ci: [CNI] Move Nightly Cilium Pipeline test to ACN (#1963)

* CNS to be able to generate dualstack overaly CNI conflist (#1981)

* fix: Eliminating duplicate lines

* ci: Add update permission for ciliumidentity

* fix: Parameterize Image Registry

add retry to nnc update during scaledown (#1970)

* add retry to nnc update during scaledown

Signed-off-by: Evan Baker <[email protected]>

* test for panic in pool monitor

Signed-off-by: Evan Baker <[email protected]>

---------

Signed-off-by: Evan Baker <[email protected]>

fix: reserve 0th IP as gateway for overlay on Windows (#1968)

* fix: reserve 0th IP as gateway for overlay on Windows

* fix: allow gateway to be updated

ci: windows profile container image (#1988)

Always use 0 for NC version in Overlay (#1979)

always use 0 for NC version in overlay

Signed-off-by: Evan Baker <[email protected]>

[Vnet Scale - CNS]: Flattening CIDR ranges for Node NNC to a list (#1921)

* Read secondary CIDRs from VnetScale NNC

* fix comment

* update comment

* For VnetScale mode, Use 1st IP for def gateway instead of 0th for windows

* fix/add import

* address pr comments

* add comments

* address pr comments

* wrap error

* fix typo

* fix UT

fix: [NPM] check if policy exists in case of nil pointer (#1974)

fix: check for nil first

ci: disable kube-proxy for test clusters (#1965)

* disable kube-proxy for byocni cluster creation

* test config mapping

* shell pwd

* use CURDIR

* check current directory

* test with repo root dir

* test azp format

* test azp format

* test azp format

* change e2e steps to remove kube proxy

* fix load test update args

* fix ns and rg in update

* update ciliume2e

* fix kubectl cmd in load test

* adding new targets for no kube proxy

* remove cluster update

* update overlay e2e

* test behavior of load test

* test grep for azure-cns

* look for container deployment

* testing

* restart node variable check

* update if condition

* add skip node case

---------

Co-authored-by: tamilmani1989 <[email protected]>

perf: [WIN-NPM] fast bootup (#1900)

* wip

* wip2

* use other apply DP func

* address comment about if statement

* finish bootup for both DPs

* fix lint

* fix lint 2

* fix lint 3

* longer UT timeout and add missing UTs for apply in background

tool: [NPM] script to clean up iptable chains (#1978)

tool: script to clean up NPM iptable chains

feat: [WIN-NPM] metrics for latencies and failures (#1959)

* implement metrics

* add npm prefix

* rename windows files

* metrics pkg UTs

* allow reinitializing prometheus metrics

* fix: hns wrapper should not throw error for empty SetPolicy values

* test: metric UTs in dataplane

* fix: record list endpoint latency always

* remove flaky UT

* feat: metric for max ipset members

* fix lint

* fix lint 2

* fix build

* fix lint 3

* simplify conditionals and protect against maxMembers becoming negative

* remove bottom 4 histogram buckets. start at 16 ms

* reset metrics for ipset UTs

* style: don't check for windows dp in *_windows.go files

* build: remove unused import

* test: reset windows metrics in UT

Remove SSH port 22 rule from aks-engine clusters (#1983)

ci: change overlaye2e stage to cilium-overlay (#1997)

* renaming overlaye2e for cilium

* update display names for stages

Initial getHomeAZ 404 changes (#1994)

* initial getHomeAZ 404 changes

* treat 404 as success

* address comments

CNS to be able to generate dualstack overaly CNI conflist (#1981)

fix: Parameterize Image Registry

add retry to nnc update during scaledown (#1970)

* add retry to nnc update during scaledown

Signed-off-by: Evan Baker <[email protected]>

* test for panic in pool monitor

Signed-off-by: Evan Baker <[email protected]>

---------

Signed-off-by: Evan Baker <[email protected]>

fix: reserve 0th IP as gateway for overlay on Windows (#1968)

* fix: reserve 0th IP as gateway for overlay on Windows

* fix: allow gateway to be updated

ci: windows profile container image (#1988)

Always use 0 for NC version in Overlay (#1979)

always use 0 for NC version in overlay

Signed-off-by: Evan Baker <[email protected]>

[Vnet Scale - CNS]: Flattening CIDR ranges for Node NNC to a list (#1921)

* Read secondary CIDRs from VnetScale NNC

* fix comment

* update comment

* For VnetScale mode, Use 1st IP for def gateway instead of 0th for windows

* fix/add import

* address pr comments

* add comments

* address pr comments

* wrap error

* fix typo

* fix UT

fix: [NPM] check if policy exists in case of nil pointer (#1974)

fix: check for nil first

ci: disable kube-proxy for test clusters (#1965)

* disable kube-proxy for byocni cluster creation

* test config mapping

* shell pwd

* use CURDIR

* check current directory

* test with repo root dir

* test azp format

* test azp format

* test azp format

* change e2e steps to remove kube proxy

* fix load test update args

* fix ns and rg in update

* update ciliume2e

* fix kubectl cmd in load test

* adding new targets for no kube proxy

* remove cluster update

* update overlay e2e

* test behavior of load test

* test grep for azure-cns

* look for container deployment

* testing

* restart node variable check

* update if condition

* add skip node case

---------

Co-authored-by: tamilmani1989 <[email protected]>

perf: [WIN-NPM] fast bootup (#1900)

* wip

* wip2

* use other apply DP func

* address comment about if statement

* finish bootup for both DPs

* fix lint

* fix lint 2

* fix lint 3

* longer UT timeout and add missing UTs for apply in background

tool: [NPM] script to clean up iptable chains (#1978)

tool: script to clean up NPM iptable chains

feat: [WIN-NPM] metrics for latencies and failures (#1959)

* implement metrics

* add npm prefix

* rename windows files

* metrics pkg UTs

* allow reinitializing prometheus metrics

* fix: hns wrapper should not throw error for empty SetPolicy values

* test: metric UTs in dataplane

* fix: record list endpoint latency always

* remove flaky UT

* feat: metric for max ipset members

* fix lint

* fix lint 2

* fix build

* fix lint 3

* simplify conditionals and protect against maxMembers becoming negative

* remove bottom 4 histogram buckets. start at 16 ms

* reset metrics for ipset UTs

* style: don't check for windows dp in *_windows.go files

* build: remove unused import

* test: reset windows metrics in UT

Remove SSH port 22 rule from aks-engine clusters (#1983)

ci: change overlaye2e stage to cilium-overlay (#1997)

* renaming overlaye2e for cilium

* update display names for stages

Initial getHomeAZ 404 changes (#1994)

* initial getHomeAZ 404 changes

* treat 404 as success

* address comments

CNS to be able to generate dualstack overaly CNI conflist (#1981)

* fix: File Directory

* style: Comments

* Addressing Comments

---------

Co-authored-by: Paul Johnston <[email protected]>
(cherry picked from commit 1514d95)

Author: jpayne3506

.pipelines/cni/cilium/cilium-cni-load-test.yaml

@@ -48,6 +48,9 @@ stages:
                 echo "install Cilium onto Overlay Cluster"
                 kubectl apply -f test/integration/manifests/cilium/cilium-agent
                 kubectl apply -f test/integration/manifests/cilium/cilium-operator
+                # Passes Cilium image to daemonset and deployment
+                envsubst '${CILIUM_VERSION_TAG},${CILIUM_IMAGE_REGISTRY}' < test/integration/manifests/cilium/daemonset.yaml | kubectl apply -f -
+                envsubst '${CILIUM_VERSION_TAG},${CILIUM_IMAGE_REGISTRY}' < test/integration/manifests/cilium/deployment.yaml | kubectl apply -f -
                 kubectl get po -owide -A
                 echo "deploy ip-masq-agent for overlay"
                 kubectl create -f test/integration/manifests/ip-masq-agent/ip-masq-agent.yaml --validate=false

.pipelines/cni/cilium/nightly-release-test.yml

@@ -0,0 +1,54 @@
+pr: none
+trigger: none
+
+stages:
+  - stage: init
+    displayName: "Build and Push Cilium Image"
+    jobs:
+      - job: build_and_push_cilium_image
+        steps:
+          - bash: |
+              set -ex
+              cd .pipelines/
+              git clone https://github.com/cilium/cilium.git
+              cd cilium
+              make docker-cilium-image
+              make docker-operator-generic-image
+            name: BuildCiliumImage
+            displayName: "Build Cilium Image"
+          - task: Docker@2
+            displayName: Login
+            inputs:
+              containerRegistry: $(CONTAINER_REGISTRY)
+              command: "login"
+          - task: AzureCLI@1
+            inputs:
+              azureSubscription: $(TEST_SUB_SERVICE_CONNECTION)
+              scriptLocation: "inlineScript"
+              inlineScript: |
+                set -ex
+                docker tag quay.io/cilium/cilium:$(DOCKER_IMAGE_TAG) $(ACR).azurecr.io/cilium/cilium:$(DOCKER_IMAGE_TAG)
+                docker tag quay.io/cilium/operator-generic:$(DOCKER_IMAGE_TAG) $(ACR).azurecr.io/cilium/operator-generic:$(DOCKER_IMAGE_TAG)
+                docker push $(ACR).azurecr.io/cilium/cilium:$(DOCKER_IMAGE_TAG)
+                docker push $(ACR).azurecr.io/cilium/operator-generic:$(DOCKER_IMAGE_TAG)
+            name: "PushCiliumImage"
+            displayName: "Push Cilium Image"
+          - task: Docker@2
+            displayName: Logout
+            inputs:
+              containerRegistry: $(CONTAINER_REGISTRY)
+              command: "logout"
+  - stage: cilium_nightly
+    displayName: E2E - Cilium Nightly
+    variables:
+      GOPATH: "$(Agent.TempDirectory)/go" # Go workspace path
+      GOBIN: "$(GOPATH)/bin" # Go binaries path
+      modulePath: "$(GOPATH)/src/github.com/Azure/azure-container-networking"
+    jobs:
+      - job: cilium_nightly
+        steps:
+        - template: ../../singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml
+          parameters:
+            name: "cilium_nightly"
+            testDropgz: ""
+            clusterName: "ciliumnightly"

.pipelines/singletenancy/cilium-overlay/cilium-overlay-e2e-step-template.yaml

@@ -46,6 +46,7 @@ steps:
       sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
       kubectl cluster-info
       kubectl get po -owide -A
+      if [ "$CILIUM_VERSION_TAG" = "cilium-nightly-pipeline" ]; then FILE_PATH=-nightly && echo "Running nightly"; fi
       echo "deploy Cilium ConfigMap"
       kubectl apply -f cilium/configmap.yaml
       kubectl apply -f test/integration/manifests/cilium/cilium${FILE_PATH}-config.yaml

.pipelines/singletenancy/cilium/cilium-e2e-step-template.yaml

@@ -49,7 +49,9 @@ steps:
       echo "deploy Cilium ConfigMap"
       kubectl apply -f cilium/configmap.yaml
       kubectl apply -f test/integration/manifests/cilium/cilium-config.yaml
-      echo "install Cilium"
+      echo "install Cilium ${CILIUM_VERSION_TAG}"
+      envsubst '${CILIUM_VERSION_TAG},${CILIUM_IMAGE_REGISTRY}' < test/integration/manifests/cilium/daemonset.yaml | kubectl apply -f -
+      envsubst '${CILIUM_VERSION_TAG},${CILIUM_IMAGE_REGISTRY}' < test/integration/manifests/cilium/deployment.yaml | kubectl apply -f -
       kubectl apply -f test/integration/manifests/cilium/cilium-agent
       kubectl apply -f test/integration/manifests/cilium/cilium-operator
       kubectl get po -owide -A
@@ -111,6 +113,15 @@ steps:
       pathtoPublish: "$(Build.ArtifactStagingDirectory)/test-output"
     condition: always()
 
+  - script: |              
+      kubectl get pods -A
+      echo "Waiting < 2 minutes for cilium to be ready"
+      # Ensure Cilium is ready Xm\Xs
+      cilium status --wait --wait-duration 2m
+    retryCountOnTaskFailure: 3
+    name: "CiliumStatus"
+    displayName: "Cilium Status" 
+    
   - script: |
       kubectl get pods -A
       echo "Waiting < 2 minutes for cilium to be ready"

test/integration/manifests/cilium/cilium-agent/clusterrole.yaml

@@ -71,6 +71,13 @@ rules:
   - create
 - apiGroups:
   - cilium.io
+  # To synchronize garbage collection of such resources
+  resources:
+  - ciliumidentities
+  verbs:
+  - update
+- apiGroups:
+  - cilium.io  
   resources:
   - ciliumendpoints
   verbs:

test/integration/manifests/cilium/cilium-nightly-agent/clusterrole.yaml

@@ -0,0 +1,104 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cilium
+rules:
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - networkpolicies
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - services
+  - pods
+  - endpoints
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - list
+  - watch
+  # This is used when validating policies in preflight. This will need to stay
+  # until we figure out how to avoid "get" inside the preflight, and then
+  # should be removed ideally.
+  - get
+- apiGroups:
+  - cilium.io
+  resources:
+  #Naming changed from ciliumbgploadbalancerippools
+  - ciliumloadbalancerippools
+  - ciliumbgppeeringpolicies
+  - ciliumclusterwideenvoyconfigs
+  - ciliumclusterwidenetworkpolicies
+  - ciliumegressgatewaypolicies
+  - ciliumendpoints
+  - ciliumendpointslices
+  - ciliumenvoyconfigs
+  - ciliumidentities
+  - ciliumlocalredirectpolicies
+  - ciliumnetworkpolicies
+  - ciliumnodes
+  - ciliumnodeconfigs
+  #Added in 1.14.0 snapshot 2
+  - ciliumcidrgroups
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumidentities
+  - ciliumendpoints
+  - ciliumnodes
+  verbs:
+  - create
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumidentities
+  verbs:
+  - update
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumendpoints
+  verbs:
+  - delete
+  - get
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumnodes
+  - ciliumnodes/status
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumnetworkpolicies/status
+  - ciliumclusterwidenetworkpolicies/status
+  - ciliumendpoints/status
+  - ciliumendpoints
+  verbs:
+  - patch

test/integration/manifests/cilium/cilium-nightly-agent/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cilium
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cilium
+subjects:
+- kind: ServiceAccount
+  name: "cilium"
+  namespace: kube-system

test/integration/manifests/cilium/cilium-nightly-agent/serviceaccount.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "cilium"
+  namespace: kube-system
+

test/integration/manifests/cilium/cilium-nightly-config.yaml

@@ -0,0 +1,89 @@
+apiVersion: v1
+data:
+  agent-not-ready-taint-key: node.cilium.io/agent-not-ready
+  arping-refresh-period: 30s
+  auto-direct-node-routes: "false"
+  bpf-lb-external-clusterip: "false"
+  bpf-lb-map-max: "65536"
+  bpf-lb-mode: snat
+  bpf-map-dynamic-size-ratio: "0.0025"
+  bpf-policy-map-max: "16384"
+  bpf-root: /sys/fs/bpf
+  cgroup-root: /run/cilium/cgroupv2
+  cilium-endpoint-gc-interval: 5m0s
+  cluster-id: "0"
+  cluster-name: default
+  debug: "false"
+  disable-cnp-status-updates: "true"
+  disable-endpoint-crd: "false"
+  enable-auto-protect-node-port-range: "true"
+  enable-bgp-control-plane: "false"
+  enable-bpf-clock-probe: "true"
+  enable-endpoint-health-checking: "false"
+  enable-endpoint-routes: "true"
+  enable-health-check-nodeport: "true"
+  enable-health-checking: "true"
+  enable-host-legacy-routing: "true"
+  enable-hubble: "false"
+  enable-ipv4: "true"
+  enable-ipv4-masquerade: "false"
+  enable-ipv6: "false"
+  enable-ipv6-masquerade: "false"
+  enable-k8s-terminating-endpoint: "true"
+  enable-l2-neigh-discovery: "true"
+  enable-l7-proxy: "false"
+  enable-local-node-route: "false"
+  enable-local-redirect-policy: "false"
+  enable-metrics: "true"
+  enable-policy: default
+  enable-remote-node-identity: "true"
+  enable-session-affinity: "true"
+  enable-svc-source-range-check: "true"
+  enable-vtep: "false"
+  enable-well-known-identities: "false"
+  enable-xt-socket-fallback: "true"
+  identity-allocation-mode: crd
+  install-iptables-rules: "true"
+  install-no-conntrack-iptables-rules: "false"
+  ipam: delegated-plugin
+  kube-proxy-replacement: strict
+  kube-proxy-replacement-healthz-bind-address: ""
+  local-router-ipv4: 169.254.23.0
+  metrics: +cilium_bpf_map_pressure
+  monitor-aggregation: medium
+  monitor-aggregation-flags: all
+  monitor-aggregation-interval: 5s
+  node-port-bind-protection: "true"
+  nodes-gc-interval: 5m0s
+  operator-api-serve-addr: 127.0.0.1:9234
+  operator-prometheus-serve-addr: :9963
+  preallocate-bpf-maps: "false"
+  procfs: /host/proc
+  prometheus-serve-addr: :9962
+  remove-cilium-node-taints: "true"
+  set-cilium-is-up-condition: "true"
+  sidecar-istio-proxy-image: cilium/istio_proxy
+  synchronize-k8s-nodes: "true"
+  tofqdns-dns-reject-response-code: refused
+  tofqdns-enable-dns-compression: "true"
+  tofqdns-endpoint-max-ip-per-hostname: "50"
+  tofqdns-idle-connection-grace-period: 0s
+  tofqdns-max-deferred-connection-deletes: "10000"
+  tofqdns-min-ttl: "3600"
+  tofqdns-proxy-response-max-delay: 100ms
+  #Replaces tunnel: disabled in v1.15
+  routing-mode: "native"
+  unmanaged-pod-watcher-interval: "15"
+  vtep-cidr: ""
+  vtep-endpoint: ""
+  vtep-mac: ""
+  vtep-mask: ""
+kind: ConfigMap
+metadata:
+  annotations:
+    meta.helm.sh/release-name: cilium
+    meta.helm.sh/release-namespace: kube-system
+  labels:
+    app.kubernetes.io/managed-by: Helm
+  name: cilium-config
+  namespace: kube-system