ci: fix cilium chaining e2e (#2391)

Author: zhangzujian

.github/workflows/build-x86-image.yaml

@@ -22,7 +22,7 @@ concurrency:
 
 env:
   GOSEC_VERSION: '2.15.0'
-  HELM_VERSION: v3.10.3
+  HELM_VERSION: v3.11.1
 
 jobs:
   build-kube-ovn:
@@ -1086,11 +1086,13 @@ jobs:
           sudo cp -r /root/.kube/ ~/.kube/
           sudo chown -R $(id -un). ~/.kube/
 
-      - name: Install Kube-OVN
-        run: make kind-install
+      - name: Install Kube-OVN with Cilium chaining
+        run: make kind-install-cilium-chaining
 
       - name: Run E2E
         working-directory: ${{ env.E2E_DIR }}
+        env:
+          E2E_CILIUM_CHAINING: "true"
         run: make k8s-conformance-e2e
 
       - name: Cleanup

.github/workflows/scheduled-e2e.yaml

@@ -10,7 +10,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  HELM_VERSION: v3.10.1
+  HELM_VERSION: v3.11.1
 
 jobs:
   k8s-conformance-e2e:
@@ -830,14 +830,16 @@ jobs:
           sudo cp -r /root/.kube/ ~/.kube/
           sudo chown -R $(id -un). ~/.kube/
 
-      - name: Install Kube-OVN
+      - name: Install Kube-OVN with Cilium chaining
         working-directory: test/e2e/kube-ovn/branches/${{ matrix.branch }}
         run: |
           version=$(grep -E '^VERSION="v([0-9]+\.){2}[0-9]+"$' dist/images/install.sh | head -n1 | awk -F= '{print $2}' | tr -d '"')
           docker pull kubeovn/kube-ovn:$version
-          VERSION=$version make kind-install
+          VERSION=$version make kind-install-cilium-chaining
 
       - name: Run E2E
+        env:
+          E2E_CILIUM_CHAINING: "true"
         run: make k8s-conformance-e2e
 
       - name: Cleanup

Makefile

@@ -15,7 +15,7 @@ CONTROL_PLANE_TAINTS = node-role.kubernetes.io/master node-role.kubernetes.io/co
 MULTUS_IMAGE = ghcr.io/k8snetworkplumbingwg/multus-cni:stable
 MULTUS_YAML = https://raw.githubusercontent.com/k8snetworkplumbingwg/multus-cni/master/deployments/multus-daemonset.yml
 
-CILIUM_VERSION = 1.11.6
+CILIUM_VERSION = 1.12.7
 CILIUM_IMAGE_REPO = quay.io/cilium/cilium
 
 VPC_NAT_GW_IMG = $(REGISTRY)/vpc-nat-gateway:$(VERSION)
@@ -271,10 +271,6 @@ kind-init-ipv6:
 kind-init-dual:
 	@ip_family=dual $(MAKE) kind-init
 
-.PHONY: kind-init-cilium
-kind-init-cilium:
-	@kube_proxy_mode=iptables $(MAKE) kind-init
-
 .PHONY: kind-load-image
 kind-load-image:
 	$(call kind_load_image,kube-ovn,$(REGISTRY)/kube-ovn:$(VERSION))
@@ -480,28 +476,28 @@ kind-install-lb-svc: kind-load-image kind-untaint-control-plane
 	ENABLE_LB_SVC=true CNI_CONFIG_PRIORITY=10 bash
 	kubectl describe no
 
-.PHONY: kind-install-cilium
-kind-install-cilium: kind-load-image kind-untaint-control-plane
+.PHONY: kind-install-cilium-chaining
+kind-install-cilium-chaining: kind-load-image kind-untaint-control-plane
 	$(eval KUBERNETES_SERVICE_HOST = $(shell kubectl get nodes kube-ovn-control-plane -o jsonpath='{.status.addresses[0].address}'))
 	$(call docker_ensure_image_exists,$(CILIUM_IMAGE_REPO):v$(CILIUM_VERSION))
 	$(call kind_load_image,kube-ovn,$(CILIUM_IMAGE_REPO):v$(CILIUM_VERSION))
-	kubectl apply -f yamls/chaining.yaml
+	kubectl apply -f yamls/cilium-chaining.yaml
 	helm repo add cilium https://helm.cilium.io/
 	helm install cilium cilium/cilium \
 		--version $(CILIUM_VERSION) \
 		--namespace=kube-system \
 		--set k8sServiceHost=$(KUBERNETES_SERVICE_HOST) \
 		--set k8sServicePort=6443 \
 		--set tunnel=disabled \
+		--set sessionAffinity=true \
 		--set enableIPv4Masquerade=false \
-		--set enableIdentityMark=false \
 		--set cni.chainingMode=generic-veth \
 		--set cni.customConf=true \
 		--set cni.configMap=cni-configuration
 	kubectl -n kube-system rollout status ds cilium --timeout 300s
-	bash dist/images/cilium.sh
+	bash dist/images/install-cilium-cli.sh
 	sed 's/VERSION=.*/VERSION=$(VERSION)/' dist/images/install.sh | \
-	ENABLE_LB=false ENABLE_NP=false WITHOUT_KUBE_PROXY=true CNI_CONFIG_PRIORITY=10 bash
+		ENABLE_LB=false ENABLE_NP=false CNI_CONFIG_PRIORITY=10 bash
 	kubectl describe no
 
 .PHONY: kind-reload

Makefile.e2e

@@ -1,6 +1,7 @@
 E2E_BRANCH := $(shell echo $${E2E_BRANCH:-master})
 E2E_IP_FAMILY := $(shell echo $${E2E_IP_FAMILY:-ipv4})
 E2E_NETWORK_MODE := $(shell echo $${E2E_NETWORK_MODE:-overlay})
+E2E_CILIUM_CHAINING = $(shell echo $${E2E_CILIUM_CHAINING:-false})
 
 K8S_CONFORMANCE_E2E_FOCUS = "sig-network.*Conformance" "sig-network.*Feature:NoSNAT"
 K8S_CONFORMANCE_E2E_SKIP = "sig-network.*Services.*session affinity"

dist/images/.dockerignore

@@ -1,5 +1,6 @@
 build.sh
 install.sh
+install-cilium-cli.sh
 ovn-ic-db-docker.sh
 generate-ssl-docker.sh
 cleanup.sh

dist/images/cilium.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -e
+
+CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
+CILIUM_CLI_ARCH=amd64
+if [ "$(uname -m)" = "aarch64" ]; then
+ CILIUM_CLI_ARCH=arm64
+fi
+
+curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CILIUM_CLI_ARCH}.tar.gz{,.sha256sum}
+if command -v sha256sum >/dev/null; then
+  sha256sum --check cilium-linux-${CILIUM_CLI_ARCH}.tar.gz.sha256sum
+fi
+sudo tar xzvfC cilium-linux-${CILIUM_CLI_ARCH}.tar.gz /usr/local/bin
+rm cilium-linux-${CILIUM_CLI_ARCH}.tar.gz{,.sha256sum}