[ci] isolate wireguard n2n tests #36556
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add a Requirement which matches if a particular mode for a feature is NOT a provided string. This is useful when you want a test to run for all modes of a feature accept a subset. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
Update the constraints over running the node-to-node encryption tests. Now, these node-to-node tests will run only when Wireguard is enabled or when no encryption is set at all. The latter reason is in place to ensure we run sanity checks on the TCPDump filters used when encryption is enabled. This ensures we haven't broken leak detection as a whole. Signed-off-by: Louis DeLosSantos <louis.delos@isovalent.com>
|
/test |
|
/test |
There was a problem hiding this comment.
Alternatively, we can use WithCondition() to implement complicated boolean operations:
https://github.com/cilium/cilium/blob/v1.17.0-pre.3/cilium-cli/connectivity/builder/echo_ingress_l7.go#L47
|
@jschwinger233 I see! Maybe it's nice to have a short hand for "NOT". This was originally suggested. I don't feel too strongly. |
gandro
approved these changes
Dec 16, 2024
derailed
approved these changes
Dec 16, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The node-to-node encryption tests do not provide any benefits for IPsec since IPsec does not support this.
Currently, the node-to-node encryption tests run for IPsec.
I did some digging and chatting with folks and its a mixed bag one whether this was intentional or not.
As we begin to move to VinE traffic with IPsec it simplifies things to no longer run node-to-node for IPsec, reducing the configuration matrix necessary to perform the correct tests.
The node-to-node tests still run when no encryption mode is set at all.
This acts as a sanity check to ensure the TCPDump filters correctly capture expected traffic.