policy: Do not store policy reference in Cilium socket option #2086
Workflow file for this run
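# Integration test workflow: builds Cilium against the proxy revision under
# test, installs it into a kind cluster and runs the L7 connectivity tests.
#
# NOTE(review): the PR trigger is pull_request_target, so the job runs with the
# base repository's token and the permissions declared below, while later
# steps fetch and build code taken from the PR head (go.mod replace, proxy
# image tag). Keep the permissions minimal and do not expose secrets to this
# job.
name: Cilium Integration Tests
on:
  push:
    branches:
      - main
  pull_request_target:
    types:
      - opened
      - reopened
      - synchronize
    branches:
      - main

# By specifying the access of one of the scopes, all of those that are not specified are set to 'none'.
permissions:
  # To be able to access the repository with actions/checkout
  contents: read
  # To allow writing PR comments and setting emojis
  pull-requests: write

env:
  KIND_VERSION: v0.18.0
  CILIUM_REPO_OWNER: cilium
  # Moving refs: each run builds whatever cilium/cilium `main` and the
  # cilium-cli `latest` CI image contain at that moment, so results are not
  # reproducible across runs and the inputs are not pinned by digest.
  CILIUM_REPO_REF: main
  CILIUM_CLI_REF: latest

jobs:
  cilium-connectivity-tests:
    timeout-minutes: 360
    name: Cilium Connectivity Tests
    # Only PR events satisfy this condition. On a push to main the job is
    # skipped, so the "pushes to main" step below is not reached as written.
    if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    steps:
      - name: Prepare variables for pushes to main
        if: github.event_name == 'push'
        run: |
          echo "PROXY_IMAGE=quay.io/cilium/cilium-envoy" >> "$GITHUB_ENV"
          echo "PROXY_TAG=${{ github.sha }}" >> "$GITHUB_ENV"
          echo "PROXY_GITHUB_REPO=github.com/cilium/proxy" >> "$GITHUB_ENV"

      - name: Prepare variables for PR
        if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
        # PR-controlled event fields are handed to the script through env
        # instead of being expanded into the script text, so the shell treats
        # their content as data.
        env:
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          echo "PROXY_IMAGE=quay.io/cilium/cilium-envoy-dev" >> "$GITHUB_ENV"
          echo "PROXY_TAG=${PR_HEAD_SHA}" >> "$GITHUB_ENV"
          echo "PROXY_GITHUB_REPO=github.com/${PR_HEAD_REPO}" >> "$GITHUB_ENV"

      - name: Checkout Cilium ${{ env.CILIUM_REPO_REF }}
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Be aware that this is the Cilium repository and not the one of the proxy itself!
          repository: ${{ env.CILIUM_REPO_OWNER }}/cilium
          ref: ${{ env.CILIUM_REPO_REF }}
          # Do not leave the job token in the checked-out repository's git config.
          persist-credentials: false

      - name: Extracting Cilium version
        run: |
          echo "CILIUM_IMAGE_TAG=v$(cat ./VERSION)" >> "$GITHUB_ENV"

      - name: Install Cilium CLI ${{ env.CILIUM_CLI_REF }}
        run: |
          versionPattern="^v[0-9]+\.[0-9]+\.[0-9]+$"
          if [[ ${{ env.CILIUM_CLI_REF }} =~ $versionPattern ]]; then
            # Release build. The checksum file comes from the same release
            # location as the tarball, so this detects a damaged download
            # rather than proving where the binary came from.
            curl -sSL --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${{ env.CILIUM_CLI_REF }}/cilium-linux-amd64.tar.gz{,.sha256sum}
            sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
            sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
            rm cilium-linux-amd64.tar.gz{,.sha256sum}
          else
            # Any non-release ref (including the default `latest`) copies the
            # binary out of a CI image referenced by a mutable tag; nothing
            # here verifies the image content.
            cid=$(docker create quay.io/cilium/cilium-cli-ci:${{ env.CILIUM_CLI_REF }} ls)
            sudo docker cp $cid:/usr/local/bin/cilium /usr/local/bin
            docker rm $cid
          fi
          cilium version

      - name: Create kind cluster
        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
        with:
          version: ${{ env.KIND_VERSION }}
          config: '.github/kind-config.yaml'
          cluster_name: 'kind'

      - name: Patch Cilium Agent Dockerfile
        shell: bash
        # Replaces the digest-pinned cilium-envoy image reference with the
        # proxy image under test (tag only, no digest). PROXY_IMAGE and
        # PROXY_TAG are read from the environment written to GITHUB_ENV above.
        run: |
          sed -i -E 's|(ARG CILIUM_ENVOY_IMAGE=)(quay\.io\/cilium\/cilium-envoy:)(.*)(@sha256:[0-9a-z]*)|\1'"${PROXY_IMAGE}:${PROXY_TAG}"'|' ./images/cilium/Dockerfile
          cat ./images/cilium/Dockerfile
          # Fail the job when the substitution matched nothing.
          if git diff --exit-code ./images/cilium/Dockerfile; then
            echo "Dockerfile not modified"
            exit 1
          fi

      - name: Install Go
        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
        with:
          # renovate: datasource=golang-version depName=go
          go-version: 1.23.3

      # For PRs from a fork, point the proxy module at the fork's repository
      # and head commit. Both values originate from the PR event, so they are
      # used as shell variables rather than expanded into the command text.
      - name: Redirect proxy module
        shell: bash
        if: env.PROXY_GITHUB_REPO != 'github.com/cilium/proxy'
        run: echo "replace github.com/cilium/proxy => ${PROXY_GITHUB_REPO} ${PROXY_TAG}" >> go.mod

      - name: Update proxy module
        shell: bash
        if: env.PROXY_GITHUB_REPO == 'github.com/cilium/proxy'
        run: go get "${PROXY_GITHUB_REPO}@${PROXY_TAG}"

      - name: Vendor proxy module
        shell: bash
        run: |
          go mod tidy && \
          go mod verify && \
          go mod vendor

      - name: Wait for Cilium Proxy image to be available
        timeout-minutes: 45
        shell: bash
        run: until docker manifest inspect "${PROXY_IMAGE}:${PROXY_TAG}" &> /dev/null; do sleep 15s; done

      # From here on the runner compiles and runs code that includes the
      # vendored proxy module and the proxy image selected above.
      - name: Build Cilium Agent & Operator with patched Cilium Proxy Image
        shell: bash
        run: DOCKER_IMAGE_TAG=${{ env.CILIUM_IMAGE_TAG }} make docker-cilium-image docker-operator-generic-image

      - name: Load Cilium Images into kind
        shell: bash
        run: |
          kind load docker-image \
            --name kind \
            quay.io/cilium/operator-generic:${{ env.CILIUM_IMAGE_TAG }} \
            quay.io/cilium/cilium:${{ env.CILIUM_IMAGE_TAG }}

      - name: Install Cilium
        timeout-minutes: 10
        shell: bash
        # pullPolicy=Never with useDigest=false makes the cluster use the
        # images loaded into kind in the previous step instead of pulling.
        run: |
          cilium install \
            --chart-directory install/kubernetes/cilium \
            --helm-set bpf.monitorAggregation=none \
            --helm-set loadBalancer.l7.backend=envoy \
            --helm-set tls.secretsBackend=k8s \
            --helm-set image.repository=quay.io/cilium/cilium \
            --helm-set image.tag=${{ env.CILIUM_IMAGE_TAG }} \
            --helm-set image.useDigest=false \
            --helm-set image.pullPolicy=Never \
            --helm-set operator.image.repository=quay.io/cilium/operator \
            --helm-set operator.image.suffix= \
            --helm-set operator.image.tag=${{ env.CILIUM_IMAGE_TAG }} \
            --helm-set operator.image.useDigest=false \
            --helm-set operator.image.pullPolicy=Never \
            --helm-set debug.enabled=true \
            --helm-set debug.verbose=envoy

          cilium hubble enable
          cilium status --wait
          cilium hubble port-forward&

      - name: Execute Cilium L7 Connectivity Tests
        shell: bash
        run: cilium connectivity test --test=l7

      # Diagnostics are collected and uploaded only when an earlier step failed.
      - name: Gather Cilium system dump
        if: failure()
        shell: bash
        run: cilium sysdump --output-filename cilium-integration-test-sysdump

      - name: Upload Cilium system dump
        if: failure()
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: cilium-integration-test-sysdump
          path: cilium-integration-test-sysdump.zip
          retention-days: 5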