Skip to content

workflows: Add WireGuard in the Conformance Multi-Pool workflow #39561

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 20, 2025
Merged

workflows: Add WireGuard in the Conformance Multi-Pool workflow #39561

merged 3 commits into from
May 20, 2025

Conversation

pippolo84
Copy link
Member

@pippolo84 pippolo84 commented May 15, 2025
edited
Loading

Extend Conformance Multi-Pool workflow to cover WireGuard based encryption, in both tunnel and direct routing mode.
Also, move the test configuration matrix in its own file, just like we do for Conformance IPsec E2E and Cilium E2E Upgrade workflows.

Differently from Conformance IPsec E2E and Cilium E2E Upgrade, despite testing the encryption feature, here we do not check for unencrypted packets. This is due to the fact that the bpftrace action we usually rely on to look for leaked packets is meant to run on a Little VM Helper Virtual Machine where the Kind cluster is installed and exposed. Since this is not the case for this workflow and in the long term the multi-pool IPAM config should be just another case in the matrix config of existing conformance tests, we simply skip that check here.

Example of a successful run: https://github.com/cilium/cilium/actions/runs/15122436433

@pippolo84 pippolo84 added area/CI Continuous Integration testing issue or flake release-note/ci This PR makes changes to the CI. area/multipool Affects Multi-Pool IPAM feature/wireguard Relates to Cilium's Wireguard feature labels May 15, 2025
@pippolo84
Copy link
Member Author

/ci-multi-pool

@julianwiedmann
Copy link
Member

For context, I think #35895 demonstrates nicely why things work for Wireguard.

  1. in overlay routing mode, the WG tunnel only sees nodeIPs. And those are correctly registered by the receiving endpoints in their allowedIPs.
  2. in native routing mode, the WG managers track ipcache events and push those down into allowedIPs. Doesn't matter which specific IPAM pool the IP was taken from.

@pippolo84
Copy link
Member Author

/ci-multi-pool

pippolo84 added 2 commits May 19, 2025 16:15
@pippolo84
ci/multi-pool: Add test for WireGuard with direct routing
a3f085a 
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
ci/multi-pool: Add test for WireGuard with tunneling
d4e2e49 
Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84 pippolo84 force-pushed the pr/pippolo84/multipool-ipam-wireguard branch from a5fcaff to bb1f56e Compare May 19, 2025 14:15
@pippolo84
Copy link
Member Author

/ci-multi-pool

@pippolo84 pippolo84 marked this pull request as ready for review May 19, 2025 14:57
@pippolo84 pippolo84 requested review from a team as code owners May 19, 2025 14:57
@pippolo84 pippolo84 requested a review from Artyop May 19, 2025 14:57
@pippolo84
ci/multi-pool: Generate config matrix from file
9b87a24 
Split off the tested multi-pool configurations into a separate file.
This should make it easier to replace the configs, add additional files
with custom configs and similar.

It also harmonizes the workflow with how the IPsec upgrade and E2e
upgrade workflows work.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84 pippolo84 force-pushed the pr/pippolo84/multipool-ipam-wireguard branch from bb1f56e to 9b87a24 Compare May 19, 2025 20:22
@pippolo84
Copy link
Member Author

/ci-multi-pool

@pippolo84
Copy link
Member Author

/test

@pippolo84 pippolo84 added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label May 20, 2025
This was referenced May 20, 2025
Closed
Merged
@julianwiedmann julianwiedmann added this pull request to the merge queue May 20, 2025
Merged via the queue into main with commit 0598e0b May 20, 2025
309 of 318 checks passed
@julianwiedmann julianwiedmann deleted the pr/pippolo84/multipool-ipam-wireguard branch May 20, 2025 14:24
@pippolo84 pippolo84 mentioned this pull request May 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Artyop Artyop Artyop approved these changes

Assignees
No one assigned
Labels
area/CI Continuous Integration testing issue or flake area/multipool Affects Multi-Pool IPAM feature/wireguard Relates to Cilium's Wireguard feature ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/ci This PR makes changes to the CI.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pippolo84 @julianwiedmann @Artyop