[CI] Fix NetworkPolicy tests on Clouds (#4064)

GKE's cluster version now defaults to v1.24.1, which no longer creates secret for service account automatically, the verification in old test cases would fail. This patch makes the test determine conformance container image version based on the cluster's version to avoid such issue. However, the test suite Netpol introduced in new conformance image uses a Namespace creation function which is not robust, leanding to random test failures in GKE test. This patch skips it temporarily. Besides, legacy NetworkPolicy tests for AKS and EKS have been skipped by mistake for a while because of a conflicting skip regex. This patch fixes it. For #3762 Signed-off-by: Quan Tian <qtian@vmware.com>
antrea-io · Aug 9, 2022 · 024254d · 024254d
1 parent 9f0392d
commit 024254d
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 11 deletions.
diff --git a/ci/test-conformance-aks.sh b/ci/test-conformance-aks.sh
@@ -247,10 +247,14 @@ function run_conformance() {
     echo "=== Running Antrea Conformance and Network Policy Tests ==="
     # Skip NodePort related cases for AKS since as Nodes in AKS cluster seem not accessible from other Nodes
     # through public IPs by default. See https://github.com/antrea-io/antrea/issues/2409
-    skip_regex="\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:.+\]|\[sig-cli\]|\[sig-storage\]|\[sig-auth\]|\[sig-api-machinery\]|\[sig-apps\]|\[sig-node\]|NodePort"
-    ${GIT_CHECKOUT_DIR}/ci/run-k8s-e2e-tests.sh --e2e-conformance --e2e-network-policy --e2e-skip ${skip_regex} \
+    skip_regex="\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:.+\]|\[sig-cli\]|\[sig-storage\]|\[sig-auth\]|\[sig-api-machinery\]|\[sig-apps\]|\[sig-node\]|\[sig-instrumentation\]|NodePort"
+    ${GIT_CHECKOUT_DIR}/ci/run-k8s-e2e-tests.sh --e2e-conformance --e2e-skip ${skip_regex} \
       --kube-conformance-image-version ${KUBE_CONFORMANCE_IMAGE_VERSION} \
-      --log-mode ${MODE} > ${GIT_CHECKOUT_DIR}/aks-test.log || TEST_SCRIPT_RC=$?
+      --log-mode ${MODE} > ${GIT_CHECKOUT_DIR}/aks-test.log && \
+    ${GIT_CHECKOUT_DIR}/ci/run-k8s-e2e-tests.sh --e2e-network-policy --e2e-skip "Netpol" \
+      --kube-conformance-image-version ${KUBE_CONFORMANCE_IMAGE_VERSION} \
+      --log-mode ${MODE} >> ${GIT_CHECKOUT_DIR}/aks-test.log || \
+    TEST_SCRIPT_RC=$?
 
     if [[ $TEST_SCRIPT_RC -eq 0 ]]; then
         echo "All tests passed."

diff --git a/ci/test-conformance-eks.sh b/ci/test-conformance-eks.sh
@@ -262,10 +262,14 @@ function run_conformance() {
 
     # Skip NodePort related cases for EKS since by default eksctl does not create security groups for nodeport service
     # access through node external IP. See https://github.com/antrea-io/antrea/issues/690
-    skip_regex="\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:.+\]|\[sig-cli\]|\[sig-storage\]|\[sig-auth\]|\[sig-api-machinery\]|\[sig-apps\]|\[sig-node\]|NodePort"
-    ${GIT_CHECKOUT_DIR}/ci/run-k8s-e2e-tests.sh --e2e-conformance --e2e-network-policy --e2e-skip ${skip_regex} \
-       --kube-conformance-image-version ${KUBE_CONFORMANCE_IMAGE_VERSION} \
-       --log-mode ${MODE} > ${GIT_CHECKOUT_DIR}/eks-test.log || TEST_SCRIPT_RC=$?
+    skip_regex="\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:.+\]|\[sig-cli\]|\[sig-storage\]|\[sig-auth\]|\[sig-api-machinery\]|\[sig-apps\]|\[sig-node\]|\[sig-instrumentation\]|NodePort"
+    ${GIT_CHECKOUT_DIR}/ci/run-k8s-e2e-tests.sh --e2e-conformance --e2e-skip ${skip_regex} \
+      --kube-conformance-image-version ${KUBE_CONFORMANCE_IMAGE_VERSION} \
+      --log-mode ${MODE} > ${GIT_CHECKOUT_DIR}/eks-test.log && \
+    ${GIT_CHECKOUT_DIR}/ci/run-k8s-e2e-tests.sh --e2e-network-policy --e2e-skip "Netpol" \
+      --kube-conformance-image-version ${KUBE_CONFORMANCE_IMAGE_VERSION} \
+      --log-mode ${MODE} >> ${GIT_CHECKOUT_DIR}/eks-test.log || \
+    TEST_SCRIPT_RC=$?
 
     if [[ $TEST_SCRIPT_RC -eq 0 ]]; then
         echo "All tests passed."

diff --git a/ci/test-conformance-gke.sh b/ci/test-conformance-gke.sh
@@ -31,8 +31,7 @@ RUN_ALL=true
 RUN_SETUP_ONLY=false
 RUN_CLEANUP_ONLY=false
 TEST_SCRIPT_RC=0
-# There is a problem with the netpol suite added in v1.21.0 when running on GKE. See #3762 for details.
-KUBE_CONFORMANCE_IMAGE_VERSION=v1.20.15
+KUBE_CONFORMANCE_IMAGE_VERSION=auto
 
 _usage="Usage: $0 [--cluster-name <GKEClusterNameToUse>]  [--kubeconfig <KubeconfigSavePath>] [--k8s-version <ClusterVersion>] \
                   [--svc-account <Name>] [--user <Name>] [--gke-project <Project>] [--gke-zone <Zone>] [--log-mode <SonobuoyResultLogLevel>] \
@@ -262,9 +261,15 @@ function run_conformance() {
     # Allow nodeport traffic by external IP
     ${GCLOUD_PATH} compute firewall-rules create allow-nodeport --allow tcp:30000-32767
 
-    ${GIT_CHECKOUT_DIR}/ci/run-k8s-e2e-tests.sh --e2e-conformance --e2e-network-policy \
+    ${GIT_CHECKOUT_DIR}/ci/run-k8s-e2e-tests.sh --e2e-conformance \
       --kube-conformance-image-version ${KUBE_CONFORMANCE_IMAGE_VERSION} \
-      --log-mode ${MODE} > ${GIT_CHECKOUT_DIR}/gke-test.log || TEST_SCRIPT_RC=$?
+      --log-mode ${MODE} > ${GIT_CHECKOUT_DIR}/gke-test.log && \
+   # Skip Netpol tests for GKE as the test suite's Namespace creation function is not robust, which leads to test
+   # failures. See https://github.com/antrea-io/antrea/issues/3762#issuecomment-1195865441.
+    ${GIT_CHECKOUT_DIR}/ci/run-k8s-e2e-tests.sh --e2e-network-policy --e2e-skip "Netpol" \
+      --kube-conformance-image-version ${KUBE_CONFORMANCE_IMAGE_VERSION} \
+      --log-mode ${MODE} >> ${GIT_CHECKOUT_DIR}/gke-test.log || \
+    TEST_SCRIPT_RC=$?
 
     if [[ $TEST_SCRIPT_RC -eq 0 ]]; then
         echo "All tests passed."