ci: cilium load test uses cns write conflist (#1928)

* change cilium install method

* update deploy cil stage

* cns writes cilium conflist

* adding cns ds

* delete deployment container, too many pods

* reuse cns ds from pr pipeline

* update cns + dropgz versions in ds for load test pipeline

* revert back to separate cns ds

* revert change for cns/daemonset.yaml

---------

Co-authored-by: Paul Yu <[email protected]>

Author: camrynl

.pipelines/cni/cilium/cilium-cni-load-test.yaml

@@ -16,11 +16,48 @@ stages:
               inlineScript: |
                 set -ex
                 make -C ./hack/swift azcfg AZCLI=az REGION=$(LOCATION)
-                make -C ./hack/swift overlay-cilium-up AZCLI=az REGION=$(LOCATION) SUB=$(SUBSCRIPTION_ID) CLUSTER=${RESOURCE_GROUP} NODE_COUNT=10 VM_SIZE=Standard_DS4_v2
+                make -C ./hack/swift overlay-byocni-up AZCLI=az REGION=$(LOCATION) SUB=$(SUBSCRIPTION_ID) CLUSTER=${RESOURCE_GROUP} NODE_COUNT=10 VM_SIZE=Standard_DS4_v2
             name: "CreateAksCluster"
             displayName: "Create AKS Cluster"
-  - stage: pod_deployment
+  - stage: install_cilium
     dependsOn: creating_aks_cluster
+    displayName: "Install Cilium on AKS Overlay"
+    jobs:
+      - job: deploy_cilium_components
+        steps:
+          - task: AzureCLI@1
+            displayName: "Install Cilium, CNS, and ip-masq-agent"
+            inputs:
+              azureSubscription: $(TEST_SUB_SERVICE_CONNECTION)
+              scriptLocation: "inlineScript"
+              scriptType: "bash"
+              addSpnToEnvironment: true
+              inlineScript: |
+                set -ex
+                az extension add --name aks-preview
+                make -C ./hack/swift set-kubeconf AZCLI=az CLUSTER=${RESOURCE_GROUP}
+                ls -lah
+                pwd
+                kubectl cluster-info
+                kubectl get po -owide -A
+                echo "Deploy Azure-CNS"
+                kubectl apply -f test/integration/manifests/cilium/cns-write-ovly.yaml
+                echo "deploy Cilium ConfigMap"
+                kubectl apply -f cilium/configmap.yaml
+                kubectl apply -f test/integration/manifests/cilium/cilium-config.yaml
+                echo "install Cilium onto Overlay Cluster"
+                kubectl apply -f test/integration/manifests/cilium/cilium-agent
+                kubectl apply -f test/integration/manifests/cilium/cilium-operator
+                kubectl get po -owide -A
+                echo "deploy ip-masq-agent for overlay"
+                kubectl create -f test/integration/manifests/ip-masq-agent/ip-masq-agent.yaml --validate=false
+                cd test/integration/manifests/ip-masq-agent/
+                kubectl create configmap config-custom.yaml
+                kubectl create configmap config-reconcile.yaml
+                cd ../../../..
+                kubectl get po -owide -A
+  - stage: pod_deployment
+    dependsOn: install_cilium
     displayName: "Pod Deployment"
     jobs:
       - job: deploy_pods
@@ -115,6 +152,7 @@ stages:
             name: "GetCluster"
             displayName: "Get AKS Cluster"
           - script: |
+              k delete deployment container -n default
               cilium connectivity test
             retryCountOnTaskFailure: 6
             name: "CiliumConnectivityTests"

test/integration/manifests/cilium/cns-write-ovly.yaml

@@ -0,0 +1,228 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: azure-cns
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: kube-system
+  name: nodeNetConfigEditor
+rules:
+- apiGroups: ["acn.azure.com"]
+  resources: ["nodenetworkconfigs"]
+  verbs: ["get", "list", "watch", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pod-reader-all-namespaces
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: nodeNetConfigEditorRoleBinding
+  namespace: kube-system
+subjects:
+- kind: ServiceAccount
+  name: azure-cns
+  namespace: kube-system
+roleRef:
+  kind: Role
+  name: nodeNetConfigEditor
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pod-reader-all-namespaces-binding
+subjects:
+- kind: ServiceAccount
+  name: azure-cns
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: pod-reader-all-namespaces
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: azure-cns
+  namespace: kube-system
+  labels:
+    app: azure-cns
+spec:
+  selector:
+    matchLabels:
+      k8s-app: azure-cns
+  template:
+    metadata:
+      labels:
+        k8s-app: azure-cns
+      annotations:
+        cluster-autoscaler.kubernetes.io/daemonset-pod: "true"
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: kubernetes.azure.com/cluster
+                operator: Exists
+              - key: type
+                operator: NotIn
+                values:
+                - virtual-kubelet
+              - key: beta.kubernetes.io/os
+                operator: In
+                values:
+                - linux
+      priorityClassName: system-node-critical
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - operator: "Exists"
+          effect: NoExecute
+        - operator: "Exists"
+          effect: NoSchedule
+      containers:
+        - name: cns-container
+          image: acnpublic.azurecr.io/azure-cns:write-cilium-conf2
+          imagePullPolicy: IfNotPresent
+          args: [ "-c", "tcp://$(CNSIpAddress):$(CNSPort)", "-t", "$(CNSLogTarget)"]
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+          volumeMounts:
+            - name: log
+              mountPath: /var/log
+            - name: cns-state
+              mountPath: /var/lib/azure-network
+            - name: cns-config
+              mountPath: /etc/azure-cns
+            - name: cni-bin
+              mountPath: /opt/cni/bin
+            - name: azure-vnet
+              mountPath: /var/run/azure-vnet
+            - name: legacy-cni-state
+              mountPath: /var/run/azure-vnet.json
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+            - name: cni-ipam-state
+              mountPath: /var/run/azure-cns
+            - name: cni-conflist
+              mountPath: /etc/cni/net.d
+          ports:
+            - containerPort: 10090
+          env:
+            - name: CNSIpAddress
+              value: "127.0.0.1"
+            - name: CNSPort
+              value: "10090"
+            - name: CNSLogTarget
+              value: "stdoutfile"
+            - name: CNS_CONFIGURATION_PATH
+              value: /etc/azure-cns/cns_config.json
+            - name: NODENAME
+              valueFrom:
+                  fieldRef:
+                    apiVersion: v1
+                    fieldPath: spec.nodeName 
+      initContainers:
+        - name: init-cni-dropgz
+          image: acnpublic.azurecr.io/cni-dropgz:v0.0.4
+          imagePullPolicy: Always
+          command: ["/dropgz"]
+          args:
+            - deploy
+            - azure-ipam
+            - -o
+            - /opt/cni/bin/azure-ipam
+            # - azilium.conflist
+            # - -o 
+            # - /etc/cni/net.d/05-cilium.conflist
+          volumeMounts:
+            - name: cni-bin
+              mountPath: /opt/cni/bin
+            # - name: cni-conflist
+            #   mountPath: /etc/cni/net.d
+      hostNetwork: true
+      volumes:
+        - name: cni-conflist
+          hostPath:
+            path: /etc/cni/net.d
+            type: Directory
+        - name: log
+          hostPath:
+            path: /var/log
+            type: Directory
+        - name: cns-state
+          hostPath:
+            path: /var/lib/azure-network
+            type: DirectoryOrCreate
+        - name: cni-bin
+          hostPath:
+            path: /opt/cni/bin
+            type: Directory
+        - name: azure-vnet
+          hostPath:
+            path: /var/run/azure-vnet
+            type: DirectoryOrCreate
+        - name: legacy-cni-state
+          hostPath:
+            path: /var/run/azure-vnet.json
+            type: FileOrCreate
+        - name: cns-config
+          configMap:
+            name: cns-config
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: File
+        - name: cni-ipam-state
+          hostPath:
+            path: /var/run/azure-cns
+            type: DirectoryOrCreate
+      serviceAccountName: azure-cns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cns-config
+  namespace: kube-system
+data:
+  cns_config.json: |
+    {
+      "TelemetrySettings": {
+          "TelemetryBatchSizeBytes": 16384,
+          "TelemetryBatchIntervalInSecs": 15,
+          "RefreshIntervalInSecs": 15,
+          "DisableAll": false,
+          "HeartBeatIntervalInMins": 30,
+          "DebugMode": false,
+          "SnapshotIntervalInMins": 60
+      },
+      "ManagedSettings": {
+          "PrivateEndpoint": "",
+          "InfrastructureNetworkID": "",
+          "NodeID": "",
+          "NodeSyncIntervalInSeconds": 30
+      },
+      "ChannelMode": "CRD",
+      "InitializeFromCNI": false,
+      "ManageEndpointState": true,
+      "ProgramSNATIPTables": false,
+      "EnableCNIConflistGeneration": true,
+      "CNIConflistFilepath": "/etc/cni/net.d/05-cilium.conflist",
+      "CNIConflistScenario": "cilium"
+    }

test/integration/manifests/cns/ciliumconfigmap.yaml renamed to test/integration/manifests/cnsconfig/ciliumconfigmap.yaml

@@ -26,12 +26,13 @@ const (
 
 	// relative cns manifest paths
 	cnsManifestFolder         = "manifests/cns"
+	cnsConfigFolder           = "manifests/cnsconfig"
 	cnsDaemonSetPath          = cnsManifestFolder + "/daemonset.yaml"
 	cnsClusterRolePath        = cnsManifestFolder + "/clusterrole.yaml"
 	cnsClusterRoleBindingPath = cnsManifestFolder + "/clusterrolebinding.yaml"
-	cnsSwiftConfigMapPath     = cnsManifestFolder + "/swiftconfigmap.yaml"
-	cnsCiliumConfigMapPath    = cnsManifestFolder + "/ciliumconfigmap.yaml"
-	cnsOverlayConfigMapPath   = cnsManifestFolder + "/overlayconfigmap.yaml"
+	cnsSwiftConfigMapPath     = cnsConfigFolder + "/swiftconfigmap.yaml"
+	cnsCiliumConfigMapPath    = cnsConfigFolder + "/ciliumconfigmap.yaml"
+	cnsOverlayConfigMapPath   = cnsConfigFolder + "/overlayconfigmap.yaml"
 	cnsRolePath               = cnsManifestFolder + "/role.yaml"
 	cnsRoleBindingPath        = cnsManifestFolder + "/rolebinding.yaml"
 	cnsServiceAccountPath     = cnsManifestFolder + "/serviceaccount.yaml"