diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh index 39020bfb67645..db067003ee194 100644 --- a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh +++ b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh @@ -5,8 +5,12 @@ set -o errexit set -o pipefail set -x -cilium_olm_rev="main" -cv="$CILIUM_VERSION" +CILIUM_VERSION="${CILIUM_VERSION:-1.19.4}" +CILIUM_REPOSITORY="${CILIUM_REPOSITORY:-oci://quay.io/cilium/charts/cilium}" +CILIUM_CLI_VERSION="${CILIUM_CLI_VERSION:-0.19.2}" +ENDPOINT_ROUTES="${ENDPOINT_ROUTES:-true}" +HUBBLE="${HUBBLE:-true}" +SHARED_DIR="${SHARED_DIR:-/tmp/shared_dir}" if [[ -f "${SHARED_DIR}/install-config.yaml" ]]; then sed -i "s/networkType: .*/networkType: Cilium/" "${SHARED_DIR}/install-config.yaml" 
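Review bot: The `SHARED_DIR="${SHARED_DIR:-/tmp/shared_dir}"` default makes the script fail open: if the variable is ever missing in the CI pod, the `install-config.yaml` test that follows is simply false and the manifests are written to a fixed /tmp path that, as far as this hunk shows, nothing consumes. Since the step's output is what the installer applies at day 0, I would rather fail fast with `: "${SHARED_DIR:?SHARED_DIR must be set by ci-operator}"`, or at least add a comment that the fallback exists only for local runs. The other defaults duplicate the values declared in cilium-conf-ref.yaml, so a comment naming the ref as the source of truth would keep the two from drifting. The `if` block continues outside the hunk.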
@@ -26,60 +30,49 @@ spec: - 172.30.0.0/16 EOF -# OLD -- Include all Cilium OLM manifest from https://github.com/cilium/cilium-olm/tree/${cilium_olm_rev}/manifests/cilium.v${cv} -# New -- Migrating to new OLM ( https://github.com/isovalent/olm-for-cilium ) +mkdir -p /tmp/bin +curl --fail --retry 3 -sS -L \ + "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz" \ + | tar -xzC /tmp/bin/ +chmod +x /tmp/bin/cilium +export PATH=/tmp/bin:$PATH -OLM_URL="https://github.com/isovalent/olm-for-cilium" - -curl --silent --location --fail --show-error "${OLM_URL}/archive/${cilium_olm_rev}.tar.gz" --output /tmp/cilium-olm.tgz -tar -C /tmp -xf /tmp/cilium-olm.tgz - -cd "/tmp/olm-for-cilium-${cilium_olm_rev}/manifests/cilium.v${cv}" -# Overwrite the CiliumConfig -cat > cluster-network-07-cilium-ciliumconfig.yaml << EOF -apiVersion: cilium.io/v1alpha1 -kind: CiliumConfig +cat > "${SHARED_DIR}/manifest_cilium-00-namespace.yaml" < "${SHARED_DIR}/manifest_cilium-00-cni-override-configmap.yaml" < "${SHARED_DIR}/manifest_cilium-network-policy-dns.yaml" < "${SHARED_DIR}/manifest_cilium-00-network-policy-dns.yaml" < "${SHARED_DIR}/manifest_cilium-00-scc-privileged.yaml" < +# where is a tag from https://quay.io/repository/cilium-charts-dev/cilium +cilium install \ + --dry-run \ + --namespace cilium \ + --repository "${CILIUM_REPOSITORY}" \ + --version "${CILIUM_VERSION}" \ + --set debug.enabled=true \ + --set k8s.requireIPv4PodCIDR=true \ + --set logSystemLoad=true \ + --set ipv6.enabled=false \ + --set identityChangeGracePeriod=0s \ + --set ipam.mode=cluster-pool \ + --set "ipam.operator.clusterPoolIPv4PodCIDRList={10.128.0.0/14}" \ + --set ipam.operator.clusterPoolIPv4MaskSize=23 \ + --set ipv4NativeRoutingCIDR=10.128.0.0/14 \ + --set cni.binPath=/var/lib/cni/bin \ + --set cni.confPath=/var/run/multus/cni/net.d \ + --set sessionAffinity=true \ + --set endpointRoutes.enabled="${ENDPOINT_ROUTES}" \ + --set hubble.enabled="${HUBBLE}" \ + 
--set tunnelPort=4790 \ + --set clusterHealthPort=9940 \ + --set socketLB.enabled=true \ + --set cni.readCniConf=/etc/cilium-cni/cilium-override.conf \ + --set extraVolumes[0].name=cni-override \ + --set extraVolumes[0].configMap.name=cilium-cni-override \ + --set extraVolumeMounts[0].name=cni-override \ + --set extraVolumeMounts[0].mountPath=/etc/cilium-cni \ + > "${WORKDIR}/cilium-install-all.yaml" + +# Split the multi-document YAML into individual manifest files +csplit -z -f "${WORKDIR}/cilium-part-" -b '%02d.yaml' "${WORKDIR}/cilium-install-all.yaml" '/^---$/' '{*}' +INDEX=1 +for f in "${WORKDIR}"/cilium-part-*.yaml; do + sed -i '/^---$/d' "$f" + [[ ! -s "$f" ]] && rm -f "$f" && continue + PADDED=$(printf "%02d" "$INDEX") + KIND=$(grep '^kind:' "$f" | head -1 | awk '{print $2}' | tr '[:upper:]' '[:lower:]') + NAME=$(grep '^ name:' "$f" | head -1 | awk '{print $2}' | tr -d '"') + mv "$f" "${SHARED_DIR}/manifest_cilium-${PADDED}-${KIND}-${NAME}.yaml" + INDEX=$((INDEX + 1)) +done diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml b/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml index 27fbff2ddb506..7d5d8db471e3a 100644 --- a/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml +++ b/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml @@ -8,9 +8,17 @@ ref: memory: 100Mi env: - name: CILIUM_VERSION - default: "1.13.9" + default: "1.19.4" documentation: |- - This var will default to 1.13.9, however users can override to a different Cilium version, ensure the manifests exists in the repo. + Cilium version to install. + - name: CILIUM_REPOSITORY + default: "oci://quay.io/cilium/charts/cilium" + documentation: |- + Cilium repository to install from. + - name: CILIUM_CLI_VERSION + default: "0.19.2" + documentation: |- + Cilium CLI version used to generate installation manifests. - name: HUBBLE default: "true" documentation: |- 
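Review bot: The cilium CLI tarball is streamed from GitHub straight into `tar` and the result is put first on `PATH`, with no integrity check between download and execution; `--fail --retry 3` only covers transport errors. That binary then renders the install manifests that are moved into `${SHARED_DIR}`, so a corrupted or substituted archive ends up shaping the day-0 cluster. The cilium-cli releases publish a `.sha256sum` file next to each tarball; download both to a temporary directory, verify, and extract only the `cilium` member, as sketched below. A checksum fetched from the same release only catches corruption or a swapped asset, so for stronger tamper resistance pin the expected digest in the step's env next to `CILIUM_CLI_VERSION`. The heredoc bodies in this hunk are truncated on the page, so this note covers only the download lines.

```shell
mkdir -p /tmp/bin
cli_url="https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}"
cli_tmp="$(mktemp -d)"
(
  cd "${cli_tmp}"
  curl --fail --retry 3 -sS -L --remote-name-all \
    "${cli_url}/cilium-linux-amd64.tar.gz" \
    "${cli_url}/cilium-linux-amd64.tar.gz.sha256sum"
  # Refuse to continue unless the archive matches the published digest.
  sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
)
tar -xzf "${cli_tmp}/cilium-linux-amd64.tar.gz" -C /tmp/bin/ cilium
# … unchanged: chmod +x /tmp/bin/cilium and PATH export …
```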
@@ -20,4 +28,4 @@ ref: documentation: |- This var will default to true, however users can override to disable endpoint routes. documentation: |- - This steps installs Cilium OLM manifests (https://github.com/cilium/cilium-olm) \ No newline at end of file + This step generates Cilium CNI manifests using cilium install --dry-run for day-0 cluster installation. diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh index 46ae5c757c83c..f452f6725613c 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh @@ -4,6 +4,7 @@ set -euo pipefail CILIUM_VERSION=${CILIUM_VERSION:-"1.19.4"} CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"0.19.2"} +CILIUM_REPOSITORY=${CILIUM_REPOSITORY:-"oci://quay.io/cilium/charts/cilium"} function set_proxy () { if test -s "${SHARED_DIR}/proxy-conf.sh" ; then @@ -76,7 +77,7 @@ EOF # where is a tag from https://quay.io/repository/cilium-charts-dev/cilium cilium install \ --namespace cilium \ - --repository oci://quay.io/cilium/charts/cilium \ + --repository "${CILIUM_REPOSITORY}" \ --version "${CILIUM_VERSION}" \ --set debug.enabled=true \ --set k8s.requireIPv4PodCIDR=true \ diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml index 83ade5faeb62b..49e025393c401 100644 --- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml +++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml 
@@ -10,6 +10,10 @@ ref: env: - name: CILIUM_VERSION default: "1.19.4" + - name: CILIUM_REPOSITORY + default: "oci://quay.io/cilium/charts/cilium" + documentation: |- + The Cilium repository to install from. - name: CILIUM_CLI_VERSION default: "0.19.2" documentation: |- diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml index 533bf3edf31ea..d2fbd458a11bc 100644 --- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml +++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml @@ -10,13 +10,16 @@ workflow: Track HyperShift's development here: https://issues.redhat.com/projects/HOSTEDCP steps: post: + - ref: wait - chain: hypershift-dump - chain: gather-core-dump + - chain: cilium-dump - chain: hypershift-kubevirt-destroy - chain: baremetalds-ofcir-post test: - chain: hypershift-conformance pre: + - ref: cilium-conf - chain: baremetalds-ofcir-pre - ref: enable-qe-catalogsource - ref: deploy-konflux-operator @@ -31,6 +34,8 @@ workflow: - ref: cucushift-hypershift-extended-cilium-network-policies - ref: cucushift-hypershift-extended-cilium-health-check env: + CILIUM_VERSION: "1.20.0-dev-dev.505-e54a19029f1d" + CILIUM_REPOSITORY: "oci://quay.io/cilium-charts-dev/cilium" HYPERSHIFT_NETWORK_TYPE: "Other" # Required for Cilium. KONFLUX_DEPLOY_OPERATORS: "false" KONFLUX_TARGET_OPERATORS: metallb,local-storage 
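Review bot: `- ref: wait` as the first `post` step looks like a debugging aid left in the workflow. If it is the registry's generic wait step, every run would keep the bare-metal lease and the live cluster credentials around for the whole wait before `hypershift-dump` and the destroy chains get to run. If it is intentional, add a comment saying why and set its timeout explicitly in `env`; otherwise drop it before merge. The `steps` block continues outside the hunk.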
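Review bot: `CILIUM_VERSION: "1.20.0-dev-dev.505-e54a19029f1d"` together with `CILIUM_REPOSITORY: "oci://quay.io/cilium-charts-dev/cilium"` points a conformance workflow at a pre-release chart from the dev repository, identified by tag only. A tag can be re-pushed or pruned, so results stop being reproducible and the job trusts whatever that repository serves at run time; `CILIUM_CLI_VERSION` is also left at the release default, which may or may not match a 1.20 dev chart. Please add a comment such as `# temporary: dev chart needed for <reason>; revert to a released version once available`, and consider whether the chart can be referenced by digest.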
@@ -46,8 +51,9 @@ workflow: should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed\| Services should serve endpoints on same port and different protocols\| Netpol NetworkPolicy between server and client should enforce - except clause while egress access to server in CIDR block\| Unidling - \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + except clause while egress access to server in CIDR block\| + Netpol NetworkPolicy between server and client should deny ingress access to updated pod\| + Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with @@ -62,7 +68,7 @@ workflow: evicted pods\|\[ovn-kubernetes-ote\] DEVSCRIPTS_CONFIG: | IP_STACK=v4 - NETWORK_TYPE=OVNKubernetes + NETWORK_TYPE=Cilium NUM_WORKERS=0 NUM_MASTERS=3 MASTER_VCPU=16 @@ -70,3 +76,4 @@ workflow: VM_EXTRADISKS=true VM_EXTRADISKS_LIST="vda vdb" VM_EXTRADISKS_SIZE=250G + ENABLE_LOCAL_REGISTRY= diff --git a/ci-operator/step-registry/hypershift/mce/agent/metal3/conformance/cilium/hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/mce/agent/metal3/conformance/cilium/hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml index 9e443bbd3a821..a57fb164671ba 100644 --- a/ci-operator/step-registry/hypershift/mce/agent/metal3/conformance/cilium/hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml +++ b/ci-operator/step-registry/hypershift/mce/agent/metal3/conformance/cilium/hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml 
@@ -31,8 +31,9 @@ workflow: should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed\| Services should serve endpoints on same port and different protocols\| Netpol NetworkPolicy between server and client should enforce - except clause while egress access to server in CIDR block\| Unidling - \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] + except clause while egress access to server in CIDR block\| + Netpol NetworkPolicy between server and client should deny ingress access to updated pod\| + Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with