Skip to content

Conformance IPsec E2E (ci-ipsec-e2e) #3026

Conformance IPsec E2E (ci-ipsec-e2e)

Conformance IPsec E2E (ci-ipsec-e2e) #3026

name: Conformance IPsec E2E (ci-ipsec-e2e)
# Any change in triggers needs to be reflected in the concurrency group.
on:
workflow_dispatch:
inputs:
PR-number:
description: "Pull request number."
required: true
context-ref:
description: "Context in which the workflow runs. If PR is from a fork, will be the PR target branch (general case). If PR is NOT from a fork, will be the PR branch itself (this allows committers to test changes to workflows directly from PRs)."
required: true
SHA:
description: "SHA under test (head of the PR branch)."
required: true
extra-args:
description: "[JSON object] Arbitrary arguments passed from the trigger comment via regex capture group. Parse with 'fromJson(inputs.extra-args).argName' in workflow."
required: false
default: '{}'
push:
branches:
- 'renovate/main-**'
# Run every 6 hours
schedule:
- cron: '0 5/6 * * *'
# By specifying the access of one of the scopes, all of those that are not
# specified are set to 'none'.
permissions:
# To read actions state with catchpoint/workflow-telemetry-action
actions: read
# To be able to access the repository with actions/checkout
contents: read
# To allow retrieving information from the PR API
pull-requests: read
# To be able to set commit status
statuses: write
concurrency:
# Structure:
# - Workflow name
# - Event type
# - A unique identifier depending on event type:
# - schedule: SHA
# - workflow_dispatch: PR number
#
# This structure ensures a unique concurrency group name is generated for each
# type of testing, such that re-runs will cancel the previous run.
group: |
${{ github.workflow }}
${{ github.event_name }}
${{
(github.event_name == 'push' && github.sha) ||
(github.event_name == 'schedule' && github.sha) ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.PR-number)
}}
cancel-in-progress: true
env:
cilium_cli_ci_version:
jobs:
echo-inputs:
if: ${{ github.event_name == 'workflow_dispatch' }}
name: Echo Workflow Dispatch Inputs
runs-on: ubuntu-22.04
steps:
- name: Echo Workflow Dispatch Inputs
run: |
echo '${{ tojson(inputs) }}'
commit-status-start:
name: Commit Status Start
runs-on: ubuntu-latest
steps:
- name: Set initial commit status
uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
with:
sha: ${{ inputs.SHA || github.sha }}
setup-and-test:
name: 'Setup & Test'
runs-on: ${{ vars.GH_RUNNER_EXTRA_POWER }}
env:
job_name: 'Setup & Test'
strategy:
fail-fast: false
max-parallel: 16
matrix:
include:
# See https://github.com/cilium/cilium/issues/20606 for configuration table
- name: '1'
# renovate: datasource=docker depName=quay.io/lvh-images/kind
kernel: 'rhel8-20240404.144247'
kube-proxy: 'iptables'
kpr: 'false'
tunnel: 'vxlan'
encryption: 'ipsec'
encryption-node: 'false'
key-one: 'gcm(aes)'
key-two: 'cbc(aes)'
key-type-one: '+'
key-type-two: '+'
- name: '2'
# renovate: datasource=docker depName=quay.io/lvh-images/kind
kernel: '5.4-20240710.064909'
kube-proxy: 'iptables'
kpr: 'false'
tunnel: 'disabled'
encryption: 'ipsec'
encryption-node: 'false'
key-one: 'cbc(aes)'
key-two: 'cbc(aes)'
key-type-one: '+'
key-type-two: ''
- name: '3'
# renovate: datasource=docker depName=quay.io/lvh-images/kind
kernel: '5.10-20240710.064909'
kube-proxy: 'iptables'
kpr: 'false'
tunnel: 'disabled'
encryption: 'ipsec'
encryption-node: 'false'
endpoint-routes: 'true'
key-one: 'gcm(aes)'
key-two: 'gcm(aes)'
key-type-one: ''
key-type-two: '+'
- name: '4'
# renovate: datasource=docker depName=quay.io/lvh-images/kind
kernel: 'bpf-next-20240711.013133'
kube-proxy: 'iptables'
kpr: 'false'
tunnel: 'geneve'
encryption: 'ipsec'
encryption-node: 'false'
endpoint-routes: 'true'
key-one: 'cbc(aes)'
key-two: 'gcm(aes)'
key-type-one: ''
key-type-two: ''
- name: '5'
# renovate: datasource=docker depName=quay.io/lvh-images/kind
kernel: '5.4-20240710.064909'
kube-proxy: 'none'
kpr: 'true'
tunnel: 'disabled'
encryption: 'ipsec'
encryption-node: 'false'
key-one: 'cbc(aes)'
key-two: 'cbc(aes)'
key-type-one: '+'
key-type-two: '+'
- name: '6'
# renovate: datasource=docker depName=quay.io/lvh-images/kind
kernel: '5.10-20240710.064909'
kube-proxy: 'none'
kpr: 'true'
tunnel: 'disabled'
encryption: 'ipsec'
encryption-node: 'false'
endpoint-routes: 'true'
key-one: 'gcm(aes)'
key-two: 'gcm(aes)'
key-type-one: '+'
key-type-two: '+'
- name: '7'
# renovate: datasource=docker depName=quay.io/lvh-images/kind
kernel: '5.15-20240710.064909'
kube-proxy: 'iptables'
kpr: 'false'
tunnel: 'vxlan'
encryption: 'ipsec'
encryption-node: 'false'
encryption-overlay: 'true'
key-one: 'gcm(aes)'
key-two: 'gcm(aes)'
key-type-one: '+'
key-type-two: '+'
- name: '8'
# renovate: datasource=docker depName=quay.io/lvh-images/kind
kernel: 'bpf-next-20240711.013133'
kube-proxy: 'none'
kpr: 'true'
tunnel: 'vxlan'
encryption: 'ipsec'
encryption-node: 'false'
key-one: 'gcm(aes)'
key-two: 'gcm(aes)'
key-type-one: '+'
key-type-two: '+'
timeout-minutes: 75
steps:
- name: Collect Workflow Telemetry
uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0
with:
comment_on_pr: false
- name: Checkout context ref (trusted)
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ inputs.context-ref || github.sha }}
persist-credentials: false
- name: Set Environment Variables
uses: ./.github/actions/set-env-variables
- name: Set up job variables
id: vars
run: |
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
SHA="${{ inputs.SHA }}"
else
SHA="${{ github.sha }}"
fi
echo sha=${SHA} >> $GITHUB_OUTPUT
- name: Derive Cilium installation config and junit type
id: cilium-config
uses: ./.github/actions/cilium-config
with:
image-tag: ${{ steps.vars.outputs.sha }}
chart-dir: './untrusted/install/kubernetes/cilium'
tunnel: ${{ matrix.tunnel }}
devices: ${{ matrix.devices }}
endpoint-routes: ${{ matrix.endpoint-routes }}
ipv6: ${{ matrix.ipv6 }}
kpr: ${{ matrix.kpr }}
lb-mode: ${{ matrix.lb-mode }}
lb-acceleration: ${{ matrix.lb-acceleration }}
encryption: ${{ matrix.encryption }}
encryption-node: ${{ matrix.encryption-node }}
encryption-overlay: ${{ matrix.encryption-overlay }}
egress-gateway: ${{ matrix.egress-gateway }}
host-fw: ${{ matrix.host-fw }}
ingress-controller: ${{ matrix.ingress-controller }}
misc: ${{ matrix.misc }}
- name: Set Kind params
id: kind-params
shell: bash
run: |
IP_FAM="dual"
if [ "${{ matrix.ipv6 }}" == "false" ]; then
IP_FAM="ipv4"
fi
echo params="--xdp --secondary-network \"\" 3 \"\" \"\" ${{ matrix.kube-proxy }} $IP_FAM" >> $GITHUB_OUTPUT
- name: Provision K8s on LVH VM
uses: ./.github/actions/lvh-kind
with:
test-name: e2e-conformance
kernel: ${{ matrix.kernel }}
kind-params: "${{ steps.kind-params.outputs.params }}"
kind-image: ${{ env.KIND_K8S_IMAGE }}
- name: Install Cilium CLI
uses: cilium/cilium-cli@e386af2b9f500e4c40436ac660cd6602da104fc7 # v0.16.14
with:
skip-build: ${{ env.CILIUM_CLI_SKIP_BUILD }}
image-repo: ${{ env.CILIUM_CLI_IMAGE_REPO }}
image-tag: ${{ env.CILIUM_CLI_VERSION }}
# Warning: since this is a privileged workflow, subsequent workflow job
# steps must take care not to execute untrusted code.
- name: Checkout pull request branch (NOT TRUSTED)
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ steps.vars.outputs.sha }}
persist-credentials: false
path: untrusted
sparse-checkout: |
install/kubernetes/cilium
- name: Wait for images to be available
timeout-minutes: 30
shell: bash
run: |
for image in cilium-ci operator-generic-ci hubble-relay-ci ; do
until docker manifest inspect quay.io/${{ env.QUAY_ORGANIZATION_DEV }}/$image:${{ steps.vars.outputs.sha }} &> /dev/null; do sleep 45s; done
done
- name: Install Cilium
shell: bash
run: |
kubectl patch node kind-worker3 --type=json -p='[{"op":"add","path":"/metadata/labels/cilium.io~1no-schedule","value":"true"}]'
if [[ "${{ matrix.key-one }}" == "gcm(aes)" ]]; then
key="rfc4106(gcm(aes)) $(dd if=/dev/urandom count=20 bs=1 2> /dev/null | xxd -p -c 64) 128"
elif [[ "${{ matrix.key-one }}" == "cbc(aes)" ]]; then
key="hmac(sha256) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64) cbc(aes) $(dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64)"
else
echo "Invalid key type"; exit 1
fi
kubectl create -n kube-system secret generic cilium-ipsec-keys \
--from-literal=keys="3${{ matrix.key-type-one }} ${key}"
cilium install ${{ steps.cilium-config.outputs.config }}
kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-server --timeout=300s
kubectl -n cilium-spire wait --for=condition=Ready pod -l app=spire-agent --timeout=300s
cilium status --wait
kubectl get pods --all-namespaces -o wide
kubectl -n kube-system exec daemonset/cilium -c cilium-agent -- cilium-dbg status
- name: Prepare the bpftrace parameters
id: bpftrace-params
run: |
CILIUM_INTERNAL_IPS=$(kubectl get ciliumnode -o jsonpath='{.items[*].spec.addresses[?(@.type=="CiliumInternalIP")].ip}')
if [[ "${{ matrix.ipv6 }}" == "false" ]]; then
CILIUM_INTERNAL_IPS="${CILIUM_INTERNAL_IPS// / ::1 } ::1"
fi
echo "params=$CILIUM_INTERNAL_IPS" >> $GITHUB_OUTPUT
- name: Start unencrypted packets check
uses: ./.github/actions/bpftrace/start
with:
script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt
args: ${{ steps.bpftrace-params.outputs.params }} "true"
- name: Run tests (${{ join(matrix.*, ', ') }})
shell: bash
run: |
mkdir -p cilium-junits
cilium connectivity test --include-unsafe-tests --collect-sysdump-on-failure \
--sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \
--sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-<ts>" \
--junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \
--junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \
--flush-ct
- name: Assert that no unencrypted packets are leaked
uses: ./.github/actions/bpftrace/check
- name: Start unencrypted packets check for key rotation
uses: ./.github/actions/bpftrace/start
with:
script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt
# As we are not testing with proxy connections during key rotation,
# disable the check for proxy traffic.
args: ${{ steps.bpftrace-params.outputs.params }} "false"
- name: Setup conn-disrupt-test before rotating (${{ join(matrix.*, ', ') }})
uses: ./.github/actions/conn-disrupt-test-setup
- name: Rotate IPsec Key (${{ join(matrix.*, ', ') }})
uses: ./.github/actions/ipsec-key-rotate
with:
key-algo: ${{ matrix.key-two }}
key-type-one: ${{ matrix.key-type-one }}
key-type-two: ${{ matrix.key-type-two }}
encryption-overlay: ${{ matrix.encryption-overlay }}
- name: Assert that no unencrypted packets are leaked during key rotation
uses: ./.github/actions/bpftrace/check
- name: Check conn-disrupt-test after rotating (${{ join(matrix.*, ', ') }})
uses: ./.github/actions/conn-disrupt-test-check
- name: Start unencrypted packets check for tests
uses: ./.github/actions/bpftrace/start
with:
script: ./.github/actions/bpftrace/scripts/check-ipsec-leaks.bt
args: ${{ steps.bpftrace-params.outputs.params }} "true"
- name: Run tests (${{ join(matrix.*, ', ') }})
shell: bash
run: |
mkdir -p cilium-junits
TEST=""
if [ "${{ matrix.key-one }}" = "gcm(aes)" ] && [ "${{ matrix.key-two }}" = "cbc(aes)" ]; then
# Until https://github.com/cilium/cilium/issues/29480 is resolved
TEST='--test "!pod-to-pod-no-frag"'
fi
cilium connectivity test --include-unsafe-tests --collect-sysdump-on-failure \
--sysdump-hubble-flows-count=1000000 --sysdump-hubble-flows-timeout=5m \
--sysdump-output-filename "cilium-sysdump-${{ matrix.name }}-<ts>" \
--junit-file "cilium-junits/${{ env.job_name }} (${{ join(matrix.*, ', ') }}).xml" \
--junit-property github_job_step="Run tests (${{ join(matrix.*, ', ') }})" \
--flush-ct $TEST
- name: Assert that no unencrypted packets are leaked during tests
uses: ./.github/actions/bpftrace/check
- name: Fetch artifacts
if: ${{ !success() }}
shell: bash
run: |
kubectl get pods --all-namespaces -o wide
cilium status
mkdir -p cilium-sysdumps
cilium sysdump --output-filename cilium-sysdump-${{ matrix.name }}-final
- name: Upload artifacts
if: ${{ !success() }}
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: cilium-sysdumps-${{ matrix.name }}
path: cilium-sysdump-*.zip
- name: Upload JUnits [junit]
if: ${{ always() }}
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: cilium-junits-${{ matrix.name }}
path: cilium-junits/*.xml
- name: Publish Test Results As GitHub Summary
if: ${{ always() }}
uses: aanm/junit2md@332ebf0fddd34e91b03a832cfafaa826306558f9 # v0.0.3
with:
junit-directory: "cilium-junits"
merge-upload:
if: ${{ always() }}
name: Merge and Upload Artifacts
runs-on: ubuntu-latest
needs: setup-and-test
steps:
- name: Merge Sysdumps
if: ${{ needs.setup-and-test.result == 'failure' }}
uses: actions/upload-artifact/merge@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: cilium-sysdumps
pattern: cilium-sysdumps-*
retention-days: 5
delete-merged: true
continue-on-error: true
- name: Merge JUnits
uses: actions/upload-artifact/merge@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: cilium-junits
pattern: cilium-junits-*
retention-days: 5
delete-merged: true
commit-status-final:
if: ${{ always() }}
name: Commit Status Final
needs: setup-and-test
runs-on: ubuntu-latest
steps:
- name: Set final commit status
uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
with:
sha: ${{ inputs.SHA || github.sha }}
status: ${{ needs.setup-and-test.result }}