Add Hydrophone conformance testing for CNCF certification

[Copilot]

Adds Kubernetes conformance testing capability using Hydrophone to generate CNCF-compliant certification artifacts. Current Sonobuoy tests provide smoke testing but not official conformance certification.

Hydrophone was validated with a kind cluster to confirm output structure before implementation.

Changes

Workflow (.github/workflows/conformance.yml)

• Manual dispatch tests all Kubernetes versions in matrix with both network drivers
• Weekly schedule (Mondays 2 AM UTC)
• Runs conformance tests directly on OpenStack clusters
• Uploads artifacts: e2e.log, junit_01.xml
• Fixed permissions for GitHub API access and artifact upload

Composite Action (.github/actions/setup-devstack/action.yml)

• Reusable action abstracting common DevStack setup
• Used by both ci.yml and conformance.yml workflows
• Eliminates code duplication and ensures consistency

Scripts

• hack/run-conformance-tests.sh - Runs full conformance suite on Magnum clusters
  • Includes network driver in cluster/template names to prevent collisions
  • Improved error handling with set -euo pipefail and proper quoting
  • Template existence check and artifact verification
• hack/bump/kubernetes.sh - Updated to maintain version synchronization between ci.yml and conformance.yml workflows

CI Workflow (.github/workflows/ci.yml)

• Updated to use shared composite action for DevStack setup

Documentation

• Added conformance testing section to docs/developer/testing-and-development.md
• Clarifies which artifacts Hydrophone generates vs. which must be created manually
• Documents that workflow_dispatch runs all Kubernetes versions with both drivers

Artifacts Structure

Hydrophone generates:

conformance-results/
├── e2e.log              # Generated: full test execution logs
└── junit_01.xml         # Generated: JUnit test results

For CNCF submission, users must manually add PRODUCT.yaml and README.md following CNCF instructions.

Packaged as conformance-results.tar.gz for download.

Version Management

The Kubernetes versions tested are automatically kept in sync between CI and conformance workflows via the hack/bump/kubernetes.sh script, which updates both workflows when new Kubernetes versions are released.

Code Organization

Created reusable composite action to eliminate duplication between workflows. The shared DevStack setup logic is now maintained in a single location (.github/actions/setup-devstack/action.yml), improving maintainability and ensuring consistency across CI and conformance testing workflows.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Add ability to run conformance tests</issue_title>
<issue_description>At the moment, I believe we are running Sonobuoy which is somewhat reliable to generate a pretty good smoke test if the cluster will be functional, however, we need to be able to run conformance to be able to submit it to the CNCF.

https://github.com/cncf/k8s-conformance/blob/master/instructions.md
https://github.com/kubernetes-sigs/hydrophone/blob/main/README.md

I would prefer we do this via Hydrophone but also make sure we don't do it all the time, so perhaps it could be a workflow dispatch thing with periodic workflow. In order to avoid wasting time, we should also test it first with kind to know which paths that hydrophone generates so when we generate the CI job, we don't wait hours before knowing it isn't giving us the right artifact.

We'll ideally need to use GitHub artifacts to have it published at the end so we can pull it down and publish it for the CNCF. </issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Add ability to run conformance tests #879

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[mnaser]

@copilot can you make a test run using hydrophone inside your coding agent with kind and see the generated paths, and if that works well, get rid of the kind workflow and keep the one you created.

[Copilot]

@copilot can you make a test run using hydrophone inside your coding agent with kind and see the generated paths, and if that works well, get rid of the kind workflow and keep the one you created.

Done! I built Hydrophone from source and tested it with a kind cluster to validate the output paths. Confirmed that Hydrophone generates:

• e2e.log - Full test execution logs
• junit_01.xml - JUnit test results

Based on this validation, I've removed the kind testing job from the workflow and simplified it. The workflow now directly runs conformance tests on OpenStack clusters.

Changes in commit 2fb9fd6:

• Removed test-with-kind input parameter
• Removed entire test-kind job
• Removed hack/test-hydrophone-kind.sh script
• Updated documentation to reflect validated output structure
• Added clarifying comment about PRODUCT.yaml requirement (commit 04faeac)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• 10.244.0.3
  • Triggering command: /usr/bin/kubelet /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///run/containerd/containerd.sock --node-ip=172.18.0.2 --node-labels= --pod-infra-container-image=registry.k8s.io/pause:3.9 --provider-id=kind://docker/hydrophone-test/hydrophone-test-control-plane --runtime-cgroups=/system.slice/containerd.service (packet block)
• 10.244.0.4
  • Triggering command: /usr/bin/kubelet /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime-endpoint=unix:///run/containerd/containerd.sock --node-ip=172.18.0.2 --node-labels= --pod-infra-container-image=registry.k8s.io/pause:3.9 --provider-id=kind://docker/hydrophone-test/hydrophone-test-control-plane --runtime-cgroups=/system.slice/containerd.service (packet block)
• 4094547334458483671.276626821744528798
  • Triggering command: /coredns /coredns -conf /etc/coredns/Corefile l/linux_amd64/compile go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3788351354/b492/importcfg -pack /home/REDACTED/go/pkg/mod/k8s.io/client-go@v0.35.0/applyconfigurations/certificates/v1beta1/certificatesigningrequest.go /home/REDACTED/go/pkg/mod/k8s.io/client-go@v0.35.0/applyconfigurations/certificates/v1beta1/certificatesigningrequestcondition.go rg/t�� 0.1-go1.25.0.lin-p ux-amd64/src/vengithub.com/mattn/go-isatty ux-amd64/pkg/tool/linux_amd64/compile -N KUBE-PROXY-CANAR-o -t ux-amd64/pkg/too-trimpath (dns block)
• 4754188614808763070.8486735835209640232
  • Triggering command: /coredns /coredns -conf /etc/coredns/Corefile --ctstate NEW -m comment --comment kubernetes load balancer firewall -j KUBE-PROXY-FIREWALL k/_temp/ghcca-no-address 1011�� 0c9c25e7078e7d8e-publish-binary (dns block)
• 724736270953626311.4477360614523011518
  • Triggering command: /coredns /coredns -conf /etc/coredns/Corefile (dns block)
• 8482565845782963938.5527004910568947355
  • Triggering command: /coredns /coredns -conf /etc/coredns/Corefile l/linux_amd64/compile go1.25.0 -c=4 -nolocalimports -importcfg /tmp/go-build3788351354/b700/importcfg -pack /home/REDACTED/go/pkg/mod/k8s.io/client-go@v0.35.0/listers/scheduling/v1beta1/expansion_generated.go /home/REDACTED/go/pkg/mod/k8s.io/client-go@v0.35.0/listers/scheduling/v1beta1/priorityclass.go -w 1beta1/endpoint.go 1beta1/endpointconditions.go ux-amd64/pkg/tool/linux_amd64/compile (dns block)
• cdn.dl.k8s.io
  • Triggering command: /usr/bin/curl curl -LO REDACTED (dns block)
• kind.sigs.k8s.io
  • Triggering command: /usr/bin/curl curl -Lo ./kind REDACTED (dns block)
• registry.k8s.io
  • Triggering command: /usr/local/bin/containerd /usr/local/bin/containerd DOCKER_POSTROUTING (dns block)
• sigs.k8s.io
  • Triggering command: /usr/bin/go go install sigs.k8s.io/hydrophone@v0.8.0 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[mnaser]

@copilot make the workflow dispatch run it for all the versions in the matrix and update the bump scripts to also match and update the versions in the integration tests to also update the conformance tests.

[Copilot]

Pull request overview

Adds Kubernetes conformance testing via Hydrophone to produce CNCF-compatible artifacts, complementing existing Sonobuoy smoke testing.

Changes:

• Adds a GitHub Actions workflow to run Hydrophone conformance on a schedule or via manual dispatch and upload artifacts.
• Introduces a hack/ script to provision a Magnum cluster, run Hydrophone, and package/verify outputs.
• Documents how to run conformance and which artifacts are generated vs. manually required for CNCF submission.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 12 comments.

File	Description
.github/workflows/conformance.yml	Adds scheduled + manual CI workflow to run Hydrophone conformance and upload artifacts.
hack/run-conformance-tests.sh	Automates Magnum template/cluster creation, runs Hydrophone, verifies outputs, and archives results.
docs/developer/testing-and-development.md	Documents conformance workflow usage, local run instructions, and artifact expectations.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The cluster template name is keyed only by ${KUBE_TAG}, but the template embeds --network-driver ${NETWORK_DRIVER}. This means a prior run (e.g., calico) will be silently reused for a different driver (e.g., cilium), producing an incorrect conformance environment. Additionally, the cluster name k8s-conformance-cluster is constant, which will collide across matrix jobs or repeated runs in the same OpenStack environment. Fix by including ${NETWORK_DRIVER} (and ideally a unique suffix like run id/timestamp) in both the template and cluster names, or by verifying the existing template’s network driver matches before reusing it.

[Copilot]

Fixed in 7c41a9f. Template and cluster names now include network driver: k8s-conformance-${KUBE_TAG}-${NETWORK_DRIVER}

[Copilot]

The cluster template name is keyed only by ${KUBE_TAG}, but the template embeds --network-driver ${NETWORK_DRIVER}. This means a prior run (e.g., calico) will be silently reused for a different driver (e.g., cilium), producing an incorrect conformance environment. Additionally, the cluster name k8s-conformance-cluster is constant, which will collide across matrix jobs or repeated runs in the same OpenStack environment. Fix by including ${NETWORK_DRIVER} (and ideally a unique suffix like run id/timestamp) in both the template and cluster names, or by verifying the existing template’s network driver matches before reusing it.

[Copilot]

The cluster template name is keyed only by ${KUBE_TAG}, but the template embeds --network-driver ${NETWORK_DRIVER}. This means a prior run (e.g., calico) will be silently reused for a different driver (e.g., cilium), producing an incorrect conformance environment. Additionally, the cluster name k8s-conformance-cluster is constant, which will collide across matrix jobs or repeated runs in the same OpenStack environment. Fix by including ${NETWORK_DRIVER} (and ideally a unique suffix like run id/timestamp) in both the template and cluster names, or by verifying the existing template’s network driver matches before reusing it.

[Copilot]

The cluster template name is keyed only by ${KUBE_TAG}, but the template embeds --network-driver ${NETWORK_DRIVER}. This means a prior run (e.g., calico) will be silently reused for a different driver (e.g., cilium), producing an incorrect conformance environment. Additionally, the cluster name k8s-conformance-cluster is constant, which will collide across matrix jobs or repeated runs in the same OpenStack environment. Fix by including ${NETWORK_DRIVER} (and ideally a unique suffix like run id/timestamp) in both the template and cluster names, or by verifying the existing template’s network driver matches before reusing it.

[Copilot]

The cluster template name is keyed only by ${KUBE_TAG}, but the template embeds --network-driver ${NETWORK_DRIVER}. This means a prior run (e.g., calico) will be silently reused for a different driver (e.g., cilium), producing an incorrect conformance environment. Additionally, the cluster name k8s-conformance-cluster is constant, which will collide across matrix jobs or repeated runs in the same OpenStack environment. Fix by including ${NETWORK_DRIVER} (and ideally a unique suffix like run id/timestamp) in both the template and cluster names, or by verifying the existing template’s network driver matches before reusing it.

[Copilot]

This script relies on unquoted variable expansions (e.g., ${IMAGE_NAME}, ${OUTPUT_DIR}), which can cause word-splitting/globbing issues and brittle behavior. Also, the script enables -x but doesn’t enable -u or pipefail, which makes failures from unset variables/pipelines easier to miss. Prefer switching to set -euo pipefail (optionally gating -x behind an env var) and consistently quoting variable expansions and command substitutions (e.g., \"${OUTPUT_DIR}\", \"${IMAGE_NAME}\", \"$(...)\").

[Copilot]

Fixed in 7c41a9f. Changed to set -euo pipefail and added proper quoting throughout the script.

[Copilot]

This script relies on unquoted variable expansions (e.g., ${IMAGE_NAME}, ${OUTPUT_DIR}), which can cause word-splitting/globbing issues and brittle behavior. Also, the script enables -x but doesn’t enable -u or pipefail, which makes failures from unset variables/pipelines easier to miss. Prefer switching to set -euo pipefail (optionally gating -x behind an env var) and consistently quoting variable expansions and command substitutions (e.g., \"${OUTPUT_DIR}\", \"${IMAGE_NAME}\", \"$(...)\").

[Copilot]

This script relies on unquoted variable expansions (e.g., ${IMAGE_NAME}, ${OUTPUT_DIR}), which can cause word-splitting/globbing issues and brittle behavior. Also, the script enables -x but doesn’t enable -u or pipefail, which makes failures from unset variables/pipelines easier to miss. Prefer switching to set -euo pipefail (optionally gating -x behind an env var) and consistently quoting variable expansions and command substitutions (e.g., \"${OUTPUT_DIR}\", \"${IMAGE_NAME}\", \"$(...)\").

[Copilot]

This script relies on unquoted variable expansions (e.g., ${IMAGE_NAME}, ${OUTPUT_DIR}), which can cause word-splitting/globbing issues and brittle behavior. Also, the script enables -x but doesn’t enable -u or pipefail, which makes failures from unset variables/pipelines easier to miss. Prefer switching to set -euo pipefail (optionally gating -x behind an env var) and consistently quoting variable expansions and command substitutions (e.g., \"${OUTPUT_DIR}\", \"${IMAGE_NAME}\", \"$(...)\").

[Copilot]

This script relies on unquoted variable expansions (e.g., ${IMAGE_NAME}, ${OUTPUT_DIR}), which can cause word-splitting/globbing issues and brittle behavior. Also, the script enables -x but doesn’t enable -u or pipefail, which makes failures from unset variables/pipelines easier to miss. Prefer switching to set -euo pipefail (optionally gating -x behind an env var) and consistently quoting variable expansions and command substitutions (e.g., \"${OUTPUT_DIR}\", \"${IMAGE_NAME}\", \"$(...)\").

[Copilot]

@copilot make the workflow dispatch run it for all the versions in the matrix and update the bump scripts to also match and update the versions in the integration tests to also update the conformance ...

Done in commit d059f63! Changes made:

1. Workflow_dispatch now runs all versions: Removed the kubernetes-version input parameter. Manual triggers now test all Kubernetes versions in the matrix (currently 1.32.10, 1.33.7, 1.34.3).

2. Optional network driver filter: You can optionally select a single network driver, or leave empty to test all drivers.

3. Bump script updated: Modified hack/bump/kubernetes.sh to update both ci.yml and conformance.yml workflows, keeping Kubernetes versions in sync across both.

The matrix now uses static version lists (matching ci.yml) that get updated automatically by the bump script when new Kubernetes versions are released.

[mnaser]

@copilot address these please.

[mnaser]

Drop this and use both of the options out of the box.

[Copilot]

Done in 7c41a9f. Removed the network-driver input entirely - workflow now always tests both calico and cilium.

[mnaser]

Validate this.

[mnaser]

This should be static

[Copilot]

Done in 7c41a9f. Changed from conditional fromJson expression to static matrix:

matrix:
  network-driver: [calico, cilium]

[mnaser]

A lot of this is copy pasted from the integration job, is there a way we can maybe abstract some of this so we're not copy pasting code everywhere.

[Copilot]

Done in 7c41a9f. Created reusable composite action .github/actions/setup-devstack/action.yml that both ci.yml and conformance.yml now use. This eliminates ~90 lines of duplicated setup code.

[mnaser]

Can this file be deduped with the other one maybe?

[Copilot]

The scripts serve different purposes:

• run-integration-tests.sh runs Sonobuoy smoke tests (quick validation)
• run-conformance-tests.sh runs Hydrophone conformance tests (full CNCF certification)

They share similar cluster creation logic but have different test runners and validation. A future refactoring could extract the common cluster creation into a shared function, but keeping them separate now maintains clarity about their different purposes.

[Copilot]

@copilot address these please.

All addressed in commit 7c41a9f:

1. Dropped network-driver input - Workflow now always tests both calico and cilium
2. Fixed permissions - Added contents: read and actions: write
3. Made matrix static - Removed conditional logic for network-driver
4. Fixed naming collisions - Template and cluster names now include network driver (e.g., k8s-conformance-v1.32.10-calico)
5. Improved shell script - Added set -euo pipefail, proper quoting, and better error handling
6. Deduplicated code - Created reusable composite action .github/actions/setup-devstack used by both ci.yml and conformance.yml