Add Cilium on AKS Overlay e2e scenario (#1609)

* add hack overlay make target and e2e templates

* update pipeline.yaml with new overlay stage

* use dropgz/overlay-byocni in acn pr and submodule pipeline

* name overlay clusters for submodule pipeline

* modify dropgz setup

* test ipam + overlay

* use azilium conflist

* add overlay configmap

* add deployment of ip-masq-agent to cluster

* set flag in ip-masq-agent deployment

* update deployment

* configmap creation

Author: camrynl

.pipelines/pipeline.yaml

@@ -282,6 +282,14 @@ stages:
       testDropgz: ""
       clusterName: "ciliume2e"
 
+  - template: singletenancy/overlay/overlay-e2e-job-template.yaml
+    parameters:
+      name: "overlay_e2e"
+      displayName: Cilium on AKS Overlay
+      pipelineBuildImage: "$(BUILD_IMAGE)"
+      testDropgz: ""
+      clusterName: "overlaye2e"
+
   - template: singletenancy/aks-swift/e2e-job-template.yaml
     parameters:
       name: "aks_swift_e2e"

.pipelines/singletenancy/overlay/overlay-e2e-job-template.yaml

@@ -0,0 +1,32 @@
+parameters:
+  name: ""
+  displayName: ""
+  pipelineBuildImage: "$(BUILD_IMAGE)"
+  testDropgz: ""
+  clusterName: ""
+
+stages:
+  - stage: ${{ parameters.name }}
+    displayName: E2E - ${{ parameters.displayName }}
+    dependsOn: 
+    - setup
+    - publish
+    jobs:
+      - job: ${{ parameters.name }}
+        displayName: Overlay Test Suite - (${{ parameters.name }})
+        timeoutInMinutes: 120
+        pool:
+          name: $(BUILD_POOL_NAME_DEFAULT)
+          demands: 
+          - agent.os -equals Linux
+          - Role -equals $(CUSTOM_E2E_ROLE)
+        variables:
+          GOPATH: "$(Agent.TempDirectory)/go" # Go workspace path
+          GOBIN: "$(GOPATH)/bin" # Go binaries path
+          modulePath: "$(GOPATH)/src/github.com/Azure/azure-container-networking"
+        steps:
+          - template: overlay-e2e-step-template.yaml
+            parameters:
+              name: ${{ parameters.name }}
+              testDropgz: ${{ parameters.testDropgz }}
+              clusterName: ${{ parameters.clusterName }}

.pipelines/singletenancy/overlay/overlay-e2e-step-template.yaml

@@ -0,0 +1,155 @@
+parameters:
+  name: ""
+  testDropgz: ""
+  clusterName: ""
+
+steps:
+  - bash: |
+      echo $UID
+      sudo rm -rf $(System.DefaultWorkingDirectory)/*
+    displayName: "Set up OS environment"
+
+  - checkout: self
+
+  - bash: |
+      go version
+      go env
+      mkdir -p '$(GOBIN)'
+      mkdir -p '$(GOPATH)/pkg'
+      mkdir -p '$(modulePath)'
+      echo '##vso[task.prependpath]$(GOBIN)'
+      echo '##vso[task.prependpath]$(GOROOT)/bin'
+    name: "GoEnv"
+    displayName: "Set up the Go environment"
+
+  - task: AzureCLI@1
+    inputs:
+      azureSubscription: $(AZURE_TEST_AGENT_SERVICE_CONNECTION)
+      scriptLocation: "inlineScript"
+      scriptType: "bash"
+      addSpnToEnvironment: true
+      inlineScript: |
+        mkdir -p ~/.kube/
+        echo "Create AKS Overlay cluster"
+        make -C ./hack/swift azcfg AZCLI=az REGION=$(REGION_OVERLAY_CLUSTER_TEST)
+        make -C ./hack/swift overlay-byocni-up AZCLI=az REGION=$(REGION_OVERLAY_CLUSTER_TEST) SUB=$(SUB_AZURE_NETWORK_AGENT_TEST) CLUSTER=${{ parameters.clusterName }}-$(make revision)
+        echo "Cluster successfully created"
+    displayName: Create Overlay cluster
+    condition: succeeded()
+
+  - script: |
+      ls -lah
+      pwd
+      echo "installing kubectl"
+      curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+      sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+      kubectl cluster-info
+      kubectl get po -owide -A
+      curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+      chmod 700 get_helm.sh
+      ./get_helm.sh
+      echo "deploy Cilium ConfigMap"
+      kubectl apply -f cilium/configmap.yaml
+      echo "install Cilium onto Overlay Cluster"
+      helm repo add cilium https://helm.cilium.io/
+      helm install cilium cilium/cilium --version 1.12.1.1 --namespace kube-system -f cilium/cilium_helm_values.yaml
+    name: "installCilium"
+    displayName: "Install Cilium on AKS Overlay"
+
+  - script: | 
+      echo "install cilium CLI"
+      CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
+      CLI_ARCH=amd64
+      if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
+      curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
+      sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
+      sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
+      rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
+      cilium status
+    name: "installCiliumCLI"
+    displayName: "Install Cilium CLI"
+
+  - script: |
+      echo "install kubetest2 and gsutils"
+      go get github.com/onsi/ginkgo/ginkgo
+      go get github.com/onsi/gomega/...
+      go install github.com/onsi/ginkgo/ginkgo@latest
+      go install sigs.k8s.io/kubetest2@latest
+      go install sigs.k8s.io/kubetest2/kubetest2-noop@latest
+      go install sigs.k8s.io/kubetest2/kubetest2-tester-ginkgo@latest
+      wget https://storage.googleapis.com/pub/gsutil.tar.gz
+      tar xfz gsutil.tar.gz
+      sudo mv gsutil /usr/local/bin
+    name: "installKubetest"
+    displayName: "Set up Conformance Tests"
+
+  - script: |
+      echo "Start Azilium E2E Tests on Overlay Cluster"
+      echo "deploy ip-masq-agent for overlay"
+      kubectl create -f test/integration/manifests/ip-masq-agent/ip-masq-agent.yaml --validate=false
+      cd test/integration/manifests/ip-masq-agent/
+      kubectl create configmap config-custom.yaml
+      kubectl create configmap config-reconcile.yaml
+      cd ../../../..
+      kubectl get po -owide -A
+      sudo -E env "PATH=$PATH" make test-integration CNS_VERSION=$(make cns-version) CNI_DROPGZ_VERSION=$(make cni-dropgz-version) INSTALL_CNS=true INSTALL_OVERLAY=true TEST_DROPGZ=${{ parameters.testDropgz }}
+    retryCountOnTaskFailure: 3
+    name: "aziliumTest"
+    displayName: "Run Azilium E2E on AKS Overlay"
+
+  - script: |
+      echo "Logs will be available as a build artifact"
+      ARTIFACT_DIR=$(Build.ArtifactStagingDirectory)/test-output/
+      echo $ARTIFACT_DIR
+      sudo rm -rf $ARTIFACT_DIR
+      sudo mkdir $ARTIFACT_DIR
+      sudo cp test/integration/logs/* $ARTIFACT_DIR
+    name: "GetLogs"
+    displayName: "Get logs"
+    condition: always()
+
+  - task: PublishBuildArtifacts@1
+    inputs:
+      artifactName: test-output
+      pathtoPublish: "$(Build.ArtifactStagingDirectory)/test-output"
+    condition: always()
+
+  - script: |
+      echo "Run Service Conformance E2E"
+      export PATH=${PATH}:/usr/local/bin/gsutil
+      KUBECONFIG=~/.kube/config kubetest2 noop \
+        --test ginkgo -- \
+        --focus-regex "Services.*\[Conformance\].*"
+    name: "servicesConformance"
+    displayName: "Run Services Conformance Tests"
+
+  - script: |
+      echo "Run Cilium Connectivity Tests"
+      cilium status
+      cilium connectivity test
+    name: "ciliumConnectivityTests"
+    displayName: "Run Cilium Connectivity Tests"
+  
+  - script: |
+      ARTIFACT_DIR=$(Build.ArtifactStagingDirectory)/test-output/
+      echo $ARTIFACT_DIR
+      sudo rm -rf $ARTIFACT_DIR
+      sudo rm -rf test/integration/logs
+    name: "Cleanupartifactdir"
+    displayName: "Cleanup artifact dir"
+    condition: always()
+
+  - task: AzureCLI@2
+    inputs:
+      azureSubscription: "Azure Container Networking - Test"
+      scriptLocation: "inlineScript"
+      scriptType: "bash"
+      addSpnToEnvironment: true
+      inlineScript: |
+        echo "Deleting cluster"
+        make -C ./hack/swift azcfg AZCLI=az
+        make -C ./hack/swift down SUB=$(SUB_AZURE_NETWORK_AGENT_TEST) AZCLI=az CLUSTER=${{ parameters.clusterName }}-$(make revision)
+        echo "Cluster and resources down"
+    name: "Cleanupcluster"
+    displayName: "Cleanup cluster"
+    condition: always()

.pipelines/submodules-pipeline.yaml

@@ -245,6 +245,14 @@ stages:
       pipelineBuildImage: "$(BUILD_IMAGE)"
       testDropgz: true
       clusterName: "submodules-ciliume2e"
+    
+  - template: singletenancy/overlay/overlay-e2e-job-template.yaml
+    parameters:
+      name: "overlay_e2e"
+      displayName: Cilium on AKS Overlay
+      pipelineBuildImage: "$(BUILD_IMAGE)"
+      testDropgz: true
+      clusterName: "submodules-overlaye2e"
 
   - template: singletenancy/aks-swift/e2e-job-template.yaml
     parameters:

dropgz/build/cniTest.Dockerfile

@@ -17,6 +17,7 @@ COPY dropgz .
 COPY --from=azure-ipam /azure-ipam/*.conflist pkg/embed/fs
 COPY --from=azure-ipam /azure-ipam/bin/* pkg/embed/fs
 COPY --from=azure-vnet /azure-container-networking/cni/azure-$OS-swift.conflist pkg/embed/fs/azure-swift.conflist
+COPY --from=azure-vnet /azure-container-networking/cni/azure-$OS-swift-overlay.conflist pkg/embed/fs/azure-swift-overlay.conflist
 COPY --from=azure-vnet /azure-container-networking/bin/* pkg/embed/fs
 RUN cd pkg/embed/fs/ && sha256sum * > sum.txt
 RUN gzip --verbose --best --recursive pkg/embed/fs && for f in pkg/embed/fs/*.gz; do mv -- "$f" "${f%%.gz}"; done

hack/swift/Makefile

@@ -79,6 +79,19 @@ byocni-up: swift-byocni-up ## Alias to swift-byocni-up
 cilium-up: swift-cilium-up ## Alias to swift-cilium-up
 up: swift-up ## Alias to swift-up
 
+overlay-byocni-up: rg-up overlay-net-up ## Brings up an Overlay BYO CNI cluster
+	$(AZCLI) aks create -n $(CLUSTER) -g $(GROUP) -l $(REGION) \
+		--node-count 2 \
+		--node-vm-size Standard_B2s \
+		--load-balancer-sku basic \
+		--network-plugin none \
+		--network-plugin-mode overlay \
+		--pod-cidr 192.168.0.0/16 \
+		--vnet-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/nodenet \
+		--no-ssh-key \
+		--yes
+	@$(MAKE) set-kubeconf
+
 overlay-up: rg-up overlay-net-up ## Brings up an Overlay AzCNI cluster
 	$(AZCLI) aks create -n $(CLUSTER) -g $(GROUP) -l $(REGION) \
 		--node-count 2 \

test/integration/manifests/cns/overlayconfigmap.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cns-config
+  namespace: kube-system
+data:
+  cns_config.json: |
+    {
+      "TelemetrySettings": {
+          "TelemetryBatchSizeBytes": 16384,
+          "TelemetryBatchIntervalInSecs": 15,
+          "RefreshIntervalInSecs": 15,
+          "DisableAll": false,
+          "HeartBeatIntervalInMins": 30,
+          "DebugMode": false,
+          "SnapshotIntervalInMins": 60
+      },
+      "ManagedSettings": {
+          "PrivateEndpoint": "",
+          "InfrastructureNetworkID": "",
+          "NodeID": "",
+          "NodeSyncIntervalInSeconds": 30
+      },
+      "ChannelMode": "CRD",
+      "InitializeFromCNI": false,
+      "ManageEndpointState": true,
+      "ProgramSNATIPTables" : false
+    }

test/integration/manifests/ip-masq-agent/config-custom.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ip-masq-agent-config
+  namespace: kube-system
+  labels:
+    component: ip-masq-agent
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: EnsureExists
+data:
+  ip-masq-agent: |-
+    nonMasqueradeCIDRs:
+      - 192.168.0.0/16
+    masqLinkLocal: false
+    masqLinkLocalIPv6: true

test/integration/manifests/ip-masq-agent/config-reconcile.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ip-masq-agent-config-reconciled
+  namespace: kube-system
+  labels:
+    component: ip-masq-agent
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+data:
+  ip-masq-agent-reconciled: |-
+    nonMasqueradeCIDRs:
+      - 192.168.0.0/16
+    masqLinkLocal: true

test/integration/manifests/ip-masq-agent/ip-masq-agent.yaml

@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: ip-masq-agent
+  namespace: kube-system
+  labels:
+    component: ip-masq-agent
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+spec:
+  selector:
+    matchLabels:
+      k8s-app: ip-masq-agent
+  template:
+    metadata:
+      labels:
+        k8s-app: ip-masq-agent
+    spec:
+      hostNetwork: true
+      containers:
+      - name: ip-masq-agent
+        image: mcr.microsoft.com/aks/ip-masq-agent-v2:v0.1.1
+        imagePullPolicy: Always
+        securityContext:
+          privileged: false
+          capabilities:
+            add: ["NET_ADMIN", "NET_RAW"]
+        # Uses projected volumes to merge all data in /etc/config
+        volumeMounts:
+          - name: ip-masq-agent-volume
+            mountPath: /etc/config
+            readOnly: true
+      volumes:
+      - name: ip-masq-agent-volume
+        projected:
+          sources:
+            # Note these ConfigMaps must be created in the same namespace as the daemonset
+            - configMap:
+              name: ip-masq-agent-config
+              optional: true
+              items:
+                - key: ip-masq-agent
+                  path: ip-masq-agent
+                  mode: 444
+            - configMap:
+              name: ip-masq-agent-config-reconciled
+              optional: true
+              items:
+                # Avoiding duplicate paths
+                - key: ip-masq-agent-reconciled
+                  path: ip-masq-agent-reconciled
+                  mode: 444