[WIP] Test Cilium 4.20-dev with KubeVirt#81428

Open
mgencur wants to merge 7 commits into openshift:main from mgencur:cilium_kubevirt_mgmt_4.22_cilium_4.20

Conversation

@mgencur mgencur commented Jul 3, 2026

Contributor

Summary by CodeRabbit

This PR updates OpenShift CI’s Cilium-enabled KubeVirt/HyperShift workflows to install Cilium more directly during cluster day-0 setup, make the Cilium chart/CLI inputs configurable, and align conformance networking behavior with Cilium.

Practically, it:

  • Reworks the Cilium configuration step (ci-operator/step-registry/cilium/conf/*) to generate day-0 CNI manifests via cilium install --dry-run (instead of downloading/unpacking OLM manifests), parameterizing CILIUM_VERSION, CILIUM_REPOSITORY, and CILIUM_CLI_VERSION via environment variables.
  • Produces and stages the required manifest set for the cluster run (Cilium namespace, CNI override ConfigMap, and a DNS-to-kube-apiserver CiliumNetworkPolicy), and applies the needed OpenShift privileged SCC binding for installation.
  • Adjusts tunnel porting to accommodate distinct management vs hosted cluster requirements: uses tunnelPort=4790 in the management setup and tunnelPort=4789 for the hosted/extended Hypershift path.
  • Updates HyperShift KubeVirt conformance workflows (ci-operator/step-registry/hypershift/kubevirt/...) to run the new Cilium config step, include cilium-dump in teardown, switch the installed network type from OVNKubernetes to Cilium, and refine TEST_SKIPS to match updated Cilium/network-policy expectations.
  • Adds/configures chart repository/version inputs in the related cucushift extended Cilium step (ci-operator/step-registry/cucushift/hypershift-extended/cilium/*) so the cilium install command uses --repository "${CILIUM_REPOSITORY}" (defaulting to oci://quay.io/cilium/charts/cilium), and updates associated skip patterns in the MCE metal3 conformance workflow.
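The day-0 flow the summary describes, as an added shell example that is not the PR's cilium-conf-commands.sh: the `cilium install --dry-run` invocation uses the flags and defaults named above, and the manifest split plus the version/repository consistency check (the mismatch the review raised) run offline on a constructed sample. The per-file naming scheme and the dev chart repository URL are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's cilium-conf-commands.sh. Reproduces the day-0
# flow the summary describes: render manifests with `cilium install --dry-run`
# and stage them one file per object in SHARED_DIR for the installer.
set -eu

# Split a multi-document YAML stream (stdin) into files named
# manifest_cilium-NN-<kind>-<name>.yaml under $1 (naming scheme assumed here).
# Heuristic: kind comes from the top-level "kind:" line, name from the first
# two-space-indented "name:" line (metadata.name); empty documents are dropped.
split_manifests() {
  outdir="$1"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    function flush() {
      if (buf ~ /[^ \t\n]/ && kind != "" && name != "") {
        n++
        f = sprintf("%s/manifest_cilium-%02d-%s-%s.yaml", dir, n, tolower(kind), name)
        printf "%s", buf > f
        close(f)
      }
      buf = ""; kind = ""; name = ""
    }
    /^---[ \t]*$/            { flush(); next }
    /^kind:/ && kind == ""   { kind = $2 }
    /^  name:/ && name == "" { name = $2 }
    { buf = buf $0 "\n" }
    END { flush() }
  '
}

# Render the chart the way the step does. The PR uses tunnelPort=4790 on the
# management cluster and 4789 on the KubeVirt hosted cluster; the commit note
# says the two must differ, so the caller passes the port for its cluster.
render_day0_manifests() {
  tunnel_port="$1"
  cilium install --dry-run \
    --version "${CILIUM_VERSION:-1.19.4}" \
    --repository "${CILIUM_REPOSITORY:-oci://quay.io/cilium/charts/cilium}" \
    --set tunnelPort="$tunnel_port" \
    | split_manifests "${SHARED_DIR:?SHARED_DIR must be set}"
}

# Guard against the mismatch the review flagged: a "-dev" CILIUM_VERSION only
# resolves from the dev chart repository (cilium-charts-dev), and a released
# version must not be pulled from it. Returns 0 when the pair is consistent.
check_chart_defaults() {
  version="$1"; repo="$2"
  case "$version" in
    *-dev*) case "$repo" in *charts-dev*) return 0 ;; *) return 1 ;; esac ;;
    *)      case "$repo" in *charts-dev*) return 1 ;; *) return 0 ;; esac ;;
  esac
}
```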

mgencur and others added 5 commits July 3, 2026 07:28
Replace deprecated isovalent/olm-for-cilium OLM manifest download with
cilium CLI's install --dry-run to generate day-0 manifests. This aligns
with the cucushift reference script's approach while preserving the
day-0 nature of the step (manifests stored in SHARED_DIR for installer).

Changes:
- Download cilium CLI v0.19.2 and use it to render Helm chart manifests
- Add cniVersion override ConfigMap manifest (OCPBUGS-86033 workaround)
- Add SCC ClusterRoleBinding for cilium service accounts
- Update CILIUM_VERSION from 1.13.9 to 1.19.4
- Add CILIUM_CLI_VERSION env var (default 0.19.2) to ref.yaml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add "deny ingress access to updated pod" test to the skip list in both
kubevirt-baremetalds-conformance-cilium and
mce-agent-metal3-conformance-cilium
workflows. The test is flaky where Cilium reacts more slowly than OVN
Kubernetes and this test is sensitive to timing. Some other tests for
Network policies were skipped in the past as well, so adding one more to
this category is probably not a big deal (low priority). See
https://redhat.atlassian.net/browse/OCPQE-28785 for the details why the
original ones were disabled.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ev build

Add CILIUM_REPOSITORY env var to allow overriding the Helm chart source,
enabling testing with development builds from cilium-charts-dev. Update
the kubevirt-baremetalds-conformance-cilium workflow to use Cilium
1.20.0-dev for validating KubeVirt fixes ahead of the stable release.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 3, 2026
@openshift-ci openshift-ci Bot requested review from csrwng and jtaleric July 3, 2026 07:39
coderabbitai Bot commented Jul 3, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: fc710f28-707e-4591-bf36-e235f0eed616

📥 Commits

Reviewing files that changed from the base of the PR and between b30f760 and 7d70ad2.

📒 Files selected for processing (4)
  • ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
  • ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-commands.sh
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml
✅ Files skipped from review due to trivial changes (1)
  • ci-operator/step-registry/cucushift/hypershift-extended/cilium/cucushift-hypershift-extended-cilium-ref.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh

Walkthrough

Replaces Cilium OLM manifest installation with a cilium-cli --dry-run manifest generation flow, adds configurable Cilium repository/version inputs, and updates two conformance workflows to use the new step, Cilium networking, and revised test skips.

Changes

Cilium manifest generation and workflow wiring

Layer / File(s) / Summary

Configurable Cilium inputs
  Files: ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh, ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml, ci-operator/step-registry/cucushift/hypershift-extended/cilium/*
  Summary: Adds defaulted Cilium repository/version inputs and updates the step reference and command wiring to use the configurable repository value.

Dry-run manifest generation
  Files: ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
  Summary: Downloads cilium-cli, writes base manifests, runs cilium install --dry-run, and splits the resulting YAML into per-manifest files in SHARED_DIR.

Workflow updates
  Files: ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml, ci-operator/step-registry/hypershift/mce/agent/metal3/conformance/cilium/hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml
  Summary: Updates the kubevirt baremetalds workflow pre/post chains, environment, skips, and network type, and adds a new ingress-denial skip to the MCE agent metal3 workflow.

Estimated code review effort: 3 (Moderate) | ~25 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
Container-Privileges ❌ Error cilium-conf-commands.sh generates manifest_cilium-00-scc-privileged.yaml, a ClusterRoleBinding to system:openshift:scc:privileged for Cilium SAs. Remove the privileged SCC binding or replace it with the least-privileged SCC needed, and add a clear justification if privileged access is unavoidable.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the PR’s main goal of testing Cilium with KubeVirt, even if the exact version details differ.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only a shell step script changed; no Ginkgo It/Describe/Context/When titles were added or modified, so no unstable test names are present.
Test Structure And Quality ✅ Passed Only ci-operator step-registry shell script changed; no Ginkgo test code or It/BeforeEach/Eventually patterns were touched.
Microshift Test Compatibility ✅ Passed Only a shell script changed; no new Ginkgo tests or MicroShift-unsupported APIs/features were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e test code was added; the PR only touches step-registry shell/YAML workflow config, with no It/Describe/Context additions.
Topology-Aware Scheduling Compatibility ✅ Passed No new topology-sensitive scheduling constraints were added; the PR only updates CI step scripts/workflows and contains no affinity, nodeSelector, or replica logic.
Ote Binary Stdout Contract ✅ Passed Only a tunnelPort value changed in a shell step script; no new process-level stdout writes or binary entrypoints were added.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only change is tunnelPort 4789→4790 in an already IPv4/connected workflow; no new Ginkgo test bodies or IPv6/disconnected assumptions were added.
No-Weak-Crypto ✅ Passed Touched Cilium scripts/YAMLs only add version/config tweaks; searches found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret/token comparisons.
No-Sensitive-Data-In-Logs ✅ Passed No new logging of secrets/PII found; only benign echoes, and proxy config is sourced before set -x in the script that handles it.

mgencur commented Jul 3, 2026

Contributor Author

/pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-kubevirt-metal-conformance-cilium

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml`:
- Around line 11-17: The Cilium defaults in cilium-conf are mismatched:
CILIUM_VERSION points to a dev build while CILIUM_REPOSITORY still targets the
stable chart repo. Update the default repository in the CILIUM_REPOSITORY entry
to the dev charts location, or change the CILIUM_VERSION default to a released
chart so the two defaults stay in sync. Use the CILIUM_VERSION and
CILIUM_REPOSITORY definitions in the cilium-conf ref to make the adjustment.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 876fbb72-727a-480a-ad53-681a6b505197

📥 Commits

Reviewing files that changed from the base of the PR and between 5276f25 and b30f760.

📒 Files selected for processing (4)
  • ci-operator/step-registry/cilium/conf/cilium-conf-commands.sh
  • ci-operator/step-registry/cilium/conf/cilium-conf-ref.yaml
  • ci-operator/step-registry/hypershift/kubevirt/baremetalds/conformance-cilium/hypershift-kubevirt-baremetalds-conformance-cilium-workflow.yaml
  • ci-operator/step-registry/hypershift/mce/agent/metal3/conformance/cilium/hypershift-mce-agent-metal3-conformance-cilium-workflow.yaml

@openshift-merge-bot

Contributor

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

mgencur and others added 2 commits July 3, 2026 14:40
…le in cucushift step

Dev version 1.20.0-dev not found in quay.io/cilium/charts. Revert to
1.19.4 and add CILIUM_REPOSITORY env var to cucushift cilium ref.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Must be different from the port on hosted cluster in case of KubeVirt
openshift-ci Bot commented Jul 3, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mgencur
Once this PR has been reviewed and has the lgtm label, please assign jtaleric for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

Contributor

[REHEARSALNOTIFIER]
@mgencur: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
periodic-ci-openshift-release-main-ci-4.8-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.20-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.18-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.22-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.20-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.21-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.12-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-5.0-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.17-e2e-aws-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.13-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.10-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.15-amd64-nightly-aws-rosa-hcp-capi-private-stage-f60 N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.16-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-aws-conformance-cilium-private N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.17-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.14-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.21-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-kubevirt-metal-conformance-cilium N/A periodic Registry content changed
periodic-ci-openshift-hypershift-release-4.19-periodics-e2e-aws-conformance-cilium-private N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.16-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.17-e2e-azure-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.22-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.15-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.19-e2e-gcp-cilium N/A periodic Registry content changed
periodic-ci-openshift-release-main-ci-4.19-e2e-aws-cilium N/A periodic Registry content changed

A total of 71 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

mgencur commented Jul 3, 2026

Contributor Author

/pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-kubevirt-metal-conformance-cilium

@openshift-merge-bot

Contributor

@mgencur: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci Bot commented Jul 3, 2026

Contributor

@mgencur: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/rehearse/periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-kubevirt-metal-conformance-cilium 7d70ad2 link unknown /pj-rehearse periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-kubevirt-metal-conformance-cilium

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
