Pipeline changes to test cilium nodesubnet clusters (#3031)

* feat: pipeline changes to test cilium nodesubnet clusters

* Update name

* refactor: remove windows changes

* refactor: Accept John's comment.

Co-authored-by: John Payne <[email protected]>
Signed-off-by: Santhosh  Prabhu  <[email protected]>

* refactor: move common tests out to separate template

* refactor: address John's comments

* refactor: move interface update to golang

* fix: add retries to update code

* refactor: move ip config update script

* tie ip config count to scale up

* fix: handle empty scale up

* fix: return errors from command run

* fix: escape single quotes in network profile json

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Santhosh  Prabhu  <[email protected]>

* fix typo

* fix: fix makefile target

* fix: fix env variables

* chore: rollback

---------

Signed-off-by: Santhosh  Prabhu  <[email protected]>
Co-authored-by: John Payne <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: 3 people

.pipelines/singletenancy/cilium-nodesubnet/cilium-nodesubnet-e2e-job-template.yaml

@@ -0,0 +1,90 @@
+parameters:
+  dependsOn: ""
+  name: "cilium_nodesubnet_e2e"
+  clusterType: "nodesubnet-byocni-nokubeproxy-up"
+  clusterName: "cilndsubnete2e"
+  vmSize: ""
+  os: "linux"
+  arch: ""
+  osSKU: Ubuntu
+  hubbleEnabled: false
+  dualstackVersion: ""
+  cni: "cilium"
+
+stages:
+  - stage: ${{ parameters.clusterName }}
+    displayName: Create Cluster - ${{ parameters.displayName }}
+    dependsOn:
+      - ${{ parameters.dependsOn }}
+      - setup
+    pool:
+      name: $(BUILD_POOL_NAME_DEFAULT)
+    variables:
+      commitID: $[ stagedependencies.setup.env.outputs['EnvironmentalVariables.commitID'] ]
+    jobs:
+      - template: ../../templates/create-cluster.yaml
+        parameters:
+          name: ${{ parameters.name }}
+          displayName: ${{ parameters.displayName }}
+          clusterType: ${{ parameters.clusterType }}
+          clusterName: ${{ parameters.clusterName }}-$(commitID)
+          vmSize: ${{ parameters.vmSize }}
+          region: $(REGION_AKS_CLUSTER_TEST)
+
+  - stage: ${{ parameters.name }}
+    displayName: E2E - ${{ parameters.displayName }}
+    variables:
+      TAG: $[ stagedependencies.setup.env.outputs['EnvironmentalVariables.Tag'] ]
+      CURRENT_VERSION: $[ stagedependencies.containerize.check_tag.outputs['CurrentTagManifests.currentTagManifests'] ]
+      commitID: $[ stagedependencies.setup.env.outputs['EnvironmentalVariables.commitID'] ]
+      GOPATH: "$(Agent.TempDirectory)/go" # Go workspace path
+      GOBIN: "$(GOPATH)/bin" # Go binaries path
+      modulePath: "$(GOPATH)/src/github.com/Azure/azure-container-networking"
+    condition: and(succeeded(), eq(variables.TAG, variables.CURRENT_VERSION))
+    dependsOn:
+    - setup
+    - publish
+    - ${{ parameters.clusterName }}
+    pool:
+      name: $(BUILD_POOL_NAME_DEFAULT)
+    jobs:
+      - job: ${{ parameters.name }}
+        displayName: Nodesubnet with Cilium - (${{ parameters.name }})
+        pool:
+          name: $(BUILD_POOL_NAME_DEFAULT)
+          demands:
+          - agent.os -equals Linux
+          - Role -equals $(CUSTOM_E2E_ROLE)
+        steps:
+          - template: cilium-nodesubnet-e2e-step-template.yaml
+            parameters:
+              name: ${{ parameters.name }}
+              clusterName: ${{ parameters.clusterName }}-$(commitID)
+              arch: ${{ parameters.arch }}
+              os: ${{ parameters.os }}
+              scaleup: ${{ parameters.scaleup }}
+
+      - template: ../../cni/k8s-e2e/k8s-e2e-job-template.yaml
+        parameters:
+          sub: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
+          clusterName: ${{ parameters.clusterName }}-$(commitID)
+          os: ${{ parameters.os }}
+          datapath: true
+          dns: true
+          portforward: true
+          service: true
+          hostport: true
+          dependsOn: ${{ parameters.name }}
+
+      - job: failedE2ELogs
+        displayName: "Failure Logs"
+        dependsOn:
+          - ${{ parameters.name }}
+          - cni_${{ parameters.os }}
+        condition: failed()
+        steps:
+          - template: ../../templates/log-template.yaml
+            parameters:
+              clusterName: ${{ parameters.clusterName }}-$(commitID)
+              os: ${{ parameters.os }}
+              cni: cilium

.pipelines/singletenancy/cilium-nodesubnet/cilium-nodesubnet-e2e-step-template.yaml

@@ -0,0 +1,85 @@
+parameters:
+  name: ""
+  clusterName: ""
+  scaleup: ""
+
+steps:
+  - bash: |
+      echo $UID
+      sudo rm -rf $(System.DefaultWorkingDirectory)/*
+    displayName: "Set up OS environment"
+
+  - checkout: self
+
+  - bash: |
+      go version
+      go env
+      mkdir -p '$(GOBIN)'
+      mkdir -p '$(GOPATH)/pkg'
+      mkdir -p '$(modulePath)'
+      echo '##vso[task.prependpath]$(GOBIN)'
+      echo '##vso[task.prependpath]$(GOROOT)/bin'
+    name: "GoEnv"
+    displayName: "Set up the Go environment"
+
+  - task: AzureCLI@2
+    displayName: 'Update IP configs'
+    inputs:
+      azureSubscription: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
+      scriptLocation: "inlineScript"
+      scriptType: "bash"
+      addSpnToEnvironment: true
+      inlineScript: |
+          set -e
+          clusterName=${{ parameters.clusterName }}
+          SCALE_UP=${{ parameters.scaleup }}
+          if [ -z "$SCALE_UP" ]; then
+            SCALE_UP=32
+          fi
+          SECONDARY_IP_COUNT=$((SCALE_UP * 2)) \
+          RESOURCE_GROUP="MC_${clusterName}_${clusterName}_$(REGION_AKS_CLUSTER_TEST)" \
+          go run $(Build.SourcesDirectory)/test/integration/cilium-nodesubnet/ipconfigupdate.go
+
+  - task: KubectlInstaller@0
+    inputs:
+      kubectlVersion: latest
+
+  - task: AzureCLI@2
+    inputs:
+      azureSubscription: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
+      scriptLocation: "inlineScript"
+      scriptType: "bash"
+      addSpnToEnvironment: true
+      inlineScript: |
+        set -e
+        make -C ./hack/aks set-kubeconf AZCLI=az CLUSTER=${{ parameters.clusterName }}
+        ls -lah      
+        pwd
+        kubectl cluster-info
+        kubectl get po -owide -A
+        echo "install Cilium ${CILIUM_VERSION_TAG}"
+        export DIR=${CILIUM_VERSION_TAG%.*}
+        echo "installing files from ${DIR}"
+        echo "deploy Cilium ConfigMap"
+        kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-config/cilium-config.yaml
+        # Passes Cilium image to daemonset and deployment
+        kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-agent/files
+        kubectl apply -f test/integration/manifests/cilium/v${DIR}/cilium-operator/files
+
+        envsubst '${CILIUM_VERSION_TAG},${CILIUM_IMAGE_REGISTRY}' < test/integration/manifests/cilium/v${DIR}/cilium-agent/templates/daemonset.yaml | kubectl apply -f -
+        envsubst '${CILIUM_VERSION_TAG},${CILIUM_IMAGE_REGISTRY}' < test/integration/manifests/cilium/v${DIR}/cilium-operator/templates/deployment.yaml | kubectl apply -f -
+        kubectl get po -owide -A
+    name: "installCilium"
+    displayName: "Install Cilium"
+
+  - template: ../../templates/cilium-cli.yaml
+
+  - script: |
+      echo "Start Nodesubnet E2E Tests"
+      kubectl get po -owide -A
+      sudo -E env "PATH=$PATH" make test-load SCALE_UP=32 OS_TYPE=linux VALIDATE_STATEFILE=true INSTALL_CNS=true INSTALL_CNS_NODESUBNET=true AZURE_IPAM_VERSION=$(make azure-ipam-version) CNS_VERSION=$(make cns-version) CLEANUP=true
+    retryCountOnTaskFailure: 3
+    name: "nodeSubnetE2ETests"
+    displayName: "Run NodeSubnet E2E"
+  
+  - template: ../../templates/cilium-tests.yaml

.pipelines/singletenancy/cilium/cilium-e2e-step-template.yaml

@@ -64,88 +64,4 @@ steps:
     name: "aziliumTest"
     displayName: "Run Azilium E2E"
 
-  - script: |
-      kubectl get po -owide -A
-      echo "Waiting < 2 minutes for cilium to be ready"
-      # Ensure Cilium is ready Xm\Xs
-      cilium status --wait --wait-duration 2m
-    retryCountOnTaskFailure: 3
-    name: "CiliumStatus"
-    displayName: "Cilium Status"
-
-  - task: AzureCLI@1
-    inputs:
-      azureSubscription: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
-      scriptLocation: "inlineScript"
-      scriptType: "bash"
-      addSpnToEnvironment: true
-      inlineScript: |
-        set -e
-        kubectl get po -owide -A
-        clusterName=${{ parameters.clusterName }}
-        echo "Restarting nodes"
-        for val in $(az vmss list -g MC_${clusterName}_${clusterName}_$(REGION_AKS_CLUSTER_TEST) --query "[].name" -o tsv); do
-          make -C ./hack/aks restart-vmss AZCLI=az CLUSTER=${clusterName} REGION=$(REGION_AKS_CLUSTER_TEST) VMSS_NAME=${val}
-        done
-    displayName: "Restart Nodes"
-
-  - task: AzureCLI@1
-    inputs:
-      azureSubscription: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
-      scriptLocation: "inlineScript"
-      scriptType: "bash"
-      addSpnToEnvironment: true
-      inlineScript: |
-        cd test/integration/load
-
-        # Scale Cluster Up/Down to confirm functioning CNS
-        ITERATIONS=2 SCALE_UP=${{ parameters.scaleup }} OS_TYPE=linux go test -count 1 -timeout 30m -tags load -run ^TestLoad$
-        kubectl get pods -owide -A
-
-        cd ../../..
-        echo "Validating Node Restart"
-        make test-validate-state OS_TYPE=linux RESTART_CASE=true
-        kubectl delete ns load-test
-    displayName: "Validate Node Restart"
-    retryCountOnTaskFailure: 3
-
-  - script: |
-      echo "Run Cilium Connectivity Tests"
-      cilium status
-      cilium connectivity test --connect-timeout 4s --request-timeout 30s --test '!pod-to-pod-encryption,!node-to-node-encryption' --force-deploy
-      ns=`kubectl get ns | grep cilium-test | awk '{print $1}'`
-      echo "##vso[task.setvariable variable=ciliumNamespace]$ns"
-    retryCountOnTaskFailure: 3
-    name: "ciliumConnectivityTests"
-    displayName: "Run Cilium Connectivity Tests"
-
-  - script: |
-      echo "validate pod IP assignment and check systemd-networkd restart"
-      kubectl get pod -owide -A
-      # Deleting echo-external-node deployment until cilium version matches TODO. https://github.com/cilium/cilium-cli/issues/67 is addressing the change.
-      # Saves 17 minutes
-      kubectl delete deploy -n $(ciliumNamespace) echo-external-node
-      make test-validate-state
-      echo "delete cilium connectivity test resources and re-validate state"
-      kubectl delete ns $(ciliumNamespace)
-      kubectl get pod -owide -A
-      make test-validate-state
-    name: "validatePods"
-    displayName: "Validate Pods"
-
-  - script: |
-      echo "Run wireserver and metadata connectivity Tests"
-      bash test/network/wireserver_metadata_test.sh
-    retryCountOnTaskFailure: 3
-    name: "WireserverMetadataConnectivityTests"
-    displayName: "Run Wireserver and Metadata Connectivity Tests"
-
-  - script: |
-      cd hack/scripts
-      chmod +x async-delete-test.sh
-      ./async-delete-test.sh
-      if ! [ -z $(kubectl -n kube-system get ds  azure-cns | grep non-existing) ]; then
-        kubectl -n kube-system patch daemonset azure-cns --type json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/non-existing"}]'
-      fi
-    name: "testAsyncDelete"
-    displayName: "Verify Async Delete when CNS is down"
+  - template: ../../templates/cilium-tests.yaml

.pipelines/templates/cilium-tests.yaml

@@ -0,0 +1,86 @@
+steps:
+  - script: |
+      kubectl get po -owide -A
+      echo "Waiting < 2 minutes for cilium to be ready"
+      # Ensure Cilium is ready Xm\Xs
+      cilium status --wait --wait-duration 2m
+    retryCountOnTaskFailure: 3
+    name: "CiliumStatus"
+    displayName: "Cilium Status"
+
+  - task: AzureCLI@2
+    inputs:
+      azureSubscription: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
+      scriptLocation: "inlineScript"
+      scriptType: "bash"
+      addSpnToEnvironment: true
+      inlineScript: |
+        set -e
+        kubectl get po -owide -A
+        clusterName=${{ parameters.clusterName }}
+        echo "Restarting nodes"
+        for val in $(az vmss list -g MC_${clusterName}_${clusterName}_$(REGION_AKS_CLUSTER_TEST) --query "[].name" -o tsv); do
+          make -C ./hack/aks restart-vmss AZCLI=az CLUSTER=${clusterName} REGION=$(REGION_AKS_CLUSTER_TEST) VMSS_NAME=${val}
+        done
+    displayName: "Restart Nodes"
+
+  - task: AzureCLI@2
+    inputs:
+      azureSubscription: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
+      scriptLocation: "inlineScript"
+      scriptType: "bash"
+      addSpnToEnvironment: true
+      inlineScript: |
+        cd test/integration/load
+
+        # Scale Cluster Up/Down to confirm functioning CNS
+        ITERATIONS=2 SCALE_UP=${{ parameters.scaleup }} OS_TYPE=linux go test -count 1 -timeout 30m -tags load -run ^TestLoad$
+        kubectl get pods -owide -A
+
+        cd ../../..
+        echo "Validating Node Restart"
+        make test-validate-state OS_TYPE=linux RESTART_CASE=true
+        kubectl delete ns load-test
+    displayName: "Validate Node Restart"
+    retryCountOnTaskFailure: 3
+
+  - script: |
+      echo "Run Cilium Connectivity Tests"
+      cilium status
+      cilium connectivity test --connect-timeout 4s --request-timeout 30s --test '!pod-to-pod-encryption,!node-to-node-encryption' --force-deploy
+      ns=`kubectl get ns | grep cilium-test | awk '{print $1}'`
+      echo "##vso[task.setvariable variable=ciliumNamespace]$ns"
+    retryCountOnTaskFailure: 3
+    name: "ciliumConnectivityTests"
+    displayName: "Run Cilium Connectivity Tests"
+
+  - script: |
+      echo "validate pod IP assignment and check systemd-networkd restart"
+      kubectl get pod -owide -A
+      # Deleting echo-external-node deployment until cilium version matches TODO. https://github.com/cilium/cilium-cli/issues/67 is addressing the change.
+      # Saves 17 minutes
+      kubectl delete deploy -n $(ciliumNamespace) echo-external-node
+      make test-validate-state
+      echo "delete cilium connectivity test resources and re-validate state"
+      kubectl delete ns $(ciliumNamespace)
+      kubectl get pod -owide -A
+      make test-validate-state
+    name: "validatePods"
+    displayName: "Validate Pods"
+
+  - script: |
+      echo "Run wireserver and metadata connectivity Tests"
+      bash test/network/wireserver_metadata_test.sh
+    retryCountOnTaskFailure: 3
+    name: "WireserverMetadataConnectivityTests"
+    displayName: "Run Wireserver and Metadata Connectivity Tests"
+
+  - script: |
+      cd hack/scripts
+      chmod +x async-delete-test.sh
+      ./async-delete-test.sh
+      if ! [ -z $(kubectl -n kube-system get ds  azure-cns | grep non-existing) ]; then
+        kubectl -n kube-system patch daemonset azure-cns --type json -p='[{"op": "remove", "path": "/spec/template/spec/nodeSelector/non-existing"}]'
+      fi
+    name: "testAsyncDelete"
+    displayName: "Verify Async Delete when CNS is down"

hack/aks/Makefile

@@ -95,6 +95,24 @@ byocni-up: swift-byocni-up ## Alias to swift-byocni-up
 cilium-up: swift-cilium-up ## Alias to swift-cilium-up
 up: swift-up ## Alias to swift-up
 
+
+nodesubnet-byocni-nokubeproxy-up: rg-up overlay-net-up ## Brings up an NodeSubnet BYO CNI cluster without kube-proxy
+	$(AZCLI) aks create -n $(CLUSTER) -g $(GROUP) -l $(REGION) \
+		--auto-upgrade-channel $(AUTOUPGRADE) \
+		--node-os-upgrade-channel $(NODEUPGRADE) \
+		--kubernetes-version $(K8S_VER) \
+		--node-count $(NODE_COUNT) \
+		--node-vm-size $(VM_SIZE) \
+		--load-balancer-sku basic \
+		--max-pods 250 \
+		--network-plugin none \
+		--vnet-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/nodenet \
+		--os-sku $(OS_SKU) \
+		--no-ssh-key \
+		--kube-proxy-config ./kube-proxy.json \
+		--yes
+	@$(MAKE) set-kubeconf
+
 overlay-byocni-up: rg-up overlay-net-up ## Brings up an Overlay BYO CNI cluster
 	$(AZCLI) aks create -n $(CLUSTER) -g $(GROUP) -l $(REGION) \
 		--auto-upgrade-channel $(AUTOUPGRADE) \