cilium --context "${CONTEXT1}" clustermesh status --wait
 cilium --context "${CONTEXT2}" clustermesh status --wait

diff --git a/.github/workflows/multicluster.yaml b/.github/workflows/multicluster.yaml
@@ -26,11 +26,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  clusterName1: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-mesh-1
-  clusterName2: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-mesh-2
-  clusterNameBase: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-mesh
   zone: us-west2-a
-  firewallRuleName: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-rule
   cilium_version: v1.13.2
   kubectl_version: v1.23.6
   USE_GKE_GCLOUD_AUTH_PLUGIN: True
@@ -40,10 +36,22 @@ jobs:
     if: ${{ github.repository == 'cilium/cilium-cli' }}
     runs-on: ubuntu-22.04
     timeout-minutes: 45
+    strategy:
+      fail-fast: false
+      matrix:
+        mode: ["classic", "helm"]
     steps:
       - name: Checkout
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 
+      # Note: These names currently approach the limit of 40 characters
+      - name: Set mode-specific names
+        run: |
+          echo "clusterNameBase=${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ matrix.mode }}" >> $GITHUB_ENV
+          echo "clusterName1=${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ matrix.mode }}-1" >> $GITHUB_ENV
+          echo "clusterName2=${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ matrix.mode }}-2" >> $GITHUB_ENV
+          echo "firewallRuleName=${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}-${{ matrix.mode}}" >> $GITHUB_ENV
+
       - name: Install kubectl
         run: |
           curl -sLO "https://dl.k8s.io/release/${{ env.kubectl_version }}/bin/linux/amd64/kubectl"
@@ -168,6 +176,7 @@ jobs:
             --set test_script_cm=cilium-cli-test-script \
             --set cluster_name_1=${{ env.clusterName1 }} \
             --set cluster_name_2=${{ env.clusterName2 }} \
+            --set cilium_cli_mode=${{ matrix.mode }}
 
       - name: Wait for test job
         env: