wip

Signed-off-by: Tom Hadlaw <[email protected]>
isovalent · Feb 13, 2024 · eb34a23 · eb34a23
1 parent 332d388
commit eb34a23
Show file tree

Hide file tree

Showing 5 changed files with 98 additions and 35 deletions.
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -20,39 +20,15 @@ jobs:
       max-parallel: 4
       matrix:
         include:
-          - name: 'Talos 1.5 ipv4 KPR'
+          - name: 'Talos v1.5 with KPR'
             talos-version: 'v1.5.3'
+            # TODO: Switch this to partial
             kube-proxy: true 
             socketlb: false 
             bpf-masquerade: true
+            ipam-mode: 'kubernetes'
             ipv4: true
             ipv6: false
-
-          - name: 'Talos 1.5 ipv4 without KPR'
-            talos-version: 'v1.5.3'
-            kube-proxy: false
-            socketlb: true
-            bpf-masquerade: true
-            ipv4: true
-            ipv6: false
-
-          # Talos Version v1.6
-          - name: 'Talos 1.6 ipv4 KPR'
-            talos-version: 'v1.6.1'
-            bpf-masquerade: true
-            kube-proxy: true
-            socketlb: false
-            ipv4: true
-            ipv6: false
-
-          - name: 'Talos 1.6 ipv4 without KPR'
-            talos-version: 'v1.6.1'
-            bpf-masquerade: true
-            kube-proxy: false
-            socketlb: true
-            ipv4: true
-            ipv6: false
-
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
@@ -90,7 +66,9 @@ jobs:
             --set ipv6.enabled=${{ matrix.ipv6 }} \
             --set bpf.masquerade=${{ matrix.bpf-masquerade }} \
             --set kubeProxyReplacement=${{ matrix.kube-proxy }} \
-            --set socketLB.enabled=${{ matrix.socketlb }}
+            --set socketLB.enabled=${{ matrix.socketlb }} \
+            --set ipam.mode=${{ matrix.ipam-mode }} \
+            --set ingressController.enabled=true
           cilium-cli status --wait
 
       - name: Run E2E Connectivity Tests 

diff --git a/test/conformance/env.tfvars b/test/conformance/env.tfvars
@@ -1,5 +1,5 @@
-cluster_name       = "talos-e2e--102"
-region             = "us-east-2"
-owner              = "tom"
-talos_version      = "v1.5.3"
-disable_kube_proxy = true
+cluster_name = "talos-e2e--302"
+region = "us-east-2"
+owner = "tom"
+talos_version = "v1.5.3"
+disable_kube_proxy = false 
diff --git a/test/conformance/repro.yaml b/test/conformance/repro.yaml
@@ -11,7 +11,6 @@ image:
   #override: quay.io/thad9/cilium:bisect 
   #override: quay.io/thad9/cilium:7661ffaa5079
   #override: quay.io/thad9/cilium:complexity
-
 k8s:
   requireIPv4PodCIDR: true
   requireIPv6PodCIDR: false

diff --git a/test/conformance/roche.yaml b/test/conformance/roche.yaml
@@ -0,0 +1,85 @@
+image:
+  override: quay.io/isovalent-dev/cilium-dev:v1.13.4-cee.1-websocket-4
+nodePort:
+  enabled: true
+dnsPolicy: ClusterFirstWithHostNet
+resources:
+  requests:
+    cpu: 20m
+    memory: 512Mi
+kubeProxyReplacement: partial
+ingressController:
+  enabled: true
+operator:
+  image:
+    override: quay.io/isovalent-dev/operator-generic-dev:v1.13.4-cee.1-websocket-4
+  replicas: 1
+  resources:
+    requests:
+      cpu: 20m
+      memory: 128Mi
+  prometheus:
+    enabled: true
+    serviceMonitor:
+      enabled: false
+prometheus:
+  enabled: true
+  serviceMonitor:
+    enabled: false
+hubble:
+  enabled: true
+  metrics:
+    enabled:
+    - dns:query;ignoreAAAA
+    - drop
+    - tcp
+    - flow
+    - icmp
+    - http
+    serviceMonitor:
+      enabled: false
+  relay:
+    enabled: true
+    resources:
+      requests:
+        cpu: 10m
+        memory: 128Mi
+    prometheus:
+      enabled: true
+      serviceMonitor:
+        enabled: false
+  tls:
+    enabled: true 
+    auto:
+      enabled: true
+      method: cronJob
+      certValidityDuration: 1095
+      schedule: "0 0 1 */4 *"
+ipam:
+  mode: kubernetes
+  operator:
+    clusterPoolIPv4PodCIDRList:
+    - ${POD_CIDR}
+    clusterPoolIPv4MaskSize: 23
+securityContext:
+  capabilities:
+    ciliumAgent:
+      - CHOWN
+      - KILL
+      - NET_ADMIN
+      - NET_RAW
+      - IPC_LOCK
+      - SYS_ADMIN
+      - SYS_RESOURCE
+      - DAC_OVERRIDE
+      - FOWNER
+      - SETGID
+      - SETUID
+    cleanCiliumState:
+      - NET_ADMIN
+      - SYS_ADMIN  
+      - SYS_RESOURCE
+cgroup:
+  autoMount:
+    enabled: false
+  hostRoot: /sys/fs/cgroup
diff --git a/test/conformance/values.yaml b/test/conformance/values.yaml
@@ -83,7 +83,7 @@ prometheus:
 ipam:
   # Ensure to not assign PodCIDRs to Nodes via "controllerManager.extraArgs.allocate-node-cidrs" in case you want to use Cilium's default IPAM mode, cluster-pool, instead of 'kubernetes'. Use the provided 'allocate_node_cidrs' Terraform variable to steer this behaviour.
   #mode: kubernetes
-  mode: cluster-pool
+  #mode: cluster-pool
   operator:
     clusterPoolIPv4PodCIDRList:
     - "100.64.0.0/14"
@@ -94,6 +94,7 @@ cgroup:
   autoMount:
     enabled: false
   hostRoot: /sys/fs/cgroup
+
 # Remove "SYS_MODULE" because of https://www.talos.dev/v1.5/learn-more/process-capabilities/
 securityContext:
   capabilities: