[v1.16] workflows: Extend IPsec tests to cover egress gateway #35540
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit bf874a0 ] The 'encryption' and 'encryption-node' field are removed. We already know this is about IPsec encryption and node encryption isn't supported, so those fields are just unnecessary verbosity. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
|
/ci-ipsec-upgrade |
055ac66 to
05588fa
Compare
|
/ci-ipsec-upgrade |
05588fa to
8f8b415
Compare
|
/ci-ipsec-upgrade |
|
/ci-ipsec-e2e |
[ upstream commit 738f73f ] This commit simply ensures the two IPsec workflows use the same configs. The configs from the end-to-end test workflow, which seem more extensive, are used. Note that this means IPsec+KPR is now covered in up/downgrade tests. It was only covered in end-to-end tests before. This is now okay because IPsec+KPR should work in v1.16. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit e1916e2 ] [ backporter's notes: switch `cilium` to `cilium-cli` ] For the end-to-end workflow, where we check for unencrypted pod-to-pod traffic, this change requires us to run the egress gateway tests outside of the unencrypted traffic check. Otherwise, pod-to-world traffic redirected to the gateway is detected as incorrect unencrypted. Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
[ upstream commit 06cfdb4 ] To avoid duplicating the test configurations, let's store it in a single place, as a YAML file, and generate the matrices for the workflows from that file. For the end-to-end workflow, we can take the YAML file as is. For the upgrade workflows, we need to remove unused fields and duplicate each entry for "mode: patch" and "mode: minor". For the upgrade workflow, this has the added benefit of displaying the full configuration in the job's name (instead of the previous "(1, minor)"). Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
KPR is not supported on v1.15, skip these particular tests. Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
8f8b415 to
04bc51e
Compare
|
/test-backport-1.16 |
pchaigno
approved these changes
Oct 28, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Manual backport, to tolerate that KPR and IPsec don't work together on v1.15.
Once this PR is merged, a GitHub action will update the labels of these PRs: