chore: enable kubespan+firewall for cilium tests

Enable kubespan and default block firewall with cilium tests. Signed-off-by: Noel Georgi <git@frezbo.dev>
siderolabs · Dec 12, 2023 · 0c86ca1 · 0c86ca1
1 parent 98fd722
commit 0c86ca1
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 3 deletions.
diff --git a/.drone.jsonnet b/.drone.jsonnet
@@ -477,6 +477,7 @@ local integration_cilium = Step('e2e-cilium', target='e2e-qemu', privileged=true
   SHORT_INTEGRATION_TEST: 'yes',
   WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: 'yes',
   WITH_CUSTOM_CNI: 'cilium',
+  WITH_FIREWALL: 'accept',
   QEMU_WORKERS: '2',
   WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}]',
   IMAGE_REGISTRY: local_registry,
@@ -485,6 +486,18 @@ local integration_cilium_strict = Step('e2e-cilium-strict', target='e2e-qemu', p
   SHORT_INTEGRATION_TEST: 'yes',
   WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: 'yes',
   WITH_CUSTOM_CNI: 'cilium',
+  WITH_FIREWALL: 'accept',
+  QEMU_WORKERS: '2',
+  CILIUM_INSTALL_TYPE: 'strict',
+  WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]',
+  IMAGE_REGISTRY: local_registry,
+});
+local integration_cilium_strict_kubespan = Step('e2e-cilium-strict-kubespan', target='e2e-qemu', privileged=true, depends_on=[integration_cilium_strict], environment={
+  SHORT_INTEGRATION_TEST: 'yes',
+  WITH_SKIP_BOOT_PHASE_FINISHED_CHECK: 'yes',
+  WITH_CUSTOM_CNI: 'cilium',
+  WITH_FIREWALL: 'accept',
+  WITH_KUBESPAN: 'true',
   QEMU_WORKERS: '2',
   CILIUM_INSTALL_TYPE: 'strict',
   WITH_CONFIG_PATCH: '[{"op": "add", "path": "/cluster/network", "value": {"cni": {"name": "none"}}}, {"op": "add", "path": "/cluster/proxy", "value": {"disabled": true}}]',
@@ -532,6 +545,7 @@ local integration_no_cluster_discovery = Step('e2e-no-cluster-discovery', target
 local integration_kubespan = Step('e2e-kubespan', target='e2e-qemu', privileged=true, depends_on=[integration_no_cluster_discovery], environment={
   SHORT_INTEGRATION_TEST: 'yes',
   WITH_CLUSTER_DISCOVERY: 'true',
+  WITH_KUBESPAN: 'true',
   IMAGE_REGISTRY: local_registry,
   WITH_CONFIG_PATCH: '[{"op": "replace", "path": "/cluster/discovery/registries/kubernetes/disabled", "value": false}]',  // use Kubernetes discovery backend
 });
@@ -621,7 +635,7 @@ local integration_pipelines = [
     integration_default_hostname,
   ]) + integration_trigger(['integration-misc']),
   Pipeline('integration-extensions', default_pipeline_steps + integration_extensions) + integration_trigger(['integration-extensions']),
-  Pipeline('integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict]) + integration_trigger(['integration-cilium']),
+  Pipeline('integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict, integration_cilium_strict_kubespan]) + integration_trigger(['integration-cilium']),
   Pipeline('integration-qemu-encrypted-vip', default_pipeline_steps + [integration_qemu_encrypted_vip]) + integration_trigger(['integration-qemu-encrypted-vip']),
   Pipeline('integration-qemu-race', default_pipeline_steps + [build_race, integration_qemu_race]) + integration_trigger(['integration-qemu-race']),
   Pipeline('integration-qemu-csi', default_pipeline_steps + [integration_qemu_csi]) + integration_trigger(['integration-qemu-csi']),
@@ -646,7 +660,7 @@ local integration_pipelines = [
     integration_default_hostname,
   ], [default_cron_pipeline]) + cron_trigger(['thrice-daily', 'nightly']),
   Pipeline('cron-integration-extensions', default_pipeline_steps + integration_extensions, [default_cron_pipeline]) + cron_trigger(['nightly']),
-  Pipeline('cron-integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict], [default_cron_pipeline]) + cron_trigger(['nightly']),
+  Pipeline('cron-integration-cilium', default_pipeline_steps + [integration_cilium, integration_cilium_strict, integration_cilium_strict_kubespan], [default_cron_pipeline]) + cron_trigger(['nightly']),
   Pipeline('cron-integration-qemu-encrypted-vip', default_pipeline_steps + [integration_qemu_encrypted_vip], [default_cron_pipeline]) + cron_trigger(['thrice-daily', 'nightly']),
   Pipeline('cron-integration-qemu-race', default_pipeline_steps + [build_race, integration_qemu_race], [default_cron_pipeline]) + cron_trigger(['nightly']),
   Pipeline('cron-integration-qemu-csi', default_pipeline_steps + [integration_qemu_csi], [default_cron_pipeline]) + cron_trigger(['nightly']),

diff --git a/hack/test/e2e.sh b/hack/test/e2e.sh
@@ -242,11 +242,23 @@ function run_csi_tests {
 function install_and_run_cilium_cni_tests {
   get_kubeconfig
 
+  case "${WITH_KUBESPAN:-false}" in
+    true)
+      CILIUM_NODE_ENCRYPTION=no
+      CILIUM_TEST_EXTRA_ARGS=("--test="!node-to-node-encryption"")
+      ;;
+    *)
+      CILIUM_NODE_ENCRYPTION=yes
+      CILIUM_TEST_EXTRA_ARGS=()
+      ;;
+  esac
+
   case "${CILIUM_INSTALL_TYPE:-none}" in
     strict)
       ${CILIUM_CLI} install \
         --set=ipam.mode=kubernetes \
         --set=kubeProxyReplacement=true \
+        --set=encryption.nodeEncryption=${CILIUM_NODE_ENCRYPTION} \
         --set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
         --set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
         --set=cgroup.autoMount.enabled=false \
@@ -260,6 +272,7 @@ function install_and_run_cilium_cni_tests {
       ${CILIUM_CLI} install \
         --set=ipam.mode=kubernetes \
         --set=kubeProxyReplacement=false \
+        --set=encryption.nodeEncryption=${CILIUM_NODE_ENCRYPTION} \
         --set=securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
         --set=securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
         --set=cgroup.autoMount.enabled=false \
@@ -275,5 +288,5 @@ function install_and_run_cilium_cni_tests {
   ${KUBECTL} label ns cilium-test pod-security.kubernetes.io/enforce=privileged
 
   # --external-target added, as default 'one.one.one.one' is buggy, and CloudFlare status is of course "all healthy"
-  ${CILIUM_CLI} connectivity test --test-namespace cilium-test --external-target google.com; ${KUBECTL} delete ns cilium-test
+  ${CILIUM_CLI} connectivity test --test-namespace cilium-test --external-target google.com "${CILIUM_TEST_EXTRA_ARGS[@]}"; ${KUBECTL} delete ns cilium-test
 }