From 7131c57eca8856d9802f72f88f528ea0bd06af02 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Wed, 1 Jul 2026 09:41:30 +0200
Subject: [PATCH 1/7] refactor(cilium-conf): migrate from OLM to cilium install --dry-run
Replace deprecated isovalent/olm-for-cilium OLM manifest download with cilium CLI's install --dry-run to generate day-0 manifests. This aligns with the cucushift reference script's approach while preserving the day-0 nature of the step (manifests stored in SHARED_DIR for installer).
Changes:
- Download cilium CLI v0.19.2 and use it to render Helm chart manifests
- Add cniVersion override ConfigMap manifest (OCPBUGS-86033 workaround)
- Add SCC ClusterRoleBinding for cilium service accounts
- Update CILIUM_VERSION from 1.13.9 to 1.19.4
- Add CILIUM_CLI_VERSION env var (default 0.19.2) to ref.yaml
Co-Authored-By: Claude Opus 4.6
---
 .../cilium/conf/cilium-conf-commands.sh | 153 ++++++++++++------
 .../cilium/conf/cilium-conf-ref.yaml | 10 +-
 2 files changed, 112 insertions(+), 51 deletions(-)
diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
index 39020bfb67645..74e84f982d68c 100644
--- a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
+++ b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
@@ -5,8 +5,11 @@ set -o errexit
 set -o pipefail
 set -x
-cilium_olm_rev="main"
-cv="$CILIUM_VERSION"
+CILIUM_VERSION="${CILIUM_VERSION:-1.19.4}"
+CILIUM_CLI_VERSION="${CILIUM_CLI_VERSION:-0.19.2}"
+ENDPOINT_ROUTES="${ENDPOINT_ROUTES:-true}"
+HUBBLE="${HUBBLE:-true}"
+SHARED_DIR="${SHARED_DIR:-/tmp/shared_dir}"
 if [[ -f "${SHARED_DIR}/install-config.yaml" ]]; then
 sed -i "s/networkType: .*/networkType: Cilium/" "${SHARED_DIR}/install-config.yaml"
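Review bot: `SHARED_DIR="${SHARED_DIR:-/tmp/shared_dir}"` turns a missing CI-provided SHARED_DIR into a silent success: the manifests this step exists to produce land in `/tmp/shared_dir`, which nothing downstream reads, and the `if [[ -f "${SHARED_DIR}/install-config.yaml" ]]` guard right below then skips the networkType rewrite without a word. Because the step's only output is what it writes into SHARED_DIR, fail loudly instead, `: "${SHARED_DIR:?SHARED_DIR must be provided by the CI step environment}"`. The other four new defaults are genuine knobs and are fine to default.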
@@ -26,60 +29,49 @@ spec: - 172.30.0.0/16 EOF -# OLD -- Include all Cilium OLM manifest from https://github.com/cilium/cilium-olm/tree/${cilium_olm_rev}/manifests/cilium.v${cv} -# New -- Migrating to new OLM ( https://github.com/isovalent/olm-for-cilium ) +mkdir -p /tmp/bin +curl --fail --retry 3 -sS -L \ + "https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}/cilium-linux-amd64.tar.gz" \ + | tar -xzC /tmp/bin/ +chmod +x /tmp/bin/cilium +export PATH=/tmp/bin:$PATH -OLM_URL="https://github.com/isovalent/olm-for-cilium" - -curl --silent --location --fail --show-error "${OLM_URL}/archive/${cilium_olm_rev}.tar.gz" --output /tmp/cilium-olm.tgz -tar -C /tmp -xf /tmp/cilium-olm.tgz - -cd "/tmp/olm-for-cilium-${cilium_olm_rev}/manifests/cilium.v${cv}" -# Overwrite the CiliumConfig -cat > cluster-network-07-cilium-ciliumconfig.yaml << EOF -apiVersion: cilium.io/v1alpha1 -kind: CiliumConfig +cat > "${SHARED_DIR}/manifest_cilium-00-namespace.yaml" < "${SHARED_DIR}/manifest_cilium-00-cni-override-configmap.yaml" < "${SHARED_DIR}/manifest_cilium-network-policy-dns.yaml" < "${SHARED_DIR}/manifest_cilium-00-network-policy-dns.yaml" < "${SHARED_DIR}/manifest_cilium-00-scc-privileged.yaml" < "${WORKDIR}/cilium-install-all.yaml" + +# Split the multi-document YAML into individual manifest files +csplit -z -f "${WORKDIR}/cilium-part-" -b '%02d.yaml' "${WORKDIR}/cilium-install-all.yaml" '/^---$/' '{*}' +INDEX=1 +for f in "${WORKDIR}"/cilium-part-*.yaml; do + sed -i '/^---$/d' "$f" + [[ ! -s "$f" ]] && rm -f "$f" && continue + PADDED=$(printf "%02d" "$INDEX") + KIND=$(grep '^kind:' "$f" | head -1 | awk '{print $2}' | tr '[:upper:]' '[:lower:]') + NAME=$(grep '^ name:' "$f" | head -1 | awk '{print $2}' | tr -d '"') + mv "$f" "${SHARED_DIR}/manifest_cilium-${PADDED}-${KIND}-${NAME}.yaml" + INDEX=$((INDEX + 1)) +done 
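Review bot: The CLI bootstrap `curl --fail --retry 3 -sS -L ... | tar -xzC /tmp/bin/` extracts and then executes a binary whose integrity is never checked, and everything that binary renders via `cilium install --dry-run` becomes the cluster's day-0 CNI manifests in SHARED_DIR. The cilium-cli release publishes a `cilium-linux-amd64.tar.gz.sha256sum` next to the tarball; fetching both and running `sha256sum --check` before extraction catches a truncated or swapped download, and pinning the expected digest in this repository rather than fetching it from the same origin would additionally cover a compromised or redirected origin. Streaming `curl` straight into `tar` also leaves a partially written `/tmp/bin/cilium` behind on a mid-stream failure, which `--fail` does not undo; downloading to a file first avoids that.
```shell
mkdir -p /tmp/bin
CLI_BASE_URL="https://github.com/cilium/cilium-cli/releases/download/v${CILIUM_CLI_VERSION}"
curl --fail --retry 3 -sS -L -o /tmp/bin/cilium-linux-amd64.tar.gz \
  "${CLI_BASE_URL}/cilium-linux-amd64.tar.gz"
curl --fail --retry 3 -sS -L -o /tmp/bin/cilium-linux-amd64.tar.gz.sha256sum \
  "${CLI_BASE_URL}/cilium-linux-amd64.tar.gz.sha256sum"
# Abort before anything is extracted if the digest does not match the published one.
(cd /tmp/bin && sha256sum --check cilium-linux-amd64.tar.gz.sha256sum)
tar -xzf /tmp/bin/cilium-linux-amd64.tar.gz -C /tmp/bin/
chmod +x /tmp/bin/cilium
export PATH=/tmp/bin:$PATH
# … unchanged: namespace / ConfigMap / NetworkPolicy / SCC manifests, cilium install --dry-run, csplit loop …
```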
diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml b/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
index 27fbff2ddb506..e8f9c9ed4a007 100644
--- a/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
+++ b/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
@@ -8,9 +8,13 @@ ref:
 memory: 100Mi
 env:
 - name: CILIUM_VERSION
- default: "1.13.9"
+ default: "1.19.4"
 documentation: |-
- This var will default to 1.13.9, however users can override to a different Cilium version, ensure the manifests exists in the repo.
+ Cilium version to install.
+ - name: CILIUM_CLI_VERSION
+ default: "0.19.2"
+ documentation: |-
+ Cilium CLI version used to generate installation manifests.
 - name: HUBBLE
 default: "true"
 documentation: |-
@@ -20,4 +24,4 @@ ref:
 documentation: |-
 This var will default to true, however users can override to disable endpoint routes.
 documentation: |-
- This steps installs Cilium OLM manifests (https://github.com/cilium/cilium-olm)
\ No newline at end of file
+ This step generates Cilium CNI manifests using cilium install --dry-run for day-0 cluster installation.
From 7c5fab6bc5c9a910e5c45724baf9c0a712b836cc Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Tue, 1 Apr 2025 14:55:52 +0200
Subject: [PATCH 2/7] CNTRLPLANE-249: Configure Cilium for management cluster
---
 ...ift-kubevirt-baremetalds-conformance-cilium-workflow.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
index 533bf3edf31ea..8e2e8643953eb 100644
--- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
+++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
@@ -12,11 +12,13 @@ workflow:
 post:
 - chain: hypershift-dump
 - chain: gather-core-dump
+ - chain: cilium-dump
 - chain: hypershift-kubevirt-destroy
 - chain: baremetalds-ofcir-post
 test:
 - chain: hypershift-conformance
 pre:
+ - ref: cilium-conf
 - chain: baremetalds-ofcir-pre
 - ref: enable-qe-catalogsource
 - ref: deploy-konflux-operator
@@ -62,7 +64,7 @@ workflow:
 evicted pods\|\[ovn-kubernetes-ote\]
 DEVSCRIPTS_CONFIG: |
 IP_STACK=v4
- NETWORK_TYPE=OVNKubernetes
+ NETWORK_TYPE=Cilium
 NUM_WORKERS=0
 NUM_MASTERS=3
 MASTER_VCPU=16
@@ -70,3 +72,4 @@ workflow:
 VM_EXTRADISKS=true
 VM_EXTRADISKS_LIST="vda vdb"
 VM_EXTRADISKS_SIZE=250G
+ ENABLE_LOCAL_REGISTRY=
From 79f1bd4acfa119d7dc99f0e96fb123d3a83c9939 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Fri, 3 Jul 2026 07:31:57 +0200
Subject: [PATCH 3/7] fix(cilium): skip flaky NetworkPolicy tests in Cilium CI workflows
Add "deny ingress access to updated pod" test to the skip list in both kubevirt-baremetalds-conformance-cilium and mce-agent-metal3-conformance-cilium workflows. The test is flaky where Cilium reacts more slowly than OVN Kubernetes and this test is sensitive for timing. Some other tests for Network policies were skipped in the past as well, so adding one more to this category is probably not a big deal (low priority). See https://redhat.atlassian.net/browse/OCPQE-28785 for the details why the original ones were disabled.
Co-Authored-By: Claude Opus 4.6
---
 ...ift-kubevirt-baremetalds-conformance-cilium-workflow.yaml | 5 +++--
 ...ershift-mce-agent-metal3-conformance-cilium-workflow.yaml | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
index 8e2e8643953eb..384d8b6e6f7da 100644
--- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
+++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
@@ -48,8 +48,9 @@ workflow:
 should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed\| Services should serve endpoints on same port and different protocols\| Netpol NetworkPolicy between server and client should enforce
- except clause while egress access to server in CIDR block\| Unidling
- \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+ except clause while egress access to server in CIDR block\|
+ Netpol NetworkPolicy between server and client should deny ingress access to updated pod\|
+ Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
 should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with
diff --git a/ci-operator/step-registry/hypershift/mce/agent/metal3/conformance/cilium/hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/mce/agent/metal3/conformance/cilium/hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml
index 9e443bbd3a821..a57fb164671ba 100644
--- a/ci-operator/step-registry/hypershift/mce/agent/metal3/conformance/cilium/hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml
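Review bot: Adding `Netpol NetworkPolicy between server and client should deny ingress access to updated pod\|` to the skip regex (here and in the matching hunk of hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml) drops what, judging by its name, is the conformance check that policy is re-evaluated when a pod's labels change, which is an enforcement property rather than a cosmetic one. The justification lives only in the commit message, so record it in the file with a tracking reference the way the earlier skips are tied to OCPQE-28785, and make it a YAML comment on the env key rather than inside the `|` block, since a `#` line inside the literal would become part of the regex itself. A follow-up to re-enable the test once Cilium's policy-propagation latency is understood would keep the skip from becoming permanent.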
+++ b/ci-operator/step-registry/hypershift/mce/agent/metal3/conformance/cilium/hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml
@@ -31,8 +31,9 @@ workflow:
 should ensure an IP overlapping both IPBlock.CIDR and IPBlock.Except is allowed\| Services should serve endpoints on same port and different protocols\| Netpol NetworkPolicy between server and client should enforce
- except clause while egress access to server in CIDR block\| Unidling
- \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+ except clause while egress access to server in CIDR block\|
+ Netpol NetworkPolicy between server and client should deny ingress access to updated pod\|
+ Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
 should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\] should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\] should work with
From 7f3c977aff8f911e0d77e8ff0152987debbc4d55 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Fri, 3 Jul 2026 09:36:41 +0200
Subject: [PATCH 4/7] feat(cilium): add configurable repository and test with Cilium 1.20 dev build
Add CILIUM_REPOSITORY env var to allow overriding the Helm chart source, enabling testing with development builds from cilium-charts-dev. Update the kubevirt-baremetalds-conformance-cilium workflow to use Cilium 1.20.0-dev for validating KubeVirt fixes ahead of the stable release.
Co-Authored-By: Claude Opus 4.6
---
 .../step-registry/cilium/conf/cilium-conf-commands.sh | 6 +++++-
 ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml | 6 +++++-
 ...ft-kubevirt-baremetalds-conformance-cilium-workflow.yaml | 2 ++
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
index 74e84f982d68c..78b50d4597072 100644
--- a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
+++ b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
@@ -6,6 +6,7 @@ set -o pipefail
 set -x
 CILIUM_VERSION="${CILIUM_VERSION:-1.19.4}"
+CILIUM_REPOSITORY="${CILIUM_REPOSITORY:-oci://quay.io/cilium/charts/cilium}"
 CILIUM_CLI_VERSION="${CILIUM_CLI_VERSION:-0.19.2}"
 ENDPOINT_ROUTES="${ENDPOINT_ROUTES:-true}"
 HUBBLE="${HUBBLE:-true}"
@@ -110,10 +111,13 @@ EOF
 WORKDIR=$(mktemp -d)
+# Note: In order to test with a development version, use:
+# --repository oci://quay.io/cilium-charts-dev/cilium --version
+# where is a tag from https://quay.io/repository/cilium-charts-dev/cilium
 cilium install \
 --dry-run \
 --namespace cilium \
- --repository oci://quay.io/cilium/charts/cilium \
+ --repository "${CILIUM_REPOSITORY}" \
 --version "${CILIUM_VERSION}" \
 --set debug.enabled=true \
 --set k8s.requireIPv4PodCIDR=true \
diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml b/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
index e8f9c9ed4a007..56e91b19dc4c0 100644
--- a/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
+++ b/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
@@ -8,9 +8,13 @@ ref:
 memory: 100Mi
 env:
 - name: CILIUM_VERSION
- default: "1.19.4"
+ default: "1.20.0-dev-dev.505-e54a19029f1d"
 documentation: |-
 Cilium version to install.
+ - name: CILIUM_REPOSITORY
+ default: "oci://quay.io/cilium/charts/cilium"
+ documentation: |-
+ Cilium repository to install from.
 - name: CILIUM_CLI_VERSION
 default: "0.19.2"
 documentation: |-
diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
index 384d8b6e6f7da..9cecdc96a998b 100644
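Review bot: The three `# Note:` lines added above `cilium install` in the `@@ -110,10 +111,13 @@` hunk tell the reader to edit the `--repository`/`--version` flags, but the same hunk makes both flags env-driven (`--repository "${CILIUM_REPOSITORY}"`, `--version "${CILIUM_VERSION}"`), so the instructions are stale the moment they land; the placeholder after `--version` also appears to be missing in this rendering (`--version` is followed directly by `where is a tag`), so confirm it survives in the file. Reword the comment to point at the variables, e.g. `# To test a development build, set CILIUM_REPOSITORY=oci://quay.io/cilium-charts-dev/cilium and CILIUM_VERSION to a tag listed at https://quay.io/repository/cilium-charts-dev/cilium instead of editing the flags below.` The `cilium install` command continues past the end of the hunk.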
--- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
+++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
@@ -33,6 +33,8 @@ workflow:
 - ref: cucushift-hypershift-extended-cilium-network-policies
 - ref: cucushift-hypershift-extended-cilium-health-check
 env:
+ CILIUM_VERSION: "1.20.0-dev-dev.505-e54a19029f1d"
+ CILIUM_REPOSITORY: "oci://quay.io/cilium-charts-dev/cilium"
 HYPERSHIFT_NETWORK_TYPE: "Other" # Required for Cilium.
 KONFLUX_DEPLOY_OPERATORS: "false"
 KONFLUX_TARGET_OPERATORS: metallb,local-storage
From b30f760324adc7c371034feba675810787fc6387 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Fri, 3 Jul 2026 09:38:05 +0200
Subject: [PATCH 5/7] TMP: Wait
---
 ...ershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
index 9cecdc96a998b..d2fbd458a11bc 100644
--- a/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
+++ b/ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
@@ -10,6 +10,7 @@ workflow:
 Track HyperShift's development here: https://issues.redhat.com/projects/HOSTEDCP
 steps:
 post:
+ - ref: wait
 - chain: hypershift-dump
 - chain: gather-core-dump
 - chain: cilium-dump
From faceda6a3f2a435dd1dcac44e652971c9ac058fd Mon Sep 17 00:00:00 2001
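Review bot: `- ref: wait` is inserted at the head of the `post` chain by a commit titled `TMP: Wait`, so it is a debugging hold rather than part of the feature and should be dropped before this series merges. Presumably the step blocks for a fixed period; placed first in `post` it also delays `hypershift-dump`, `gather-core-dump` and `cilium-dump`, so a failed run sits idle before any artifacts are collected. If an interactive hold is genuinely needed, gate it behind a workflow env var rather than an unconditional step.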
From: Martin Gencur
Date: Fri, 3 Jul 2026 14:40:43 +0200
Subject: [PATCH 6/7] fix(cilium): use stable 1.19.4 default and make repository configurable in cucushift step
Dev version 1.20.0-dev not found in quay.io/cilium/charts. Revert to 1.19.4 and add CILIUM_REPOSITORY env var to cucushift cilium ref.
Co-Authored-By: Claude Opus 4.6
---
 ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml | 2 +-
 .../cilium/cucushift-hypershift-extended-cilium-commands.sh | 3 ++-
 .../cilium/cucushift-hypershift-extended-cilium-ref.yaml | 4 ++++
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml b/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
index 56e91b19dc4c0..7d5d8db471e3a 100644
--- a/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
+++ b/ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
@@ -8,7 +8,7 @@ ref:
 memory: 100Mi
 env:
 - name: CILIUM_VERSION
- default: "1.20.0-dev-dev.505-e54a19029f1d"
+ default: "1.19.4"
 documentation: |-
 Cilium version to install.
 - name: CILIUM_REPOSITORY
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
index 46ae5c757c83c..f452f6725613c 100644
--- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
@@ -4,6 +4,7 @@ set -euo pipefail
 CILIUM_VERSION=${CILIUM_VERSION:-"1.19.4"}
 CILIUM_CLI_VERSION=${CILIUM_CLI_VERSION:-"0.19.2"}
+CILIUM_REPOSITORY=${CILIUM_REPOSITORY:-"oci://quay.io/cilium/charts/cilium"}
 function set_proxy () {
 if test -s "${SHARED_DIR}/proxy-conf.sh" ; then
@@ -76,7 +77,7 @@ EOF
 # where is a tag from https://quay.io/repository/cilium-charts-dev/cilium
 cilium install \
 --namespace cilium \
- --repository oci://quay.io/cilium/charts/cilium \
+ --repository "${CILIUM_REPOSITORY}" \
 --version "${CILIUM_VERSION}" \
 --set debug.enabled=true \
 --set k8s.requireIPv4PodCIDR=true \
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml
index 83ade5faeb62b..49e025393c401 100644
--- a/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml
@@ -10,6 +10,10 @@ ref:
 env:
 - name: CILIUM_VERSION
 default: "1.19.4"
+ - name: CILIUM_REPOSITORY
+ default: "oci://quay.io/cilium/charts/cilium"
+ documentation: |-
+ The Cilium repository to install from.
 - name: CILIUM_CLI_VERSION
 default: "0.19.2"
 documentation: |-
From 7d70ad20b734d3ae96953a2cd1a8ee9892e025c6 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Fri, 3 Jul 2026 16:26:18 +0200
Subject: [PATCH 7/7] Use different tunnelPort on mgmt cluster
Must be different from the port on hosted cluster in case of KubeVirt
---
 ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
index 78b50d4597072..db067003ee194 100644
--- a/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
+++ b/ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
@@ -133,7 +133,7 @@ cilium install \
 --set sessionAffinity=true \
 --set endpointRoutes.enabled="${ENDPOINT_ROUTES}" \
 --set hubble.enabled="${HUBBLE}" \
- --set tunnelPort=4789 \
+ --set tunnelPort=4790 \
 --set clusterHealthPort=9940 \
 --set socketLB.enabled=true \
 --set cni.readCniConf=/etc/cilium-cni/cilium-override.conf \
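Review bot: `--set tunnelPort=4790` replaces the VXLAN default with a magic number and the reason, that the management cluster's tunnel must not collide with the KubeVirt hosted cluster's Cilium, lives only in the commit message. Put it next to the flag, e.g. `# 4790 rather than the VXLAN default 4789: on KubeVirt the hosted cluster's Cilium runs on the same nodes (presumably on the default port) and the two tunnels must not share a UDP port.` Anything that filters node-to-node traffic on the management cluster, such as a host firewall or the dev-scripts network setup, must now admit UDP 4790 between nodes as well, so confirm that path is covered. The `cilium install \` command begins and ends outside the hunk.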