[WIP] CNTRLPLANE-707: Use Calico CNI for management cluster

ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.18__periodics-mce.yaml

@@ -167,6 +167,14 @@ tests:
       LVM_OPERATOR_SUB_CHANNEL: stable-4.18
       MCE_VERSION: "2.8"
     workflow: hypershift-mce-agent-metal3-conformance-cilium
+- as: e2e-agent-connected-calico-ipv4-metal-conformance
+  minimum_interval: 168h
+  steps:
+    cluster_profile: equinix-ocp-hcp
+    env:
+      LVM_OPERATOR_SUB_CHANNEL: stable-4.18
+      MCE_VERSION: "2.8"
+    workflow: hypershift-mce-agent-metal3-conformance-calico
 - as: e2e-kubevirt-metal-ovn
   cron: 0 4 1 1 *
   steps:

ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.19__periodics.yaml

@@ -152,6 +152,34 @@ tests:
     test:
     - chain: hypershift-conformance
     workflow: cucushift-installer-rehearse-aws-ipi-cilium-hypershift-private-guest
+- as: e2e-aws-conformance-calico
+  minimum_interval: 168h
+  steps:
+    cluster_profile: hypershift
+    env:
+      TEST_SKIPS: The default cluster RBAC policy should have correct RBAC rules\|
+        Cluster scoped load balancer healthcheck port and path should be 10256/healthz\|
+        Prometheus \[apigroup:image.openshift.io\] when installed on the cluster should
+        provide named network metrics\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+        should work with UDP\| Unidling with Deployments \[apigroup:route.openshift.io\]
+        should work with TCP (when fully idled)\| Unidling \[apigroup:apps.openshift.io\]\[apigroup:route.openshift.io\]
+        should work with TCP (when fully idled)\| Unidling with Deployments \[apigroup:route.openshift.io\]
+        should work with UDP\| pod should not start for sysctls not on whitelist \[apigroup:k8s.cni.cncf.io\]
+        net.ipv4.conf.IFNAME.arp_filter\| pod should not start for sysctls not on
+        whitelist \[apigroup:k8s.cni.cncf.io\] net.ipv4.conf.all.send_redirects\|
+        sysctl allowlist update should start a pod with custom sysctl only when the
+        sysctl is added to whitelist
+    workflow: hypershift-aws-conformance-calico
+- as: e2e-kubevirt-metal-conformance-calico
+  minimum_interval: 168h
+  steps:
+    cluster_profile: equinix-ocp-hcp
+    env:
+      LVM_OPERATOR_SUB_CHANNEL: stable-4.19
+      ODF_OPERATOR_SUB_CHANNEL: stable-4.18
+      ODF_OPERATOR_SUB_SOURCE: redhat-operators-v4-18
+      REDHAT_OPERATORS_INDEX_TAG: v4.18
+    workflow: hypershift-kubevirt-baremetalds-conformance-calico
 - as: e2e-powervs-ovn
   cron: 0 8 * * *
   steps:

ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.18-periodics.yaml

@@ -1475,6 +1475,81 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build11
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.18
+    org: openshift
+    repo: hypershift
+  labels:
+    ci-operator.openshift.io/cloud: equinix-ocp-metal
+    ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-hcp
+    ci-operator.openshift.io/variant: periodics-mce
+    ci.openshift.io/generator: prowgen
+    job-release: "4.18"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  minimum_interval: 168h
+  name: periodic-ci-openshift-hypershift-release-4.18-periodics-mce-e2e-agent-connected-calico-ipv4-metal-conformance
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-agent-connected-calico-ipv4-metal-conformance
+      - --variant=periodics-mce
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build11
   decorate: true

ci-operator/jobs/openshift/hypershift/openshift-hypershift-release-4.19-periodics.yaml

@@ -74,6 +74,81 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build11
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.19
+    org: openshift
+    repo: hypershift
+  labels:
+    ci-operator.openshift.io/cloud: hypershift
+    ci-operator.openshift.io/cloud-cluster-profile: hypershift
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.19"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  minimum_interval: 168h
+  name: periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-aws-conformance-calico
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-aws-conformance-calico
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build11
   decorate: true
@@ -1176,6 +1251,81 @@ periodics:
     - name: result-aggregator
       secret:
         secretName: result-aggregator
+- agent: kubernetes
+  cluster: build11
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-4.19
+    org: openshift
+    repo: hypershift
+  labels:
+    ci-operator.openshift.io/cloud: equinix-ocp-metal
+    ci-operator.openshift.io/cloud-cluster-profile: equinix-ocp-hcp
+    ci-operator.openshift.io/variant: periodics
+    ci.openshift.io/generator: prowgen
+    job-release: "4.19"
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  minimum_interval: 168h
+  name: periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-kubevirt-metal-conformance-calico
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --lease-server-credentials-file=/etc/boskos/credentials
+      - --report-credentials-file=/etc/report/credentials
+      - --secret-dir=/secrets/ci-pull-credentials
+      - --target=e2e-kubevirt-metal-conformance-calico
+      - --variant=periodics
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /etc/boskos
+        name: boskos
+        readOnly: true
+      - mountPath: /secrets/ci-pull-credentials
+        name: ci-pull-credentials
+        readOnly: true
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: boskos
+      secret:
+        items:
+        - key: credentials
+          path: credentials
+        secretName: boskos-credentials
+    - name: ci-pull-credentials
+      secret:
+        secretName: ci-pull-credentials
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator
 - agent: kubernetes
   cluster: build11
   cron: 0 4 * * *

ci-operator/step-registry/calico/OWNERS

@@ -0,0 +1,13 @@
+approvers:
+- vrutkovs
+- jtaleric
+- nbusseneau
+- nathanjsweet
+- squeed
+- mgencur
+reviewers:
+- jtaleric
+- nathanjsweet
+- squeed
+- nbusseneau
+- mgencur

ci-operator/step-registry/calico/conf/OWNERS

@@ -0,0 +1 @@
+../OWNERS

ci-operator/step-registry/calico/conf/calico-conf-commands.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+set -xeuo pipefail
+
+if [[ -f "${SHARED_DIR}/install-config.yaml" ]]; then
+  sed -i "s/networkType: .*/networkType: Calico/" "${SHARED_DIR}/install-config.yaml"
+fi
+
+cat > "${SHARED_DIR}/manifest_cluster-network-03-config.yml" << EOF
+apiVersion: operator.openshift.io/v1
+kind: Network
+metadata:
+  name: cluster
+spec:
+  clusterNetwork:
+  - cidr: 10.128.0.0/14
+    hostPrefix: 23
+  networkType: Calico
+  serviceNetwork:
+  - 172.30.0.0/16
+EOF
+
+calico_dir=/tmp/calico
+mkdir $calico_dir
+
+wget -qO- "https://github.com/projectcalico/calico/releases/download/v${CALICO_VERSION}/ocp.tgz" | \
+  tar xvz --strip-components=1 -C $calico_dir
+
+# Install namespaces, operator, custom resources Installation and ApiServer.
+while IFS= read -r src; do
+  cp "$src" "${SHARED_DIR}/manifest_$(basename "$src")"
+done <<< "$(find $calico_dir -name "00*" -o -name "02*")"
+
+# Install API Server
+cp "${calico_dir}/01-cr-apiserver.yaml" "${SHARED_DIR}/manifest_01-cr-apiserver.yaml"
+
+# Install Calico with specific setting for node address auto-detection.
+# The specific setting is required as some tests create NetworkAttachmentDefinitions
+# which add network interfaces to the host. Calico then incorrectly chooses this interface
+# and breaks connectivity between nodes.
+cat > "${SHARED_DIR}/manifest_01-cr-installation.yaml" << EOF
+apiVersion: operator.tigera.io/v1
+kind: Installation
+metadata:
+  name: default
+spec:
+  variant: Calico
+  calicoNetwork:
+    nodeAddressAutodetectionV4:
+      kubernetes: NodeInternalIP
+    ipPools:
+      - cidr: 10.128.0.0/14
+        encapsulation: None
+EOF

ci-operator/step-registry/calico/conf/calico-conf-ref.metadata.json

@@ -0,0 +1,20 @@
+{
+	"path": "calico/conf/calico-conf-ref.yaml",
+	"owners": {
+		"approvers": [
+			"vrutkovs",
+			"jtaleric",
+			"nbusseneau",
+			"nathanjsweet",
+			"squeed",
+			"mgencur"
+		],
+		"reviewers": [
+			"jtaleric",
+			"nathanjsweet",
+			"squeed",
+			"nbusseneau",
+			"mgencur"
+		]
+	}
+}