cilium-cli/connectivity-tests: Add fake external targets #38750
Merged: dylandreimerink merged 5 commits into main from pr/dylandreimerink/cilium-connectivity-fqdn-dual-stack on Apr 23, 2025
2174760 to 664ec56
/test
This commit adds IPv6 external target IP, other external target IP and external CIDR parameters to the cilium-cli connectivity test, and adds them to the `PodToCIDR` scenario and all tests that use it. The IPv6 variation of `PodToCIDR` is only enabled when the external targets are IPv6 capable.
Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
To validate that adding fake external targets works, we use them in the `conformance-kind-proxy-embedded` workflow. This workflow was mostly chosen because it enables a large number of tests and runs kind directly on the runner instead of in LVH. The actions will not work for kind clusters in LVH as is, since they execute in the context of the runner and they need to run in the context of the LVH VM for those instead. This is something to be addressed in a future change.
Signed-off-by: Dylan Reimerink <dylan.reimerink@isovalent.com>
41e6067 to 5bb5f0a
/test
nathanjsweet approved these changes on Apr 16, 2025
jrajahalme approved these changes on Apr 22, 2025
pchaigno approved these changes on Apr 22, 2025
Exciting CI extension! Can't wait to see the 1.1.1.1 flakes disappear :)
Labels
ready-to-merge
This PR has passed all tests and received consensus from code owners to merge.
release-note/ci
This PR makes changes to the CI.
This PR adds fake external targets to the `conformance-kind-proxy-embedded` workflow. It introduces reusable GitHub actions to be used by other workflows in the future and a number of cilium-cli modifications.
The reason for doing the above is to enable IPv6 testing of our to-fqdn tests. These tests require connectivity to the external targets. Since GitHub does not provide IPv6 connectivity, we cannot simply enable IPv6 traffic to the existing default external targets (one.one.one.one and k8s.io). So to allow us to do IPv6 testing to external targets, we need to stop using actual external targets and use fake external targets instead. Another positive side effect is that this should make our tests that require external targets less flaky, since we remove internet connectivity and uptime of external services as possible reasons why our tests might fail.
These fake external targets are simply docker containers which are added to the same bridge network as the kind nodes. From the perspective of these kind nodes, the external targets are like servers in the same L2 network which are not part of the k8s cluster. They are reachable over the same `eth0` interface as targets on the internet. The CoreDNS config is modified to add DNS entries for the external targets. The external targets are assigned IPs which both live in the same CIDR, but one which does not cover the IPs used by the kind hosts. Both external targets are nginx webservers, listening on ports 80 and 443, serving HTTP and HTTPS with a certificate signed by a self-signed CA. The cert of the CA is put into a k8s secret so it can be used by the tests.
The connectivity tests are modified so that a custom CA is added to the client CA bundle when provided. IPv6 testing is enabled for `PodToWorld`, `PodToWorld2` and `PodToCIDR`, except for when L7 proxy is used (see #37932), and only when the new `external-target-ipv6-capable` flag is set. This new flag allows us to enable IPv6 with fake external targets, while keeping it disabled for existing workflows without fake external targets.
For now only the `conformance-kind-proxy-embedded` workflow has these fake external targets. That is because it is low-hanging fruit: it executes a large range of connectivity tests, including the FQDN tests. It also uses kind directly on the runner as opposed to in LVH. Using these fake external targets should also be possible in LVH, but we need to execute the scripts inside of the VM, something which requires a bit more work, and so is left for a follow-up PR.
Fixes: #37138
Fixes: #37139