From 3991c58a227d833d072e4ad63debe6206a6b167b Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Fri, 16 May 2025 21:23:42 +0000 Subject: [PATCH 1/6] chore: update nightly manifests from v1.14 > match v1.17 (latest available) --- .../cilium-nightly-agent/clusterrole.yaml | 14 +++- .../clusterrolebinding.yaml | 2 + .../cilium/cilium-nightly-config.yaml | 68 ++++++++++++++++--- .../cilium-nightly-operator/clusterrole.yaml | 60 +++++++++++++++- .../manifests/cilium/daemonset.yaml | 42 ++++-------- .../manifests/cilium/deployment.yaml | 44 ++++++++++++ 6 files changed, 185 insertions(+), 45 deletions(-) diff --git a/test/integration/manifests/cilium/cilium-nightly-agent/clusterrole.yaml b/test/integration/manifests/cilium/cilium-nightly-agent/clusterrole.yaml index 7dbdd42326..2bc15412c0 100644 --- a/test/integration/manifests/cilium/cilium-nightly-agent/clusterrole.yaml +++ b/test/integration/manifests/cilium/cilium-nightly-agent/clusterrole.yaml @@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium + labels: + app.kubernetes.io/part-of: cilium rules: - apiGroups: - networking.k8s.io @@ -45,8 +47,6 @@ rules: - apiGroups: - cilium.io resources: - #Naming changed from ciliumbgploadbalancerippools - - ciliumloadbalancerippools - ciliumbgppeeringpolicies - ciliumclusterwideenvoyconfigs - ciliumclusterwidenetworkpolicies @@ -59,8 +59,13 @@ rules: - ciliumnetworkpolicies - ciliumnodes - ciliumnodeconfigs - #Added in 1.14.0 snapshot 2 + - ciliumloadbalancerippools - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools + - ciliumbgpnodeconfigs + - ciliumbgpadvertisements + - ciliumbgppeerconfigs verbs: - list - watch @@ -74,6 +79,7 @@ rules: - create - apiGroups: - cilium.io + # To synchronize garbage collection of such resources resources: - ciliumidentities verbs: 
@@ -100,5 +106,7 @@ rules: - ciliumclusterwidenetworkpolicies/status - ciliumendpoints/status - ciliumendpoints + - ciliuml2announcementpolicies/status + - ciliumbgpnodeconfigs/status verbs: - patch diff --git a/test/integration/manifests/cilium/cilium-nightly-agent/clusterrolebinding.yaml b/test/integration/manifests/cilium/cilium-nightly-agent/clusterrolebinding.yaml index f5d39b0ffd..93a6e06cdc 100644 --- a/test/integration/manifests/cilium/cilium-nightly-agent/clusterrolebinding.yaml +++ b/test/integration/manifests/cilium/cilium-nightly-agent/clusterrolebinding.yaml @@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cilium + labels: + app.kubernetes.io/part-of: cilium roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/test/integration/manifests/cilium/cilium-nightly-config.yaml b/test/integration/manifests/cilium/cilium-nightly-config.yaml index 24a9f43839..4512e00862 100644 --- a/test/integration/manifests/cilium/cilium-nightly-config.yaml +++ b/test/integration/manifests/cilium/cilium-nightly-config.yaml @@ -1,4 +1,4 @@ -apiVersion: v1 +apiVersion: v1 #Not verified, placeholder data: agent-not-ready-taint-key: node.cilium.io/agent-not-ready arping-refresh-period: 30s @@ -9,7 +9,6 @@ data: bpf-map-dynamic-size-ratio: "0.0025" bpf-policy-map-max: "16384" bpf-root: /sys/fs/bpf - ces-slice-mode: fcfs cgroup-root: /run/cilium/cgroupv2 cilium-endpoint-gc-interval: 5m0s cluster-id: "0" @@ -20,7 +19,6 @@ data: enable-auto-protect-node-port-range: "true" enable-bgp-control-plane: "false" enable-bpf-clock-probe: "true" - enable-cilium-endpoint-slice: "true" enable-endpoint-health-checking: "false" enable-endpoint-routes: "true" enable-health-check-nodeport: "true" 
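Review bot: The inline comment added to `apiVersion: v1` in cilium-nightly-config.yaml does not say what is unverified. `v1` is the correct apiVersion for a ConfigMap, so the remark presumably refers to the data values below it. A header comment above the document that names what still needs checking would be clearer, for example `# NOTE: data values below have not been validated against the nightly image` (wording for the author to confirm).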
@@ -35,7 +33,7 @@ data: enable-l2-neigh-discovery: "true" enable-l7-proxy: "false" enable-local-node-route: "false" - enable-local-redirect-policy: "true" + enable-local-redirect-policy: "true" # set to true for lrp test enable-metrics: "true" enable-policy: default enable-session-affinity: "true" @@ -48,7 +46,7 @@ data: install-no-conntrack-iptables-rules: "false" ipam: delegated-plugin kube-proxy-replacement: "true" - kube-proxy-replacement-healthz-bind-address: "" + kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256" local-router-ipv4: 169.254.23.0 metrics: +cilium_bpf_map_pressure monitor-aggregation: medium 
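Review bot: `kube-proxy-replacement-healthz-bind-address` changes from empty (health server disabled) to `"0.0.0.0:10256"`, so the health endpoint listens on every IPv4 address of each node. The daemonset context in this patch shows the agent running with `hostNetwork: true`. The line carries no comment explaining why the listener is needed. I would add one, e.g. `# health check for LB probes; restrict 10256 to probe sources at the node firewall/NSG`, so the exposure is a recorded decision. If the nightly clusters are dual-stack, note that this value covers IPv4 only.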
@@ -63,21 +61,73 @@ data: prometheus-serve-addr: :9962 remove-cilium-node-taints: "true" set-cilium-is-up-condition: "true" + sidecar-istio-proxy-image: cilium/istio_proxy synchronize-k8s-nodes: "true" tofqdns-dns-reject-response-code: refused tofqdns-enable-dns-compression: "true" - tofqdns-endpoint-max-ip-per-hostname: "50" + tofqdns-endpoint-max-ip-per-hostname: "1000" tofqdns-idle-connection-grace-period: 0s tofqdns-max-deferred-connection-deletes: "10000" - tofqdns-min-ttl: "3600" + tofqdns-min-ttl: "0" tofqdns-proxy-response-max-delay: 100ms - #Replaces tunnel: disabled in v1.15 - routing-mode: "native" + routing-mode: native unmanaged-pod-watcher-interval: "15" vtep-cidr: "" vtep-endpoint: "" vtep-mac: "" vtep-mask: "" + enable-sctp: "false" + external-envoy-proxy: "false" + k8s-client-qps: "10" + k8s-client-burst: "20" + mesh-auth-enabled: "true" + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" + mesh-auth-gc-interval: "5m0s" + proxy-connect-timeout: "2" + proxy-max-requests-per-connection: "0" + proxy-max-connection-duration-seconds: "0" + set-cilium-node-taints: "true" + unmanaged-pod-watcher-interval: "15" +## new values added for 1.16 below + enable-ipv4-big-tcp: "false" + enable-ipv6-big-tcp: "false" + enable-masquerade-to-route-source: "false" + enable-health-check-loadbalancer-ip: "false" + bpf-lb-acceleration: "disabled" + enable-k8s-networkpolicy: "true" + cni-exclusive: "false" # Cilium takes ownership of /etc/cni/net.d, pods cannot be scheduled with any other cni if cilium is down + cni-log-file: "/var/run/cilium/cilium-cni.log" + ipam-cilium-node-update-rate: "15s" + egress-gateway-reconciliation-trigger-interval: "1s" + nat-map-stats-entries: "32" + nat-map-stats-interval: "30s" + bpf-events-drop-enabled: "true" # exposes drop events to cilium monitor/hubble + bpf-events-policy-verdict-enabled: "true" # exposes policy verdict events to cilium monitor/hubble + bpf-events-trace-enabled: "true" # exposes trace 
events to cilium monitor/hubble + enable-tcx: "false" # attach endpoint programs with tcx if supported by kernel + datapath-mode: "veth" + direct-routing-skip-unreachable: "false" + enable-runtime-device-detection: "false" + bpf-lb-sock: "false" + bpf-lb-sock-terminate-pod-connections: "false" + nodeport-addresses: "" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + enable-node-selector-labels: "false" +## new values for 1.17 + ces-slice-mode: "fcfs" + enable-cilium-endpoint-slice: "true" + bpf-lb-source-range-all-types: "false" + bpf-algorithm-annotation: "false" + bpf-lb-mode-annotation: "false" + enable-experimental-lb: "false" + enable-endpoint-lockdown-on-policy-overflow: "false" + health-check-icmp-failure-threshold: "3" + enable-internal-traffic-policy: "true" + enable-lb-ipam: "true" + enable-non-default-deny-policies: "true" + enable-source-ip-verification: "true" kind: ConfigMap metadata: annotations: diff --git a/test/integration/manifests/cilium/cilium-nightly-operator/clusterrole.yaml b/test/integration/manifests/cilium/cilium-nightly-operator/clusterrole.yaml index 8c12e05729..329cc07f5d 100644 --- a/test/integration/manifests/cilium/cilium-nightly-operator/clusterrole.yaml +++ b/test/integration/manifests/cilium/cilium-nightly-operator/clusterrole.yaml @@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium-operator + labels: + app.kubernetes.io/part-of: cilium rules: - apiGroups: - "" @@ -14,6 +16,15 @@ rules: # to automatically delete [core|kube]dns pods so that are starting to being # managed by Cilium - delete +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - cilium-config + verbs: + # allow patching of the configmap to set annotations + - patch - apiGroups: - "" resources: @@ -51,6 +62,7 @@ rules: resources: # to check apiserver connectivity - namespaces + - secrets verbs: - get - list 
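Review bot: The comment on `cni-exclusive: "false"` describes what happens when the option is enabled (Cilium takes ownership of /etc/cni/net.d), but the value set here is false. Reword it to match the setting, e.g. `# false: Cilium does not take ownership of /etc/cni/net.d, other CNI configs are left in place`. In the same hunk, `enable-endpoint-lockdown-on-policy-overflow: "false"` and `tofqdns-min-ttl: "0"` relax policy behaviour. A short why-comment on each would help whoever later copies this test manifest.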
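Review bot: Adding `- secrets` to the namespaces rule gives the cilium-operator ClusterRole at least `get` and `list` on Secrets in every namespace; the verbs list continues outside the hunk. The only comment above the resources still reads `# to check apiserver connectivity`, which does not explain the new entry. If the operator needs Secrets only from specific namespaces, a namespaced Role and RoleBinding would keep the grant narrow. Otherwise add a comment naming the feature that requires it, e.g. `# secrets: read by the operator for <feature>; cluster-wide read, review before reuse outside tests`.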
@@ -87,6 +99,7 @@ rules: - ciliumclusterwidenetworkpolicies/status verbs: # Update the auto-generated CNPs and CCNPs status. + - patch - update - apiGroups: - cilium.io @@ -103,6 +116,7 @@ rules: resources: - ciliumidentities verbs: + # To synchronize garbage collection of such resources - update - apiGroups: - cilium.io @@ -127,6 +141,9 @@ rules: resources: - ciliumendpointslices - ciliumenvoyconfigs + - ciliumbgppeerconfigs + - ciliumbgpadvertisements + - ciliumbgpnodeconfigs verbs: - create - update @@ -135,6 +152,13 @@ rules: - watch - delete - patch +- apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update - apiGroups: - apiextensions.k8s.io resources: @@ -153,10 +177,14 @@ rules: resourceNames: - ciliumloadbalancerippools.cilium.io - ciliumbgppeeringpolicies.cilium.io + - ciliumbgpclusterconfigs.cilium.io + - ciliumbgppeerconfigs.cilium.io + - ciliumbgpadvertisements.cilium.io + - ciliumbgpnodeconfigs.cilium.io + - ciliumbgpnodeconfigoverrides.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io - - ciliumegressnatpolicies.cilium.io - ciliumendpoints.cilium.io - ciliumendpointslices.cilium.io - ciliumenvoyconfigs.cilium.io 
@@ -166,8 +194,34 @@ rules: - ciliumnetworkpolicies.cilium.io - ciliumnodes.cilium.io - ciliumnodeconfigs.cilium.io - #Added in 1.14.0 snapshot 2 - ciliumcidrgroups.cilium.io + - ciliuml2announcementpolicies.cilium.io + - ciliumpodippools.cilium.io +- apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools + - ciliumpodippools + - ciliumbgppeeringpolicies + - ciliumbgpclusterconfigs + - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs + verbs: + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumpodippools + verbs: + - create +- apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools/status + verbs: + - patch # For cilium-operator running in HA mode. # # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election @@ -181,4 +235,4 @@ rules: verbs: - create - get - - update + - update \ No newline at end of file diff --git a/test/integration/manifests/cilium/daemonset.yaml b/test/integration/manifests/cilium/daemonset.yaml index 745ae830fb..f3e6e7093f 100644 --- a/test/integration/manifests/cilium/daemonset.yaml +++ b/test/integration/manifests/cilium/daemonset.yaml @@ -7,6 +7,7 @@ metadata: labels: app.kubernetes.io/managed-by: Helm k8s-app: cilium + app.kubernetes.io/part-of: cilium name: cilium namespace: kube-system spec: @@ -38,12 +39,6 @@ spec: operator: In values: - linux - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - k8s-app: cilium - topologyKey: kubernetes.io/hostname containers: - args: - --config-dir=/tmp/cilium/config-map @@ -98,7 +93,7 @@ spec: timeoutSeconds: 5 resources: {} securityContext: - appArmorProfile: + appArmorProfile: type: Unconfined capabilities: add: @@ -157,6 +152,9 @@ spec: readOnly: true - mountPath: /run/xtables.lock name: xtables-lock + - mountPath: /var/run/cilium/netns + name: cilium-netns + mountPropagation: HostToContainer dnsPolicy: ClusterFirst hostNetwork: true initContainers: 
@@ -195,7 +193,7 @@ spec: name: mount-cgroup resources: {} securityContext: - appArmorProfile: + appArmorProfile: type: Unconfined capabilities: add: @@ -229,7 +227,7 @@ spec: name: apply-sysctl-overwrites resources: {} securityContext: - appArmorProfile: + appArmorProfile: type: Unconfined capabilities: add: @@ -289,7 +287,7 @@ spec: cpu: 100m memory: 100Mi securityContext: - appArmorProfile: + appArmorProfile: type: Unconfined capabilities: add: @@ -312,26 +310,6 @@ spec: name: cilium-cgroup - mountPath: /var/run/cilium name: cilium-run - - command: - - bash - - -cex - - | - export LD_LIBRARY_PATH=/host/lib/systemd:/host/usr/lib/aarch64-linux-gnu:/host/usr/lib/x86_64-linux-gnu - export SYSTEMD_VERSION="$(/host/lib/systemd/systemd --version | head -n 1 | cut -d' ' -f2)" - [[ $SYSTEMD_VERSION -ge 249 ]] && { - mkdir -p /host/etc/systemd/networkd.conf.d - echo -e "[Network]\nManageForeignRoutes=no\nManageForeignRoutingPolicyRules=no\n" \ - >/host/etc/systemd/networkd.conf.d/99-cilium-foreign-routes.conf - chmod -R u+rwX,go+rX /host/etc/systemd/networkd.conf.d - } || exit 0 - image: mcr.microsoft.com/cbl-mariner/base/core:2.0 - imagePullPolicy: IfNotPresent - name: systemd-networkd-overrides - resources: {} - securityContext: - privileged: true - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File volumeMounts: - mountPath: /host/etc/systemd name: host-etc-systemd @@ -440,6 +418,10 @@ spec: path: /proc/sys/kernel type: Directory name: host-proc-sys-kernel + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns updateStrategy: rollingUpdate: maxSurge: 0 diff --git a/test/integration/manifests/cilium/deployment.yaml b/test/integration/manifests/cilium/deployment.yaml index 2842221eee..0b1a497bd2 100644 --- a/test/integration/manifests/cilium/deployment.yaml +++ b/test/integration/manifests/cilium/deployment.yaml 
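Review bot: The `@@ -312,26 +310,6 @@` hunk removes the `systemd-networkd-overrides` init container from `- command:` through `terminationMessagePolicy: File`, but keeps its `volumeMounts:` list as context. The surviving `volumeMounts:` / `- mountPath: /host/etc/systemd` lines then attach to the preceding init container, whose own mounts end with `cilium-run`. That container ends up with a duplicate `volumeMounts` key. Depending on the parser, the manifest is either rejected or the later key wins, which would drop the `cilium-cgroup` and `cilium-run` mounts and add a host `/etc/systemd` mount instead. The deletion should also cover the leftover `volumeMounts:` entries, which continue outside the hunk, and any `host-etc-systemd` style volumes that become unused.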
@@ -38,6 +38,8 @@ spec: - --debug=$(CILIUM_DEBUG) - --identity-gc-interval=0m20s - --identity-heartbeat-timeout=0m20s + - --enable-cilium-endpoint-slice=true + - --ces-slice-mode=fcfs env: - name: K8S_NODE_NAME valueFrom: @@ -60,6 +62,44 @@ spec: containerPort: 9963 hostPort: 9963 protocol: TCP + securityContext: + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + add: + # Use to set socket permission + - CHOWN + # Used to terminate envoy child process + - KILL + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used since cilium creates raw sockets, etc... + - NET_RAW + # Used since cilium monitor uses mmap + - IPC_LOCK + # Used in iptables. Consider removing once we are iptables-free + - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + drop: + - ALL livenessProbe: httpGet: host: "127.0.0.1" @@ -112,6 +152,10 @@ spec: tolerations: - key: "CriticalAddonsOnly" operator: "Exists" + - operator: "Exists" + effect: NoExecute + - operator: "Exists" + effect: NoSchedule volumes: # To read the configuration from the config map - name: cilium-config-path From 486571857342e48deccd42c404a620400883bef6 Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Fri, 16 May 2025 21:57:47 +0000 Subject: [PATCH 2/6] fix: update clusterrole with cilium-config --- .../cilium/cilium-nightly-agent/clusterrole.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) 
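Review bot: The `securityContext` added in the `@@ -60,6 +62,44 @@` hunk looks copied from the agent Daemonset. Its comments refer to the envoy child process, `cilium monitor`, iptables and BPF, yet this file appears to be the operator Deployment (identity GC flags, port 9963). It grants `SYS_ADMIN`, `SYS_MODULE`, `NET_ADMIN`, `NET_RAW` and SELinux type `spc_t` to a controller that, as far as this page shows, only talks to the API server. Unless a test depends on these, reduce the block to `allowPrivilegeEscalation: false` plus `capabilities:` / `drop: [ALL]`, and omit the `seLinuxOptions`. The catch-all `operator: "Exists"` tolerations added in the next hunk likewise deserve a one-line comment saying why the operator must tolerate every NoSchedule and NoExecute taint.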
diff --git a/test/integration/manifests/cilium/cilium-nightly-agent/clusterrole.yaml b/test/integration/manifests/cilium/cilium-nightly-agent/clusterrole.yaml index 2bc15412c0..b718138c9e 100644 --- a/test/integration/manifests/cilium/cilium-nightly-agent/clusterrole.yaml +++ b/test/integration/manifests/cilium/cilium-nightly-agent/clusterrole.yaml @@ -110,3 +110,12 @@ rules: - ciliumbgpnodeconfigs/status verbs: - patch +- apiGroups: + - "" + resourceNames: + - cilium-config + resources: + - configmaps + verbs: + - list + - watch From 42ead0d7e160e90e954f5d0f14f491b282842af8 Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Mon, 19 May 2025 20:54:35 +0000 Subject: [PATCH 3/6] chore: update hubble dir path --- .../cilium-overlay-e2e-step-template.yaml | 5 +++-- .../cilium-overlay-withhubble/cilium-overlay-e2e.steps.yaml | 4 +++- .../cilium-overlay/cilium-overlay-e2e-step-template.yaml | 4 +++- .../cilium-overlay/cilium-overlay-e2e.steps.yaml | 4 +++- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/.pipelines/singletenancy/cilium-overlay-withhubble/cilium-overlay-e2e-step-template.yaml b/.pipelines/singletenancy/cilium-overlay-withhubble/cilium-overlay-e2e-step-template.yaml index 7a81685b85..3556ca63b8 100644 --- a/.pipelines/singletenancy/cilium-overlay-withhubble/cilium-overlay-e2e-step-template.yaml +++ b/.pipelines/singletenancy/cilium-overlay-withhubble/cilium-overlay-e2e-step-template.yaml 
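Review bot: The new agent rule pairs `resourceNames: [cilium-config]` with only `list` and `watch`. Kubernetes applies a resourceNames restriction to those verbs only when the request carries a `metadata.name` field selector, so any other list or watch on configmaps is denied. The rule has no `get`, and because it sits in a ClusterRole it matches a ConfigMap named `cilium-config` in every namespace. Please add a comment recording that, e.g. `# list/watch by name only works with fieldSelector metadata.name=cilium-config`, and confirm whether `get` is needed. A namespaced Role in `kube-system` would be the tighter form if the agent reads only its own config.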
@@ -124,9 +124,10 @@ steps: - ${{ if eq( parameters['testHubble'], true) }}: - script: | - echo "enable Hubble metrics server" + export CILIUM_VERSION_TAG=${CILIUM_HUBBLE_VERSION_TAG} + export DIR=$(echo ${CILIUM_VERSION_TAG#v} | cut -d. -f1,2) kubectl apply -f test/integration/manifests/cilium/hubble/hubble-peer-svc.yaml - kubectl apply -f test/integration/manifests/cilium/v1.14.4/cilium-config/cilium-config-hubble.yaml + kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-config/cilium-config-hubble.yaml kubectl rollout restart ds cilium -n kube-system echo "wait <3 minutes for pods to be ready after restart" kubectl rollout status ds cilium -n kube-system --timeout=3m diff --git a/.pipelines/singletenancy/cilium-overlay-withhubble/cilium-overlay-e2e.steps.yaml b/.pipelines/singletenancy/cilium-overlay-withhubble/cilium-overlay-e2e.steps.yaml index 6856847c1e..833e722f6f 100644 --- a/.pipelines/singletenancy/cilium-overlay-withhubble/cilium-overlay-e2e.steps.yaml +++ b/.pipelines/singletenancy/cilium-overlay-withhubble/cilium-overlay-e2e.steps.yaml @@ -123,8 +123,10 @@ steps: - ${{ if eq( parameters['testHubble'], true) }}: - script: | echo "enable Hubble metrics server" + export CILIUM_VERSION_TAG=${CILIUM_HUBBLE_VERSION_TAG} + export DIR=$(echo ${CILIUM_VERSION_TAG#v} | cut -d. -f1,2) kubectl apply -f test/integration/manifests/cilium/hubble/hubble-peer-svc.yaml - kubectl apply -f test/integration/manifests/cilium/v1.14.4/cilium-config/cilium-config-hubble.yaml + kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-config/cilium-config-hubble.yaml kubectl rollout restart ds cilium -n kube-system echo "wait <3 minutes for pods to be ready after restart" kubectl rollout status ds cilium -n kube-system --timeout=3m diff --git a/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml b/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml index 7444ef1d98..8e42752129 100644 
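Review bot: `DIR` is derived from `CILIUM_HUBBLE_VERSION_TAG` without checking that the variable is set, and the expansions are unquoted. An empty or malformed tag therefore yields a path such as `.../cilium/v/cilium-config/...`, and the failure only surfaces as a kubectl file-not-found error. I would guard and quote, e.g. `: "${CILIUM_HUBBLE_VERSION_TAG:?must be set}"` followed by `DIR="$(echo "${CILIUM_HUBBLE_VERSION_TAG#v}" | cut -d. -f1,2)"`, and drop the `export CILIUM_VERSION_TAG=...` override unless a later command in the step reads it. The same lines recur in the other three step files in this patch: the withhubble `e2e.steps` file and both `cilium-overlay` files. This first hunk also removes the `echo "enable Hubble metrics server"` line that the other three keep. The withhubble files previously applied from `v1.14.4/`, so a `v<major.minor>/cilium-config/` directory has to exist for each tag the pipeline can pass; that is not visible on this page.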
--- a/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml +++ b/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml @@ -158,8 +158,10 @@ steps: - ${{ if eq( parameters['testHubble'], true) }}: - script: | echo "enable Hubble metrics server" + export CILIUM_VERSION_TAG=${CILIUM_HUBBLE_VERSION_TAG} + export DIR=$(echo ${CILIUM_VERSION_TAG#v} | cut -d. -f1,2) kubectl apply -f test/integration/manifests/cilium/hubble/hubble-peer-svc.yaml - kubectl apply -f test/integration/manifests/cilium/cilium-config-hubble.yaml + kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-config/cilium-config-hubble.yaml kubectl rollout restart ds cilium -n kube-system echo "wait <3 minutes for pods to be ready after restart" kubectl rollout status ds cilium -n kube-system --timeout=3m diff --git a/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e.steps.yaml b/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e.steps.yaml index c82bafb9a8..7cf7a5678a 100644 --- a/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e.steps.yaml +++ b/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e.steps.yaml @@ -156,8 +156,10 @@ steps: - ${{ if eq( parameters['testHubble'], true) }}: - script: | echo "enable Hubble metrics server" + export CILIUM_VERSION_TAG=${CILIUM_HUBBLE_VERSION_TAG} + export DIR=$(echo ${CILIUM_VERSION_TAG#v} | cut -d. -f1,2) kubectl apply -f test/integration/manifests/cilium/hubble/hubble-peer-svc.yaml - kubectl apply -f test/integration/manifests/cilium/cilium-config-hubble.yaml + kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-config/cilium-config-hubble.yaml kubectl rollout restart ds cilium -n kube-system echo "wait <3 minutes for pods to be ready after restart" kubectl rollout status ds cilium -n kube-system --timeout=3m From fac759c7a4a2fdfa79d03d7f4c48dd0ea045e067 Mon Sep 17 00:00:00 2001 
From: Camryn Lee Date: Mon, 19 May 2025 21:45:43 +0000 Subject: [PATCH 4/6] log file directory --- .../cilium-overlay/cilium-overlay-e2e-step-template.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml b/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml index 8e42752129..4a1c539019 100644 --- a/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml +++ b/.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml @@ -160,6 +160,7 @@ steps: echo "enable Hubble metrics server" export CILIUM_VERSION_TAG=${CILIUM_HUBBLE_VERSION_TAG} export DIR=$(echo ${CILIUM_VERSION_TAG#v} | cut -d. -f1,2) + echo "installing files from ${DIR}" kubectl apply -f test/integration/manifests/cilium/hubble/hubble-peer-svc.yaml kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-config/cilium-config-hubble.yaml kubectl rollout restart ds cilium -n kube-system From a204b1dd3dabca63f3ebe87ec531d768c9e68be8 Mon Sep 17 00:00:00 2001 From: Camryn Lee <31013536+camrynl@users.noreply.github.com> Date: Tue, 20 May 2025 10:17:43 -0700 Subject: [PATCH 5/6] Update test/integration/manifests/cilium/cilium-nightly-config.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Camryn Lee <31013536+camrynl@users.noreply.github.com> --- test/integration/manifests/cilium/cilium-nightly-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/test/integration/manifests/cilium/cilium-nightly-config.yaml b/test/integration/manifests/cilium/cilium-nightly-config.yaml index 4512e00862..f875fd6680 100644 --- a/test/integration/manifests/cilium/cilium-nightly-config.yaml +++ b/test/integration/manifests/cilium/cilium-nightly-config.yaml 
@@ -88,7 +88,6 @@ data: proxy-max-requests-per-connection: "0" proxy-max-connection-duration-seconds: "0" set-cilium-node-taints: "true" - unmanaged-pod-watcher-interval: "15" ## new values added for 1.16 below enable-ipv4-big-tcp: "false" enable-ipv6-big-tcp: "false" From f37180a3d937ea5350555342b6cc12a462100543 Mon Sep 17 00:00:00 2001 From: Camryn Lee Date: Tue, 20 May 2025 17:29:33 +0000 Subject: [PATCH 6/6] fix: cluster naming in log collection --- .pipelines/cni/cilium/nightly-release-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/cni/cilium/nightly-release-test.yml b/.pipelines/cni/cilium/nightly-release-test.yml index 2c32c11f36..4ed55d0742 100644 --- a/.pipelines/cni/cilium/nightly-release-test.yml +++ b/.pipelines/cni/cilium/nightly-release-test.yml @@ -159,7 +159,7 @@ stages: scriptType: "bash" addSpnToEnvironment: true inlineScript: | - make -C ./hack/aks set-kubeconf AZCLI=az CLUSTER=$(clusterName)-$(commitID) + make -C ./hack/aks set-kubeconf AZCLI=az CLUSTER=ciliumnightly-$(commitID) set -e echo "Run Cilium Connectivity Tests" @@ -171,7 +171,7 @@ stages: - template: ../../templates/log-check-template.yaml # Operator Check parameters: - clusterName: $(clusterName)-$(commitID) + clusterName: ciliumnightly-$(commitID) podLabel: "name=cilium-operator" logGrep: "level=error"
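Review bot: In nightly-release-test.yml the changed `make -C ./hack/aks set-kubeconf ... CLUSTER=ciliumnightly-$(commitID)` line runs before `set -e`. If fetching the kubeconfig fails, the script continues, and the connectivity tests run against whatever context is already current on the agent. Moving `set -e` to the first line of the `inlineScript` closes that gap. The literal `ciliumnightly-` prefix is now repeated in the log-check template parameter in the next hunk. Keeping it in one pipeline variable would stop the two from drifting apart.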