policy: Use timing-safe string comparison #1984

Workflow file for this run

.github/workflows/cilium-integration-tests.yaml at ac132a6

	name: Cilium Integration Tests
	on:
	push:
	branches:
	- main
	pull_request_target:
	types:
	- opened
	- reopened
	- synchronize
	branches:
	- main

	# By specifying the access of one of the scopes, all of those that are not specified are set to 'none'.
	permissions:
	# To be able to access the repository with actions/checkout
	contents: read
	# To allow writing PR comments and setting emojis
	pull-requests: write

	env:
	KIND_VERSION: v0.18.0
	CILIUM_REPO_OWNER: cilium
	CILIUM_REPO_REF: main
	CILIUM_CLI_REF: latest

	jobs:
	cilium-connectivity-tests:
	timeout-minutes: 360
	name: Cilium Connectivity Tests
	if: github.event_name == 'pull_request' \|\| github.event_name == 'pull_request_target'
	runs-on: ubuntu-latest
	steps:
	- name: Prepare variables for pushes to main
	if: github.event_name == 'push'
	run: \|
	echo "PROXY_IMAGE=quay.io/cilium/cilium-envoy" >> $GITHUB_ENV
	echo "PROXY_TAG=${{ github.sha }}" >> $GITHUB_ENV
	echo "PROXY_GITHUB_REPO=github.com/cilium/proxy" >> $GITHUB_ENV

	- name: Prepare variables for PR
	if: github.event_name == 'pull_request' \|\| github.event_name == 'pull_request_target'
	run: \|
	echo "PROXY_IMAGE=quay.io/cilium/cilium-envoy-dev" >> $GITHUB_ENV
	echo "PROXY_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
	echo "PROXY_GITHUB_REPO=github.com/${{github.event.pull_request.head.repo.full_name}}" >> $GITHUB_ENV

	- name: Checkout Cilium ${{ env.CILIUM_REPO_REF }}
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
	with:
	repository: ${{ env.CILIUM_REPO_OWNER }}/cilium # Be aware that this is the Cilium repository and not the one of the proxy itself!
	ref: ${{ env.CILIUM_REPO_REF }}
	persist-credentials: false

	- name: Extracting Cilium version
	run: \|
	echo "CILIUM_IMAGE_TAG=v$(cat ./VERSION)" >> $GITHUB_ENV

	- name: Install Cilium CLI ${{ env.CILIUM_CLI_REF }}
	run: \|
	versionPattern="^v[0-9]+\.[0-9]+\.[0-9]+$"
	if [[ ${{ env.CILIUM_CLI_REF }} =~ $versionPattern ]]; then
	curl -sSL --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${{ env.CILIUM_CLI_REF }}/cilium-linux-amd64.tar.gz{,.sha256sum}
	sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
	sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
	rm cilium-linux-amd64.tar.gz{,.sha256sum}
	else
	cid=$(docker create quay.io/cilium/cilium-cli-ci:${{ env.CILIUM_CLI_REF }} ls)
	sudo docker cp $cid:/usr/local/bin/cilium /usr/local/bin
	docker rm $cid
	fi
	cilium version

	- name: Create kind cluster
	uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
	with:
	version: ${{ env.KIND_VERSION }}
	config: '.github/kind-config.yaml'
	cluster_name: 'kind'

	- name: Patch Cilium Agent Dockerfile
	shell: bash
	run: \|
	sed -i -E 's\|(ARG CILIUM_ENVOY_IMAGE=)(quay\.io\/cilium\/cilium-envoy:)(.)(@sha256:[0-9a-z])\|\1${{ env.PROXY_IMAGE }}:${{ env.PROXY_TAG }}\|' ./images/cilium/Dockerfile
	cat ./images/cilium/Dockerfile
	if git diff --exit-code ./images/cilium/Dockerfile; then
	echo "Dockerfile not modified"
	exit 1
	fi

	- name: Install Go
	uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
	with:
	# renovate: datasource=golang-version depName=go
	go-version: 1.22.8

	- name: Redirect proxy module
	shell: bash
	if: env.PROXY_GITHUB_REPO != 'github.com/cilium/proxy'
	run: echo "replace github.com/cilium/proxy => ${{ env.PROXY_GITHUB_REPO }} ${{ env.PROXY_TAG }}" >> go.mod

	- name: Update proxy module
	shell: bash
	if: env.PROXY_GITHUB_REPO == 'github.com/cilium/proxy'
	run: go get ${{ env.PROXY_GITHUB_REPO }}@${{ env.PROXY_TAG }}

	- name: Vendor proxy module
	shell: bash
	run: \|
	go mod tidy && \
	go mod verify && \
	go mod vendor

	- name: Wait for Cilium Proxy image to be available
	timeout-minutes: 45
	shell: bash
	run: until docker manifest inspect ${{ env.PROXY_IMAGE }}:${{ env.PROXY_TAG }} &> /dev/null; do sleep 15s; done

	- name: Build Cilium Agent & Operator with patched Cilium Proxy Image
	shell: bash
	run: DOCKER_IMAGE_TAG=${{ env.CILIUM_IMAGE_TAG }} make docker-cilium-image docker-operator-generic-image

	- name: Load Cilium Images into kind
	shell: bash
	run: \|
	kind load docker-image \
	--name kind \
	quay.io/cilium/operator-generic:${{ env.CILIUM_IMAGE_TAG }} \
	quay.io/cilium/cilium:${{ env.CILIUM_IMAGE_TAG }}

	- name: Install Cilium
	timeout-minutes: 10
	shell: bash
	run: \|
	cilium install \
	--chart-directory install/kubernetes/cilium \
	--helm-set bpf.monitorAggregation=none \
	--helm-set loadBalancer.l7.backend=envoy \
	--helm-set tls.secretsBackend=k8s \
	--helm-set image.repository=quay.io/cilium/cilium \
	--helm-set image.tag=${{ env.CILIUM_IMAGE_TAG }} \
	--helm-set image.useDigest=false \
	--helm-set image.pullPolicy=Never \
	--helm-set operator.image.repository=quay.io/cilium/operator \
	--helm-set operator.image.suffix= \
	--helm-set operator.image.tag=${{ env.CILIUM_IMAGE_TAG }} \
	--helm-set operator.image.useDigest=false \
	--helm-set operator.image.pullPolicy=Never \
	--helm-set debug.enabled=true \
	--helm-set debug.verbose=envoy

	cilium hubble enable
	cilium status --wait
	cilium hubble port-forward&

	- name: Execute Cilium L7 Connectivity Tests
	shell: bash
	run: cilium connectivity test --test=l7

	- name: Gather Cilium system dump
	if: failure()
	shell: bash
	run: cilium sysdump --output-filename cilium-integration-test-sysdump


	- name: Upload Cilium system dump
	if: failure()
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: cilium-integration-test-sysdump
	path: cilium-integration-test-sysdump.zip
	retention-days: 5

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

policy: Use timing-safe string comparison #1984

Workflow file

policy: Use timing-safe string comparison #1984

Jobs

Run details

Workflow file for this run