CI: Use fake external target in LVH-based workflows #40640
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
gentoo-root
commented
Jul 22, 2025
|
/test |
dylandreimerink
approved these changes
Jul 23, 2025
qmonnet
approved these changes
Jul 23, 2025
gentoo-root
commented
Jul 23, 2025
pchaigno
requested changes
Jul 25, 2025
There was a problem hiding this comment.
I probably have less background on the recent work for external targets than other reviewers and, maybe because of that, I'm currently unable to review the main changes here.
I think this pull request and its commits need more context, to help me review and future debuggers understand. I've left comments to try and state what is unclear to me, but in general I'd expect the Why to be stated for each commit and, if the changes don't trivially relate to the commit's title/description, additional explanation for what's non-obvious (cf. Quentin's comment for an example).
152914a to
6312e43
Compare
9f0b54b to
7dfe134
Compare
|
/test |
7dfe134 to
1576a7b
Compare
|
/test |
pchaigno
approved these changes
Aug 13, 2025
.github/actions/kind-external-network/action.sh passes KIND_EXPERIMENTAL_DOCKER_NETWORK to kind, but our wrapper script overwrites it unconditionally and doesn't provide a way to change it. Make the script check whether KIND_EXPERIMENTAL_DOCKER_NETWORK might be already set. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
Canonicalize IP6EXTERNALRANGE to fix this warning: [=] [cilium-test-2] Test [all-egress-deny-knp] [3/21] I0526 13:40:09.838874 1 warnings.go:110] "Warning: spec.egress[0].to[1].ipBlock.cidr: IPv6 CIDR value \"fd00:10:64::ffff:00/112\" should be in RFC 5952 canonical format (\"fd00:10:64::ffff:0/112\")" Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
Recently, we started replacing real external targets (such as one.one.one.one) in test workflows with fake ones to increase robustness in case the servers that we don't control go down. Commit 6982ed9 (".github/workflows: Use fake targets in conformance-kind-proxy-embedded") mentions that the new GitHub actions kind-external-network and kind-external-targets don't work with little-vm-helper. The reason is that those actions, as implemented initially, called into Docker from the GHA context, but Docker runs inside a VM in LVH-based workflows. The change made here allows those GitHub actions to SSH into the VM before running Docker commands. To support Docker volume mounts both on the host and inside the VM, use relative paths and cd /host in the VM to get into the same directory. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
Enabling fake external targets in LVH-based workflows makes this IPv6 NodePort test fail: north-south-loadbalancing-with-l7-policy-port-range/outside-to-nodeport tcp_checksum_complete fails in tcp_v6_rcv, and TCP_MIB_CSUMERRORS increases with every IPv6 SYNACK. While it's not clear why it passed in other workflows and how setting the bridge name explicitly affects the checksums, adding this magic line is sufficient to make this test pass in LVH-based workflows. The bridge name chosen is not arbitrary, and it matches the config used by contrib/scripts/kind.sh. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
check-encryption-leaks.bt treats everything under fd00::/8 as pod traffic. This CIDR includes the actual external and node-to-node traffic in configurations with fake external target. Change the IPv6 subnet in those configurations to match the default used by contrib/scripts/kind.sh. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
.github/actions/kind-external-targets/action.sh patches the cluster-wide DNS to be able to resolve the hostnames of the fake external targets in the cilium TLD. Some LVH-based workflows use node-local DNS that doesn't know about the cilium TLD, therefore, it'll fail to resolve the fake external targets once they are enabled for LVH-based workflows. Patch the node-local DNS config to forward requests in the cilium TLD to the cluster-wide DNS server, which is capable of resolving the hostnames of the fake external targets. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
EXTRA_CLI_FLAGS is formed as an array, each element corresponding to a command line argument. However, if an argument contains spaces, we have to quote the element of the array manually. Alleviate this burden by applying shell quoting with @q when expanding the array into a string. Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
1576a7b to
6c96b33
Compare
|
/test |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.