From ce1f5fecd0e3db5c3fa4df3e4d853df17fa9da2b Mon Sep 17 00:00:00 2001
From: Tobias Klauser <tobias@cilium.io>
Date: Tue, 17 May 2022 14:16:25 +0200
Subject: [PATCH 1/2] ci: make external workload only use global DNS server in
 test

Follow https://github.com/cilium/cilium/pull/19483

Only use the first configured DNS server (the global one) in the
test. Also add nslookup debug and retry options in case they are needed
for further debugging and troubleshooting.

This fixes external workload CI test on master that failed like this:

Server:		169.254.169.254
Address:	169.254.169.254#53

** server can't find clustermesh-apiserver.kube-system.svc.cluster.local: NXDOMAIN

Here an incorrect nameserver is being used by nslookup. This
169.254.169.254 is configured (now) in GKE as a nameserver for some
local names. Don't know why nslookup sometimes chooses it if no server
address is given as a parameter.

Co-authored-by: Jarno Rajahalme <jarno@isovalent.com>
Signed-off-by: Tobias Klauser <tobias@cilium.io>
---
 .github/workflows/externalworkloads.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/externalworkloads.yaml b/.github/workflows/externalworkloads.yaml
index 9a29955dde..e47014ac8a 100644
--- a/.github/workflows/externalworkloads.yaml
+++ b/.github/workflows/externalworkloads.yaml
@@ -177,7 +177,7 @@ jobs:
       - name: Verify cluster DNS on VM
         run: |
           gcloud compute ssh ${{ env.vmName }} --zone ${{ env.zone }} \
-            --command "nslookup -norecurse clustermesh-apiserver.kube-system.svc.cluster.local"
+            --command "nslookup -d2 -retry=10 -timeout=5 -norecurse clustermesh-apiserver.kube-system.svc.cluster.local \$(systemd-resolve --status | grep -m 1 \"Current DNS Server:\" | cut -d':' -f2)"
 
       - name: Ping clustermesh-apiserver from VM
         run: |

From b0d1572d0c2a7bab8b852c4e8046a53450e588c2 Mon Sep 17 00:00:00 2001
From: Tobias Klauser <tobias@cilium.io>
Date: Tue, 17 May 2022 14:32:22 +0200
Subject: [PATCH 2/2] ci: run `cilium service list get` with `sudo` in external
 workloads ping test

Anoter follow-up for commit f3cf001b13ab ("clustermesh: Run `cilium`
with sudo in VM install script").

Signed-off-by: Tobias Klauser <tobias@cilium.io>
---
 .github/workflows/externalworkloads.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/externalworkloads.yaml b/.github/workflows/externalworkloads.yaml
index e47014ac8a..eaf3eca915 100644
--- a/.github/workflows/externalworkloads.yaml
+++ b/.github/workflows/externalworkloads.yaml
@@ -182,7 +182,7 @@ jobs:
       - name: Ping clustermesh-apiserver from VM
         run: |
           gcloud compute ssh ${{ env.vmName }} --zone ${{ env.zone }} \
-            --command "ping -c 3 \$(cilium service list get -o jsonpath='{[?(@.spec.flags.name==\"clustermesh-apiserver\")].spec.backend-addresses[0].ip}')"
+            --command "ping -c 3 \$(sudo cilium service list get -o jsonpath='{[?(@.spec.flags.name==\"clustermesh-apiserver\")].spec.backend-addresses[0].ip}')"
 
       - name: Load cilium test script in configmap
         run: |