First commit #21
| name: Integration Tests | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| schedule: | |
| # Run integration tests daily at 2 AM UTC | |
| - cron: '0 2 * * *' | |
| jobs: | |
| integration-tests: | |
| name: Integration Tests | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| kubernetes-version: ['1.27.0', '1.28.0', '1.29.0', '1.30.0'] | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: '1.21' | |
| - name: Cache Go modules | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.cache/go-build | |
| ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Install NFTables | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y nftables | |
| sudo modprobe nf_tables | |
| - name: Set up Kind | |
| uses: helm/kind-action@v1.8.0 | |
| with: | |
| version: v0.20.0 | |
| kubernetes_version: v${{ matrix.kubernetes-version }} | |
| config: | | |
| kind: Cluster | |
| apiVersion: kind.x-k8s.io/v1alpha4 | |
| nodes: | |
| - role: control-plane | |
| extraMounts: | |
| - hostPath: /lib/modules | |
| containerPath: /lib/modules | |
| readOnly: true | |
| - hostPath: /sys/fs/cgroup | |
| containerPath: /sys/fs/cgroup | |
| readOnly: true | |
| kubeadmConfigPatches: | |
| - | | |
| kind: ClusterConfiguration | |
| apiServer: | |
| extraArgs: | |
| enable-admission-plugins: NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook | |
| - role: worker | |
| extraMounts: | |
| - hostPath: /lib/modules | |
| containerPath: /lib/modules | |
| readOnly: true | |
| - hostPath: /sys/fs/cgroup | |
| containerPath: /sys/fs/cgroup | |
| readOnly: true | |
| - name: Install Multus CNI | |
| run: | | |
| kubectl apply -f https://raw.githubusercontent.com/k8snetworkplumbingwg/multus-cni/master/deployments/multus-daemonset-thick.yml | |
| kubectl wait --for=condition=ready pod -l app=multus -n kube-system --timeout=300s | |
| - name: Install Multi-NetworkPolicy CRDs | |
| run: | | |
| kubectl apply -f https://raw.githubusercontent.com/k8snetworkplumbingwg/multi-networkpolicy/master/scheme.yml | |
| - name: Build and load Docker image | |
| run: | | |
| docker build -t multi-networkpolicy-nftables:test . | |
| kind load docker-image multi-networkpolicy-nftables:test | |
| - name: Deploy controller | |
| run: | | |
| # Update image in deployment | |
| sed -i 's|image: .*|image: multi-networkpolicy-nftables:test|g' deploy.yaml | |
| sed -i 's|imagePullPolicy: .*|imagePullPolicy: Never|g' deploy.yaml | |
| kubectl apply -f deploy.yaml | |
| kubectl wait --for=condition=available deployment/multi-networkpolicy-nftables -n kube-system --timeout=300s | |
| - name: Run integration tests | |
| run: | | |
| # Run controller integration tests | |
| go test ./pkg/controller -v -ginkgo.focus="Integration" -timeout=30m | |
| - name: Run NFTables integration tests (with privileges) | |
| run: | | |
| # These tests require root privileges for NFTables operations | |
| sudo -E go test ./pkg/nftables -tags=integration -v -timeout=30m | |
| - name: Collect logs on failure | |
| if: failure() | |
| run: | | |
| echo "=== Controller Logs ===" | |
| kubectl logs -n kube-system deployment/multi-networkpolicy-nftables --tail=100 | |
| echo "=== Events ===" | |
| kubectl get events --sort-by='.lastTimestamp' -A | |
| echo "=== Pods ===" | |
| kubectl get pods -A -o wide | |
| e2e-tests: | |
| name: End-to-End Tests | |
| runs-on: ubuntu-latest | |
| needs: integration-tests | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version: '1.21' | |
| - name: Install NFTables | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y nftables | |
| sudo modprobe nf_tables | |
| - name: Set up Kind cluster | |
| uses: helm/kind-action@v1.8.0 | |
| with: | |
| version: v0.20.0 | |
| kubernetes_version: v1.29.0 | |
| config: | | |
| kind: Cluster | |
| apiVersion: kind.x-k8s.io/v1alpha4 | |
| nodes: | |
| - role: control-plane | |
| extraMounts: | |
| - hostPath: /lib/modules | |
| containerPath: /lib/modules | |
| readOnly: true | |
| - role: worker | |
| extraMounts: | |
| - hostPath: /lib/modules | |
| containerPath: /lib/modules | |
| readOnly: true | |
| - role: worker | |
| extraMounts: | |
| - hostPath: /lib/modules | |
| containerPath: /lib/modules | |
| readOnly: true | |
| - name: Install CNI plugins | |
| run: | | |
| # Install Multus | |
| kubectl apply -f https://raw.githubusercontent.com/k8snetworkplumbingwg/multus-cni/master/deployments/multus-daemonset-thick.yml | |
| # Install Multi-NetworkPolicy CRDs | |
| kubectl apply -f https://raw.githubusercontent.com/k8snetworkplumbingwg/multi-networkpolicy/master/scheme.yml | |
| # Wait for Multus to be ready | |
| kubectl wait --for=condition=ready pod -l app=multus -n kube-system --timeout=300s | |
| - name: Build and deploy controller | |
| run: | | |
| docker build -t multi-networkpolicy-nftables:e2e . | |
| kind load docker-image multi-networkpolicy-nftables:e2e | |
| sed -i 's|image: .*|image: multi-networkpolicy-nftables:e2e|g' deploy.yaml | |
| sed -i 's|imagePullPolicy: .*|imagePullPolicy: Never|g' deploy.yaml | |
| kubectl apply -f deploy.yaml | |
| kubectl wait --for=condition=available deployment/multi-networkpolicy-nftables -n kube-system --timeout=300s | |
| - name: Run E2E test scenarios | |
| run: | | |
| # Create test namespace | |
| kubectl create namespace e2e-test | |
| # Create NetworkAttachmentDefinition | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: k8s.cni.cncf.io/v1 | |
| kind: NetworkAttachmentDefinition | |
| metadata: | |
| name: macvlan-net | |
| namespace: e2e-test | |
| spec: | |
| config: | | |
| { | |
| "cniVersion": "0.3.1", | |
| "type": "macvlan", | |
| "master": "eth0", | |
| "mode": "bridge", | |
| "ipam": { | |
| "type": "host-local", | |
| "subnet": "192.168.1.0/24", | |
| "rangeStart": "192.168.1.100", | |
| "rangeEnd": "192.168.1.200" | |
| } | |
| } | |
| EOF | |
| # Create test MultiNetworkPolicy | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: k8s.cni.cncf.io/v1beta1 | |
| kind: MultiNetworkPolicy | |
| metadata: | |
| name: test-policy | |
| namespace: e2e-test | |
| annotations: | |
| k8s.v1.cni.cncf.io/policy-for: "macvlan-net" | |
| spec: | |
| podSelector: | |
| matchLabels: | |
| app: web | |
| policyTypes: | |
| - Ingress | |
| ingress: | |
| - from: | |
| - podSelector: | |
| matchLabels: | |
| app: client | |
| ports: | |
| - protocol: TCP | |
| port: 80 | |
| EOF | |
| # Verify policy was created and processed | |
| kubectl wait --for=condition=ready multinetworkpolicy/test-policy -n e2e-test --timeout=60s || true | |
| kubectl describe multinetworkpolicy/test-policy -n e2e-test | |
| # Check controller logs | |
| kubectl logs -n kube-system deployment/multi-networkpolicy-nftables --tail=50 | |
| echo "E2E test completed successfully" |
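Review bot: The `kubectl apply -f https://raw.githubusercontent.com/k8snetworkplumbingwg/.../master/...` lines in the "Install Multus CNI", "Install Multi-NetworkPolicy CRDs" and "Install CNI plugins" steps fetch manifests from a mutable branch, so whatever is on upstream `master` at run time is deployed into the test cluster (the Multus daemonset into kube-system) without review, and the nightly schedule can change behaviour with no commit in this repository. Pin each URL to a release tag or commit, e.g. `.../multus-cni/<PINNED_TAG_OR_SHA>/deployments/multus-daemonset-thick.yml`, and consider pinning the `uses:` references (notably the third-party `helm/kind-action@v1.8.0`) to a full commit SHA for the same reason. The workflow declares no `permissions:` block; nothing visible here writes to the repository, so a top-level `permissions:` with `contents: read` would bound the token available to the `sudo -E go test` step, which runs pull-request code as root with the job environment preserved. Separately, the last e2e step ends its `kubectl wait` with `|| true` and then echoes "E2E test completed successfully" unconditionally, so the job passes even if the policy is never processed and never checks that traffic is actually allowed or denied; drop the `|| true` or add an explicit assertion.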