Skip to content

policy: Do not store policy reference in Cilium socket option #2086

policy: Do not store policy reference in Cilium socket option

policy: Do not store policy reference in Cilium socket option #2086

name: Cilium Integration Tests
on:
push:
branches:
- main
pull_request_target:
types:
- opened
- reopened
- synchronize
branches:
- main
# By specifying the access of one of the scopes, all of those that are not specified are set to 'none'.
permissions:
# To be able to access the repository with actions/checkout
contents: read
# To allow writing PR comments and setting emojis
pull-requests: write
env:
KIND_VERSION: v0.18.0
CILIUM_REPO_OWNER: cilium
CILIUM_REPO_REF: main
CILIUM_CLI_REF: latest
jobs:
cilium-connectivity-tests:
timeout-minutes: 360
name: Cilium Connectivity Tests
if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
runs-on: ubuntu-latest
steps:
- name: Prepare variables for pushes to main
if: github.event_name == 'push'
run: |
echo "PROXY_IMAGE=quay.io/cilium/cilium-envoy" >> $GITHUB_ENV
echo "PROXY_TAG=${{ github.sha }}" >> $GITHUB_ENV
echo "PROXY_GITHUB_REPO=github.com/cilium/proxy" >> $GITHUB_ENV
- name: Prepare variables for PR
if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
run: |
echo "PROXY_IMAGE=quay.io/cilium/cilium-envoy-dev" >> $GITHUB_ENV
echo "PROXY_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
echo "PROXY_GITHUB_REPO=github.com/${{github.event.pull_request.head.repo.full_name}}" >> $GITHUB_ENV
- name: Checkout Cilium ${{ env.CILIUM_REPO_REF }}
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: ${{ env.CILIUM_REPO_OWNER }}/cilium # Be aware that this is the Cilium repository and not the one of the proxy itself!
ref: ${{ env.CILIUM_REPO_REF }}
persist-credentials: false
- name: Extracting Cilium version
run: |
echo "CILIUM_IMAGE_TAG=v$(cat ./VERSION)" >> $GITHUB_ENV
- name: Install Cilium CLI ${{ env.CILIUM_CLI_REF }}
run: |
versionPattern="^v[0-9]+\.[0-9]+\.[0-9]+$"
if [[ ${{ env.CILIUM_CLI_REF }} =~ $versionPattern ]]; then
curl -sSL --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${{ env.CILIUM_CLI_REF }}/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}
else
cid=$(docker create quay.io/cilium/cilium-cli-ci:${{ env.CILIUM_CLI_REF }} ls)
sudo docker cp $cid:/usr/local/bin/cilium /usr/local/bin
docker rm $cid
fi
cilium version
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
with:
version: ${{ env.KIND_VERSION }}
config: '.github/kind-config.yaml'
cluster_name: 'kind'
- name: Patch Cilium Agent Dockerfile
shell: bash
run: |
sed -i -E 's|(ARG CILIUM_ENVOY_IMAGE=)(quay\.io\/cilium\/cilium-envoy:)(.*)(@sha256:[0-9a-z]*)|\1${{ env.PROXY_IMAGE }}:${{ env.PROXY_TAG }}|' ./images/cilium/Dockerfile
cat ./images/cilium/Dockerfile
if git diff --exit-code ./images/cilium/Dockerfile; then
echo "Dockerfile not modified"
exit 1
fi
- name: Install Go
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
# renovate: datasource=golang-version depName=go
go-version: 1.23.3
- name: Redirect proxy module
shell: bash
if: env.PROXY_GITHUB_REPO != 'github.com/cilium/proxy'
run: echo "replace github.com/cilium/proxy => ${{ env.PROXY_GITHUB_REPO }} ${{ env.PROXY_TAG }}" >> go.mod
- name: Update proxy module
shell: bash
if: env.PROXY_GITHUB_REPO == 'github.com/cilium/proxy'
run: go get ${{ env.PROXY_GITHUB_REPO }}@${{ env.PROXY_TAG }}
- name: Vendor proxy module
shell: bash
run: |
go mod tidy && \
go mod verify && \
go mod vendor
- name: Wait for Cilium Proxy image to be available
timeout-minutes: 45
shell: bash
run: until docker manifest inspect ${{ env.PROXY_IMAGE }}:${{ env.PROXY_TAG }} &> /dev/null; do sleep 15s; done
- name: Build Cilium Agent & Operator with patched Cilium Proxy Image
shell: bash
run: DOCKER_IMAGE_TAG=${{ env.CILIUM_IMAGE_TAG }} make docker-cilium-image docker-operator-generic-image
- name: Load Cilium Images into kind
shell: bash
run: |
kind load docker-image \
--name kind \
quay.io/cilium/operator-generic:${{ env.CILIUM_IMAGE_TAG }} \
quay.io/cilium/cilium:${{ env.CILIUM_IMAGE_TAG }}
- name: Install Cilium
timeout-minutes: 10
shell: bash
run: |
cilium install \
--chart-directory install/kubernetes/cilium \
--helm-set bpf.monitorAggregation=none \
--helm-set loadBalancer.l7.backend=envoy \
--helm-set tls.secretsBackend=k8s \
--helm-set image.repository=quay.io/cilium/cilium \
--helm-set image.tag=${{ env.CILIUM_IMAGE_TAG }} \
--helm-set image.useDigest=false \
--helm-set image.pullPolicy=Never \
--helm-set operator.image.repository=quay.io/cilium/operator \
--helm-set operator.image.suffix= \
--helm-set operator.image.tag=${{ env.CILIUM_IMAGE_TAG }} \
--helm-set operator.image.useDigest=false \
--helm-set operator.image.pullPolicy=Never \
--helm-set debug.enabled=true \
--helm-set debug.verbose=envoy
cilium hubble enable
cilium status --wait
cilium hubble port-forward&
- name: Execute Cilium L7 Connectivity Tests
shell: bash
run: cilium connectivity test --test=l7
- name: Gather Cilium system dump
if: failure()
shell: bash
run: cilium sysdump --output-filename cilium-integration-test-sysdump
- name: Upload Cilium system dump
if: failure()
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: cilium-integration-test-sysdump
path: cilium-integration-test-sysdump.zip
retention-days: 5