From 930df78d8a90960751cdffb5b3904af963806afd Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Thu, 12 Dec 2024 14:18:04 +0100
Subject: [PATCH 1/2] CI: Use deployment instead of Pod for agnhost
This is a followup to 2ba28a338 (Revert "Wait for available API token in a new namespace (#7045)", 2024-10-25). While checking for the serviceaccount token is not effective, there is still a race when creating a Pod directly, because the ServiceAccount itself might not be created yet. More details at https://github.com/kubernetes/kubernetes/issues/66689. This cause very frequent flakes in our CI with spurious failures. Use a Deployment instead ; it will takes cares of creating the Pods and retrying ; it also let us use kubectl rollout status instead of manually checking for the pods.
---
tests/testcases/030_check-network.yml | 72 ++++++++++++---------------
1 file changed, 33 insertions(+), 39 deletions(-)
diff --git a/tests/testcases/030_check-network.yml b/tests/testcases/030_check-network.yml
index aa4595898fa..b5942b116eb 100644
--- a/tests/testcases/030_check-network.yml
+++ b/tests/testcases/030_check-network.yml
@@ -79,53 +79,47 @@ command: cmd: "{{ bin_dir }}/kubectl apply -f -" stdin: | - apiVersion: v1 - kind: Pod + apiVersion: apps/v1 + kind: Deployment metadata: - name: {{ item }} - namespace: test + name: agnhost spec: - containers: - - name: agnhost - image: {{ test_image_repo }}:{{ test_image_tag }} - command: ['/agnhost', 'netexec', '--http-port=8080'] - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ['ALL'] - runAsUser: 1000 - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + replicas: 2 + selector: + matchLabels: + app: agnhost + template: + metadata: + labels: + app: agnhost + spec: + containers: + - name: agnhost + image: {{ test_image_repo }}:{{ test_image_tag }} + command: ['/agnhost', 'netexec', '--http-port=8080'] + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ['ALL'] + runAsUser: 1000 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault changed_when: false - loop: - - agnhost1 - - agnhost2 - import_role: # noqa name[missing] name: cluster-dump - name: Check that all pods are running and ready - command: "{{ bin_dir }}/kubectl get pods --namespace test --no-headers -o yaml" - changed_when: false - register: run_pods_log - until: - # Check that all pods are running - - '(run_pods_log.stdout | from_yaml)["items"] | map(attribute = "status.phase") | unique | list == ["Running"]' - # Check that all pods are ready - - '(run_pods_log.stdout | from_yaml)["items"] | map(attribute = "status.containerStatuses") | map("map", attribute = "ready") | map("min") | min' - retries: 18 - delay: 10 - failed_when: false - - - name: Get pod names - command: "{{ bin_dir }}/kubectl get pods -n test -o json" - changed_when: false - register: pods - - - debug: # noqa name[missing] - msg: "{{ pods.stdout.split('\n') }}" - failed_when: not run_pods_log is success + block: + - name: Check Deployment is ready + command: "{{ bin_dir }}/kubectl rollout status deploy --namespace test agnhost --timeout=180" + 
changed_when: false + rescue: + - name: Get pod names + command: "{{ bin_dir }}/kubectl get pods -n test -o json" + changed_when: false + register: pods - name: Get hostnet pods command: "{{ bin_dir }}/kubectl get pods -n test -o From 12ed1fcf933fa09a4802debf9983693cfedce490 Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Thu, 12 Dec 2024 15:33:54 +0100 Subject: [PATCH 2/2] CI-tests: remove hostnets stuff from 030_check-network There is no pods with hostNetwork deployed in this test, and therefore the tasks are skipped / empty output (checked in CI). --- tests/testcases/030_check-network.yml | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/tests/testcases/030_check-network.yml b/tests/testcases/030_check-network.yml index b5942b116eb..8c5b8ec4f80 100644 --- a/tests/testcases/030_check-network.yml +++ b/tests/testcases/030_check-network.yml @@ -121,13 +121,6 @@ changed_when: false register: pods - - name: Get hostnet pods - command: "{{ bin_dir }}/kubectl get pods -n test -o - jsonpath='{range .items[?(.spec.hostNetwork)]}{.metadata.name} {.status.podIP} {.status.containerStatuses} {end}'" - changed_when: false - register: hostnet_pods - ignore_errors: true # noqa ignore-errors - - name: Get running pods command: "{{ bin_dir }}/kubectl get pods -n test -o jsonpath='{range .items[?(.status.phase==\"Running\")]}{.metadata.name} {.status.podIP} {.status.containerStatuses} {end}'" @@ -147,9 +140,6 @@ kube_pods_subnet: 10.233.64.0/18 pod_names: "{{ (pods.stdout | from_json)['items'] | map(attribute='metadata.name') | list }}" pod_ips: "{{ (pods.stdout | from_json)['items'] | selectattr('status.podIP', 'defined') | map(attribute='status.podIP') | list }}" - pods_hostnet: | - {% set list = hostnet_pods.stdout.split(" ") %} - {{ list }} pods_running: | {% set list = running_pods.stdout.split(" ") %} {{ list }} 
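Review bot: In the `[PATCH 1/2]` hunk the Deployment manifest no longer carries `namespace: test`, while the unchanged `kubectl apply -f -` passes no namespace flag and the new `kubectl rollout status deploy --namespace test agnhost` looks in `test`. The workload would therefore land in the kubeconfig's default namespace and the readiness check would not find it; keep `namespace: test` under `metadata` (or add `--namespace test` to the apply). `Get pod names` now sits under `rescue:`, so `pods` is registered only when the rollout check fails, and a rescue that succeeds clears the failure. The `pods.stdout` lookups visible in the second patch's context lines would then be undefined on the success path, so that task belongs in `block:` after the rollout check, with `rescue:` ending in an explicit `fail`. Separately, `--timeout=180` has no unit and kubectl documents this flag as a duration, so `--timeout=180s` is probably what was meant.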
@@ -158,24 +148,11 @@ assert: that: item | ansible.utils.ipaddr(kube_pods_subnet) when: - - not item in pods_hostnet - item in pods_running with_items: "{{ pod_ips }}" - name: Curl between pods is working command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- curl {{ item[1] }}:8080" - when: - - not item[0] in pods_hostnet - - not item[1] in pods_hostnet - with_nested: - - "{{ pod_names }}" - - "{{ pod_ips }}" - - - name: Curl between hostnet pods is working - command: "{{ bin_dir }}/kubectl -n test exec {{ item[0] }} -- curl {{ item[1] }}:8080" - when: - - item[0] in pods_hostnet - - item[1] in pods_hostnet with_nested: - "{{ pod_names }}" - "{{ pod_ips }}"