Add calico rules script and update workflow files
ykim-1 committed Jun 12, 2024
1 parent fe57a21 commit 07ba670
Showing 4 changed files with 166 additions and 0 deletions.
14 changes: 14 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -52,6 +52,14 @@ jobs:
- name: Install Python deps
run: pip3 install requests wheel boto3

- name: Download kubectl and calicoctl for LKE clusters
run: |
curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl"
curl -LO "https://github.com/projectcalico/calico/releases/download/v3.25.0/calicoctl-linux-amd64"
chmod +x calicoctl-linux-amd64 kubectl
mv calicoctl-linux-amd64 /usr/local/bin/calicoctl
mv kubectl /usr/local/bin/kubectl
- name: Install go-junit-report
run: go install github.com/jstemmer/go-junit-report/v2@latest

Expand All @@ -64,6 +72,12 @@ jobs:
env:
SKIP_LINT: 1

- name: Apply Calico Rules to LKE
run: |
cd scripts && ./lke_calico_rules_e2e.sh
env:
LINODE_TOKEN: ${{ secrets.DX_LINODE_TOKEN }}

- name: Upload test results to bucket
if: github.ref == 'refs/heads/main' && github.event_name == 'push' && always()
run: |
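Review bot: The kubectl and calicoctl binaries fetched at L22–L23 are installed into /usr/local/bin with no checksum verification, and kubectl is resolved from `stable.txt` at run time, so the job executes whatever those two endpoints return — in the same job that later holds `secrets.DX_LINODE_TOKEN` (L38). Pin the kubectl version and verify both downloads against a published or workflow-pinned SHA-256 before the `chmod`/`mv`; the Kubernetes release bucket publishes a `kubectl.sha256` next to the binary, and the calicoctl value should be taken from the v3.25.0 release checksums (placeholder below). The identical step at L50–L56 in integration_tests_pr.yml needs the same treatment. Separately, `storage.googleapis.com/kubernetes-release` is the legacy release location and `dl.k8s.io` the current one, though switching hosts is a separate change.
```yaml
- name: Download kubectl and calicoctl for LKE clusters
  run: |
    KUBECTL_VERSION="<pinned-kubectl-version>"     # placeholder: pin to a tested release
    CALICOCTL_SHA256="<expected-sha256-of-asset>"  # placeholder: checksum of the v3.25.0 asset
    curl -fsSLO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
    curl -fsSLO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
    curl -fsSLO "https://github.com/projectcalico/calico/releases/download/v3.25.0/calicoctl-linux-amd64"
    echo "${CALICOCTL_SHA256}  calicoctl-linux-amd64" | sha256sum --check
    # … unchanged: chmod and mv into /usr/local/bin …
```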
14 changes: 14 additions & 0 deletions .github/workflows/integration_tests_pr.yml
Expand Up @@ -36,6 +36,14 @@ jobs:
with:
ref: ${{ inputs.sha }}

- name: Download kubectl and calicoctl for LKE clusters
run: |
curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl"
curl -LO "https://github.com/projectcalico/calico/releases/download/v3.25.0/calicoctl-linux-amd64"
chmod +x calicoctl-linux-amd64 kubectl
mv calicoctl-linux-amd64 /usr/local/bin/calicoctl
mv kubectl /usr/local/bin/kubectl
- run: make ARGS="-run ${{ inputs.module }}" fixtures
if: ${{ inputs.module != '' && steps.disallowed-char-check.outputs.match == '' }}
env:
Expand All @@ -44,6 +52,12 @@ jobs:
if: ${{ inputs.module == '' }}
env:
LINODE_TOKEN: ${{ secrets.DX_LINODE_TOKEN }}

- name: Apply Calico Rules to LKE
run: |
cd scripts && ./lke_calico_rules_e2e.sh
env:
LINODE_TOKEN: ${{ secrets.DX_LINODE_TOKEN }}

- name: Get the hash value of the latest commit from the PR branch
uses: octokit/[email protected]
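Review bot: The `Apply Calico Rules to LKE` step at L65–L69 carries no `if:` condition, so it inherits the default `success()` and is skipped whenever an earlier step fails — and, judging by the script's own "All clusters have been cleaned and properly destroyed" message, a failed test run is precisely when clusters are likely to be left behind and need the policy. Add `if: always()` to the step, the same pattern the upload step at L41 in ci.yml already uses; the copy of this step at L34–L38 in ci.yml has the same gap. Since L48 checks out `inputs.sha`, the script invoked at L67 runs from that ref with `DX_LINODE_TOKEN`; whether that ref can be a fork-contributed commit depends on the workflow's trigger, which is outside the hunk, and the `make fixtures` step at L57 already has the same shape, so this is worth confirming rather than a new exposure.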
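--- /dev/null
+++ b/scripts/lke-policy.yaml
@@ -0,0 +1,78 @@
+apiVersion: projectcalico.org/v3
+kind: GlobalNetworkPolicy
+metadata:
+name: lke-rules
+spec:
+preDNAT: true
+applyOnForward: true
+order: 100
+# Remember to run calicoctl patch command for this to work
+selector: ""
+ingress:
+# Allow ICMP
+- action: Allow
+protocol: ICMP
+- action: Allow
+protocol: ICMPv6
+
+# Allow LKE-required ports
+- action: Allow
+protocol: TCP
+destination:
+nets:
+- 192.168.128.0/17
+- 10.0.0.0/8
+ports:
+- 10250
+- 10256
+- 179
+- action: Allow
+protocol: UDP
+destination:
+nets:
+- 192.168.128.0/17
+- 10.2.0.0/16
+ports:
+- 51820
+
+# Allow NodeBalancer ingress to the Node Ports & Allow DNS
+- action: Allow
+protocol: TCP
+source:
+nets:
+- 192.168.255.0/24
+- 10.0.0.0/8
+destination:
+ports:
+- 53
+- 30000:32767
+- action: Allow
+protocol: UDP
+source:
+nets:
+- 192.168.255.0/24
+- 10.0.0.0/8
+destination:
+ports:
+- 53
+- 30000:32767
+
+# Allow cluster internal communication
+- action: Allow
+destination:
+nets:
+- 10.0.0.0/8
+- action: Allow
+source:
+nets:
+- 10.0.0.0/8
+
+# 127.0.0.1/32 is needed for kubectl exec and node-shell
+- action: Allow
+destination:
+nets:
+- 127.0.0.1/32
+
+# Block everything else
+- action: Deny
+- action: Log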
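Review bot: The trailing `- action: Log` at L154 is unreachable: Calico evaluates ingress rules in order and `Deny` at L153 terminates processing, whereas `Log` records the packet and continues to the next rule, so nothing this policy drops will ever be logged. Swap the two so the policy ends with `- action: Log` followed by `- action: Deny`, which logs exactly the traffic that is about to be denied. Separately, the `Allow LKE-required ports` rules at L95–L112 constrain only `destination.nets`, so TCP 10250/10256/179 and UDP 51820 are accepted from any source that can reach the node's private ranges; if those are meant to be node-to-node and control-plane flows only, a matching `source.nets` block would narrow them, but the right source ranges depend on how LKE addresses its nodes and are not visible here. The comment at L85 could also name the command it refers to, e.g. `# Requires the kubecontrollersconfiguration hostEndpoint autoCreate patch applied by lke_calico_rules_e2e.sh`, so the dependency survives outside the script.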
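--- /dev/null
+++ b/scripts/lke_calico_rules_e2e.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+RETRIES=3
+DELAY=30
+
+# Function to retry a command with exponential backoff
+retry_command() {
+local retries=$1
+local wait_time=60
+shift
+until "$@"; do
+if ((retries == 0)); then
+echo "Command failed after multiple retries. Exiting."
+exit 1
+fi
+echo "Command failed. Retrying in $wait_time seconds..."
+sleep $wait_time
+((retries--))
+wait_time=$((wait_time * 2))
+done
+}
+
+# Fetch the list of LKE cluster IDs
+CLUSTER_IDS=$(curl -s -H "Authorization: Bearer $LINODE_TOKEN" \
+-H "Content-Type: application/json" \
+"https://api.linode.com/v4/lke/clusters" | jq -r '.data[].id')
+
+# Check if CLUSTER_IDS is empty
+if [ -z "$CLUSTER_IDS" ]; then
+echo "All clusters have been cleaned and properly destroyed. No need to apply inbound or outbound rules"
+exit 0
+fi
+
+for ID in $CLUSTER_IDS; do
+echo "Applying Calico rules to nodes in Cluster ID: $ID"
+
+# Download cluster configuration file with retry
+for ((i=1; i<=RETRIES; i++)); do
+config_response=$(curl -sH "Authorization: Bearer $LINODE_TOKEN" "https://api.linode.com/v4/lke/clusters/$ID/kubeconfig")
+if [[ $config_response != *"kubeconfig is not yet available"* ]]; then
+echo $config_response | jq -r '.[] | @base64d' > "/tmp/${ID}_config.yaml"
+break
+fi
+echo "Attempt $i to download kubeconfig for cluster $ID failed. Retrying in $DELAY seconds..."
+sleep $DELAY
+done
+
+if [[ $config_response == *"kubeconfig is not yet available"* ]]; then
+echo "kubeconfig for cluster id:$ID not available after $RETRIES attempts, mostly likely it is an empty cluster. Skipping..."
+else
+# Export downloaded config file
+export KUBECONFIG="/tmp/${ID}_config.yaml"
+
+retry_command $RETRIES kubectl get nodes
+
+retry_command $RETRIES calicoctl patch kubecontrollersconfiguration default --allow-version-mismatch --patch='{"spec": {"controllers": {"node": {"hostEndpoint": {"autoCreate": "Enabled"}}}}}'
+
+retry_command $RETRIES calicoctl apply --allow-version-mismatch -f "$(pwd)/lke-policy.yaml"
+fi
+done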
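Review bot: The cluster listing at L181–L183 uses `curl -s` without `--fail`, so a 401/403 from an expired or wrong `LINODE_TOKEN`, or any 5xx, returns an error JSON body, `jq -r '.data[].id'` emits nothing, and the check at L186 prints "All clusters have been cleaned" and exits 0 — a credential or API failure is indistinguishable from success and the hardening silently never runs. Fetch with `--fail` into a variable and parse it in a second step so a non-zero curl exit aborts the script; the kubeconfig fetch at L196 has the same `-s`-only shape, and its `*"kubeconfig is not yet available"*` test treats any other error body as a valid config to write at L198. That kubeconfig is also written to a predictable path under /tmp with the default umask and never removed, so add `umask 077` before the first write and `rm -f "/tmp/${ID}_config.yaml"` after the `done` at L217. `set -uo pipefail` near the top makes the remaining failures visible (including an unset `LINODE_TOKEN`); `-e` would additionally abort the retry loop at L195–L203 on transport errors, so enable it only with that loop adjusted.
```bash
#!/bin/bash
set -uo pipefail
umask 077   # kubeconfigs written below hold cluster credentials

# … unchanged: RETRIES, DELAY, retry_command …

# Fetch the list of LKE cluster IDs; abort on HTTP or transport errors instead of
# treating an error body as "no clusters".
if ! CLUSTERS_JSON=$(curl -sS --fail -H "Authorization: Bearer $LINODE_TOKEN" \
  -H "Content-Type: application/json" \
  "https://api.linode.com/v4/lke/clusters"); then
  echo "Failed to list LKE clusters; not applying Calico rules." >&2
  exit 1
fi
CLUSTER_IDS=$(jq -r '.data[].id' <<< "$CLUSTERS_JSON")

# … unchanged: empty check, per-cluster loop …
```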
