GHA: Node without Cilium for GKE workflows #41713
Merged
978a59c to d568c63
/ci-gke
d568c63 to 9ec1260
/ci-gke
This pull request has been automatically marked as stale because it
This pull request has not seen any activity since it was marked stale.
3a7cfb2 to 0f8f9e7
/ci-gke
d2493e4 to 63a97a8
/ci-gke
/ci-gke
019d359 to b6153d1
/ci-gke
b6153d1 to 18c39a1
/ci-gke
/test
18c39a1 to dad65a5
thorn3r approved these changes Mar 6, 2026
thorn3r left a comment:
looks good for my codeowners
3a55c5f to 30a44d2
/ci-gke
test
/test
/ci-gke
/test
/ci-gke
/test
Artyop approved these changes Mar 10, 2026
youngnick approved these changes Mar 12, 2026
vipul-21 approved these changes Mar 12, 2026
/ci-gke
/test
/ci-gke
/test
jrajahalme approved these changes Mar 17, 2026
Cloud providers have connectivity to pods without the need to add extra routes, unlike Kind clusters. Drop the `ip route add` commands to avoid "Error: Nexthop has invalid gateway".

Signed-off-by: Alice Mikityanska <alice@isovalent.com>

node-local-dns uses port 8080 for liveness probes [1], which prevents
Cilium connectivity tests from deploying echo-external-node on "nodes
without Cilium" if node-local-dns runs there:

    Some error occurred Error: listen EADDRINUSE: address already in use :::8080
        at Server.setupListenHandle [as _listen2] (node:net:1940:16)
        at listenInCluster (node:net:1997:12)
        at Server.listen (node:net:2102:7)
        at app.listen (/usr/local/lib/node_modules/json-server/node_modules/express/lib/application.js:636:24)
        at /usr/local/lib/node_modules/json-server/lib/cli/run.js:112:20 {
      code: 'EADDRINUSE',
      errno: -98,
      syscall: 'listen',
      address: '::',
      port: 8080
    }

Move the port used by Cilium tests to fix the clash with node-local-dns.

[1]: https://github.com/kubernetes/kubernetes/blob/7f890ab7ade4ecfff92cc81621216ae1b87fa827/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml#L165

Signed-off-by: Alice Mikityanska <alice@isovalent.com>

The cluster can still have two nodes, one ignored by Cilium, in which case echo-external-node should be deployed on that node, otherwise it's skipped, but then waited for.

Signed-off-by: Alice Mikityanska <alice@isovalent.com>

Before commit a1d207c ("cilium-cli: fix wildcard egress tls sni policy connectivity tests"), wildcard tests used to assume that the suffixes of the two external targets are different after replacing the first one or two components of their hostnames with a wildcard. After it was fixed, double wildcard tests started passing when external targets have at least some uncommon suffix, but for fake external targets like

- nginx.external.svc.cluster.local
- nginx.external-other.svc.cluster.local

it means wildcarding as **.external.svc.cluster.local, skipping testing the functionality that matches ** on multiple words.

Solve this problem by using the `curl --resolve` option to provide fake DNS to fake external targets. In tests that don't rely on FQDN policies, it allows skipping DNS resolution and using arbitrary hostnames instead. For example, using

- fake.external.first.target
- fake.external.second.target

allows writing a double wildcard policy for **.first.target, which will match on the first target only, and it will also test **.

The downside is the requirement to issue custom TLS certificates with fake hostnames, so this approach can't be used universally for real external targets. Therefore, the fake DNS mechanism is conditionally enabled with the new flag --external-target-fake-dns. This allows enabling it in CI workflows where external targets are under control and can provide correct TLS certificates, and disabling it when used with arbitrary external servers (in which case the user still has to ensure that the hostname suffixes are different).

Signed-off-by: Alice Mikityanska <alice@isovalent.com>
Suggested-by: James Laverack <laverack@cisco.com>

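The label arithmetic behind the commit message above, as an added example that is not code from this pull request or from cilium-cli: assuming `**.` stands for one or more whole leading DNS labels, it finds the widest double-wildcard pattern that matches one target but not the other and counts how many labels `**` has to cover. The function names `matchDoubleWildcard` and `widestPattern` are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// matchDoubleWildcard reports whether host matches a "**.<suffix>" pattern.
// Assumption for this example: "**" stands for one or more whole DNS labels.
func matchDoubleWildcard(pattern, host string) bool {
	if !strings.HasPrefix(pattern, "**.") {
		return false
	}
	suffix := pattern[2:] // keep the leading dot so only whole labels match
	return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
}

// widestPattern returns the "**.<suffix>" pattern with the shortest suffix
// that matches target but not other, plus the number of labels of target
// that "**" has to cover. It returns ("", 0) when no pattern separates them.
func widestPattern(target, other string) (string, int) {
	labels := strings.Split(target, ".")
	// Shortest suffix first, so "**" covers as many labels as possible.
	for keep := 1; keep < len(labels); keep++ {
		pattern := "**." + strings.Join(labels[len(labels)-keep:], ".")
		if matchDoubleWildcard(pattern, target) && !matchDoubleWildcard(pattern, other) {
			return pattern, len(labels) - keep
		}
	}
	return "", 0
}

func main() {
	// Hostname pairs taken from the commit message.
	pairs := [][2]string{
		{"nginx.external.svc.cluster.local", "nginx.external-other.svc.cluster.local"},
		{"fake.external.first.target", "fake.external.second.target"},
	}
	for _, p := range pairs {
		pattern, covered := widestPattern(p[0], p[1])
		fmt.Printf("%s vs %s -> %s (** covers %d label(s))\n", p[0], p[1], pattern, covered)
	}
}
```

For the in-cluster service names the only separating pattern leaves `**` covering a single label, while the fake hostnames let it cover two.
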
Create the generic-external-targets GitHub action to be used in more workflows. Unlike kind-external-targets, this one doesn't assume Kind, deploys two external targets on nodes without Cilium, and provides DNS hostnames for them via headless services. It should work in a wider range of environments, but as a downside requires two extra nodes.

Signed-off-by: Alice Mikityanska <alice@isovalent.com>

They will be used to deploy fake external targets.

Signed-off-by: Alice Mikityanska <alice@isovalent.com>

Use the new generic-external-targets GitHub action in the GKE workflow, removing dependency on external servers that aren't under our control.

Signed-off-by: Alice Mikityanska <alice@isovalent.com>

Before checking out the pull request branch, store GitHub actions from the target branch, so that untrusted code from pull requests can't perform malicious actions in our GKE environment.

Signed-off-by: Alice Mikityanska <alice@isovalent.com>

/ci-gke
/test