github.com/cilium/cilium@v1.16.2/test/kubernetes-test.sh (about)

     1  #!/usr/bin/env bash
     2  
     3  # Comment for the '--set identityChangeGracePeriod="0s"'
     4  # We need to change the identity as quickly as possible as there
     5  # is a k8s upstream test that relies on the policy to be enforced
     6  # once a new label is added to a pod. If we delay the identity change
     7  # process the test will fail.
     8  
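     # Render the Cilium Helm chart, validating it against the associated
     # Kubernetes cluster (--validate), then apply the rendered manifest.
     #
     # Arguments:
     #   $1 - image registry prefix; "/cilium-ci" and "/operator" are appended
     #   $2 - image tag used for both the agent and the operator image
     #
     # The positional parameters are quoted so that a value containing whitespace
     # or glob characters cannot split into extra helm arguments.
     # This is a CI profile: debug logging and pprof are enabled, and images are
     # resolved by tag rather than digest (useDigest=false), so the content that
     # runs is whatever the tag points to at pull time.
     if ! helm template --validate install/kubernetes/cilium \
       --namespace=kube-system \
       --set image.tag="$2" \
       --set image.repository="$1/cilium-ci" \
       --set image.useDigest=false \
       --set operator.image.repository="$1/operator" \
       --set operator.image.tag="$2" \
       --set operator.image.suffix=-ci \
       --set operator.image.useDigest=false \
       --set debug.enabled=true \
       --set k8s.requireIPv4PodCIDR=true \
       --set pprof.enabled=true \
       --set logSystemLoad=true \
       --set bpf.preallocateMaps=true \
       --set etcd.leaseTTL=30s \
       --set ipv4.enabled=true \
       --set ipv6.enabled=true \
       --set identityChangeGracePeriod="0s" \
       --set cni.chainingMode=portmap \
       --set sessionAffinity=true \
       > cilium.yaml; then
       # A failed render leaves an empty or partial cilium.yaml; do not apply it
       # to kube-system.
       echo "helm template failed; not applying cilium.yaml" >&2
       exit 1
     fi

     kubectl apply -f cilium.yaml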
    34  
    # Seed value for the pod counter that pollCiliumPods compares and overwrites.
    runningPods=0
    36  
    # Block until kubectl shows exactly two Cilium pods in the Running state.
    # Globals:  runningPods (read, then overwritten on every iteration)
    # Outputs:  one "Running Pods N" progress line per poll, then a final notice
    # Note:     has no deadline of its own; it loops until the count is "2".
    pollCiliumPods () {
      while [[ "${runningPods}" != "2" ]]; do
        # Count the lines of the pod table (label k8s-app=cilium) that contain
        # the word "Running".
        runningPods=$(kubectl -n kube-system get pods -l k8s-app=cilium | grep -c "Running")
        echo "Running Pods ${runningPods}"
        sleep 1
      done
      echo "result match, continue with kubernetes"
    }
    45  
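    # Run the poll in a child bash under a hard deadline. The function is
    # exported because `bash -c` starts a new shell process.
    export -f pollCiliumPods
    # Fail early when the deadline is missing: with an empty expansion,
    # timeout(1) would take "bash" as the duration and fail without waiting.
    : "${POLL_TIMEOUT_SECONDS:?POLL_TIMEOUT_SECONDS must be set}"
    if ! timeout "${POLL_TIMEOUT_SECONDS}" bash -c pollCiliumPods; then
      # Do not go on to build and run the e2e suites against a cluster whose
      # Cilium pods never reached Running.
      echo "Cilium pods were not Running within ${POLL_TIMEOUT_SECONDS}s" >&2
      exit 1
    fi
    # -f makes explicit that the function, not a variable, is being removed.
    unset -f pollCiliumPods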
    49  
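    # From here on, abort on the first failing command.
    set -e

    echo "Installing kubetest manually"

    # Paths are quoted so a HOME containing whitespace cannot split the argument.
    mkdir -p "${HOME}/go/src/k8s.io"
    cd "${HOME}/go/src/k8s.io"
    # Start from a clean checkout if a previous run left one behind.
    if [ -d test-infra ]; then
      rm -rfv test-infra
    fi
    # Last commit before vendor directory was removed
    # why? see https://github.com/kubernetes/test-infra/issues/14165#issuecomment-528620301
    git clone https://github.com/kubernetes/test-infra.git
    cd test-infra
    # Pinning to a full commit hash also fixes exactly which source is built
    # and installed as kubetest.
    git reset --hard dbc2ac103595c2348322d1bac7e4743b96fca225
    GO111MODULE=off go install k8s.io/test-infra/kubetest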
    63  
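    echo "Installing kubernetes"
    # Check out the Kubernetes sources at the version the API server reports.
    KUBERNETES_VERSION=$(kubectl version -o json | jq -r '.serverVersion | .gitVersion')
    # The pipeline's status is jq's, so a kubectl failure is not caught by
    # `set -e`; jq prints "null" when the field is absent. Reject both cases
    # before the value is used as a git ref.
    case "${KUBERNETES_VERSION}" in
      ""|null)
        echo "could not determine the Kubernetes server version" >&2
        exit 1
        ;;
    esac

    mkdir -p "${HOME}/go/src/k8s.io/"
    cd "${HOME}/go/src/k8s.io/"
    if [ -d kubernetes ]; then
      rm -rfv kubernetes
    fi
    git clone https://github.com/kubernetes/kubernetes.git -b "${KUBERNETES_VERSION}" --depth 1
    cd kubernetes

    # renovate: datasource=golang-version depName=go
    GO_VERSION="1.22.4"
    go_tarball="go${GO_VERSION}.linux-amd64.tar.gz"
    # -f makes curl fail on an HTTP error instead of saving the error page.
    curl -fLO "https://dl.google.com/go/${go_tarball}"
    # The archive is unpacked as root into /usr/local, so verify it first when
    # the caller supplies the expected digest in GO_TARBALL_SHA256 (optional;
    # unset keeps the previous unverified behaviour, with a warning).
    if [ -n "${GO_TARBALL_SHA256:-}" ]; then
      printf '%s  %s\n' "${GO_TARBALL_SHA256}" "${go_tarball}" | sha256sum -c - || exit 1
    else
      echo "warning: GO_TARBALL_SHA256 not set; ${go_tarball} is not verified" >&2
    fi
    # Remove the old toolchain only after the new archive has been downloaded
    # (and verified when a digest was supplied).
    sudo rm -fr /usr/local/go
    sudo tar -C /usr/local -xzf "${go_tarball}"
    GO111MODULE=off make ginkgo
    GO111MODULE=off make WHAT='test/e2e/e2e.test'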
    80  
    # Cluster endpoint settings exported for child processes. KUBE_MASTER_URL is
    # what the kubetest runs below pass as --host; the IP and URL are derived
    # from KUBE_MASTER so the address is written only once.
    export KUBECTL_PATH=/usr/bin/kubectl
    export KUBE_MASTER=192.168.56.11
    export KUBE_MASTER_IP="${KUBE_MASTER}"
    export KUBE_MASTER_URL="https://${KUBE_MASTER_IP}:6443"
    85  
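    # Run three upstream e2e selections through kubetest against the local
    # cluster: HostPort conformance, Services conformance, then NetworkPolicy.
    # The script enables `set -e` earlier, so a failing run stops the script
    # before the later selections start.
    # The kubetest path is quoted so a HOME containing whitespace cannot split it.
    echo "Running upstream services conformance tests"
    # We currently skip the following tests:
    # - HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol
    #   - https://github.com/cilium/cilium/issues/21060
    "${HOME}/go/bin/kubetest" --provider=local --test \
      --test_args="--ginkgo.focus=HostPort.*\[Conformance\].* --ginkgo.skip=(HostPort.validates.that.there.is.no.conflict.between.pods.with.same.hostPort.but.different.hostIP.and.protocol) --e2e-verify-service-account=false --host ${KUBE_MASTER_URL}"
    "${HOME}/go/bin/kubetest" --provider=local --test \
      --test_args="--ginkgo.focus=Services.*\[Conformance\].* --e2e-verify-service-account=false --host ${KUBE_MASTER_URL}"

    # We currently skip the following tests:
    # - NetworkPolicy between server and client using SCTP
    #   - Service translation is not yet supported, and the tests rely on Services.
    #   - More info at https://github.com/cilium/cilium/issues/5719
    # - should allow egress access to server in CIDR block and
    # - should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed and
    # - should enforce except clause while egress access to server in CIDR block
    #   - TL;DR Cilium does not allow specifying pod CIDRs as part of the policy
    #     because it conflicts with the pod's security identity.
    #   - More info at https://github.com/cilium/cilium/issues/9209
    # These skips leave the listed policy behaviours unexercised by this job.
    echo "Running upstream NetworkPolicy tests"
    "${HOME}/go/bin/kubetest" --provider=local --test \
      --test_args="--ginkgo.focus=Net.*ol.* --e2e-verify-service-account=false --host ${KUBE_MASTER_URL} --ginkgo.skip=(should.allow.egress.access.to.server.in.CIDR.block)|(should.enforce.except.clause.while.egress.access.to.server.in.CIDR.block)|(should.ensure.an.IP.overlapping.both.IPBlock.CIDR.and.IPBlock.Except.is.allowed)|(Feature:SCTPConnectivity)"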