ovn db: add support for listening on pod ip (#2235)

* Revert "ovn nb and sb can't bind lan ip in ssl (#2200)"

This reverts commit c0d76fd.

* ovn db: listen to pod ip

* add e2e

* code optimization

.github/workflows/build-x86-image.yaml

@@ -534,8 +534,8 @@ jobs:
         run: make kube-ovn-ic-conformance-e2e
 
   chart-installation-test:
-    needs: build-kube-ovn
     name: Chart Installation Test
+    needs: build-kube-ovn
     runs-on: ubuntu-22.04
     timeout-minutes: 30
     steps:
@@ -573,45 +573,9 @@ jobs:
       - name: Cleanup
         run: sh dist/images/cleanup.sh
 
-  ha-installation-test:
-    needs: build-kube-ovn
-    name: HA Installation Test
-    runs-on: ubuntu-22.04
-    timeout-minutes: 30
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Install kind
-        run: |
-          curl -Lo ./kind https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-$(uname)-amd64
-          chmod +x ./kind
-          sudo mv kind /usr/local/bin
-
-      - name: Download image
-        uses: actions/download-artifact@v3
-        with:
-          name: kube-ovn
-
-      - name: Load image
-        run: docker load --input kube-ovn.tar
-
-      - name: Create kind cluster
-        run: |
-          sudo pip3 install j2cli
-          sudo pip3 install "j2cli[yaml]"
-          sudo PATH=~/.local/bin:$PATH make kind-init-ha
-          sudo cp -r /root/.kube/ ~/.kube/
-          sudo chown -R $(id -un). ~/.kube/
-
-      - name: Install Kube-OVN
-        run: sudo ENABLE_SSL=true make kind-install
-
-      - name: Cleanup
-        run: sh dist/images/cleanup.sh
-
   underlay-logical-gateway-installation-test:
-    needs: build-kube-ovn
     name: Underlay Logical Gateway Installation Test
+    needs: build-kube-ovn
     runs-on: ubuntu-22.04
     timeout-minutes: 30
     steps:
@@ -646,8 +610,8 @@ jobs:
         run: sh dist/images/cleanup.sh
 
   no-ovn-lb-test:
-    needs: build-kube-ovn
     name: Disable OVN LB Test
+    needs: build-kube-ovn
     runs-on: ubuntu-22.04
     timeout-minutes: 30
     steps:
@@ -684,8 +648,8 @@ jobs:
         run: sh dist/images/cleanup.sh
 
   no-np-test:
-    needs: build-kube-ovn
     name: Disable Network Policy Test
+    needs: build-kube-ovn
     runs-on: ubuntu-22.04
     timeout-minutes: 30
     steps:
@@ -722,10 +686,10 @@ jobs:
         run: sh dist/images/cleanup.sh
 
   lb-svc-e2e:
+    name: LB Service E2E
     needs:
       - build-kube-ovn
       - build-vpc-nat-gateway
-    name: LB Service E2E
     runs-on: ubuntu-22.04
     timeout-minutes: 30
     steps:
@@ -811,8 +775,8 @@ jobs:
         run: make kube-ovn-lb-svc-conformance-e2e
 
   installation-compatibility-test:
-    needs: build-kube-ovn
     name: Installation Compatibility Test
+    needs: build-kube-ovn
     runs-on: ubuntu-22.04
     timeout-minutes: 10
     steps:
@@ -847,8 +811,8 @@ jobs:
         run: sh dist/images/cleanup.sh
 
   cilium-chaining-e2e:
-    needs: build-kube-ovn
     name: Cilium Chaining E2E
+    needs: build-kube-ovn
     runs-on: ubuntu-22.04
     timeout-minutes: 30
     steps:
@@ -934,7 +898,106 @@ jobs:
       - name: Cleanup
         run: sh dist/images/cleanup.sh
 
+  kube-ovn-security-e2e:
+    name: Kube-OVN Security E2E
+    needs: build-kube-ovn
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        ssl:
+          - "true"
+          - "false"
+        bind-local:
+          - "true"
+          - "false"
+        ip-family:
+          - ipv4
+          - ipv6
+          - dual
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Create the default branch directory
+        run: mkdir -p test/e2e/source
+
+      - name: Check out the default branch
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+          fetch-depth: 1
+          path: test/e2e/source
+
+      - name: Export E2E directory
+        run: |
+          if [ '${{ github.base_ref || github.ref_name }}' = '${{ github.event.repository.default_branch }}' ]; then
+            echo "E2E_DIR=." >> "$GITHUB_ENV"
+          else
+            echo "E2E_DIR=test/e2e/source" >> "$GITHUB_ENV"
+          fi
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: '${{ env.GO_VERSION }}'
+          check-latest: true
+        id: go
+
+      - name: Export Go full version
+        run: echo "GO_FULL_VER=$(go version | awk '{print $3}')" >> "$GITHUB_ENV"
+
+      - name: Go cache
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles('${{ env.E2E_DIR }}/**/go.sum') }}
+          restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-
+
+      - name: Build e2e binaries
+        working-directory: ${{ env.E2E_DIR }}
+        run: make e2e-compile
+
+      - name: Install kind
+        run: |
+          curl -Lo ./kind https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-$(uname)-amd64
+          chmod +x ./kind
+          sudo mv kind /usr/local/bin
+
+      - name: Download image
+        uses: actions/download-artifact@v3
+        with:
+          name: kube-ovn
+
+      - name: Load image
+        run: docker load --input kube-ovn.tar
+
+      - name: Create kind cluster
+        run: |
+          sudo pip3 install j2cli
+          sudo pip3 install "j2cli[yaml]"
+          sudo PATH=~/.local/bin:$PATH make kind-init-ha-${{ matrix.ip-family }}
+          sudo cp -r /root/.kube/ ~/.kube/
+          sudo chown -R $(id -un). ~/.kube/
+
+      - name: Install Kube-OVN
+        run: |
+          sudo ENABLE_SSL=${{ matrix.ssl }} ENABLE_BIND_LOCAL_IP=${{ matrix.bind-local }} \
+            make kind-install-${{ matrix.ip-family }}
+
+      - name: Run E2E
+        working-directory: ${{ env.E2E_DIR }}
+        env:
+          E2E_BRANCH: ${{ github.base_ref || github.ref_name }}
+          E2E_IP_FAMILY: ${{ matrix.ip-family }}
+        run: make kube-ovn-security-e2e
+
+      - name: Cleanup
+        run: sh dist/images/cleanup.sh
+
   push:
+    name: Push Images
     needs:
       - build-centos-compile
       - k8s-conformance-e2e
@@ -943,14 +1006,13 @@ jobs:
       - kube-ovn-conformance-e2e
       - kube-ovn-ic-conformance-e2e
       - lb-svc-e2e
-      - ha-installation-test
       - underlay-logical-gateway-installation-test
       - chart-installation-test
       - installation-compatibility-test
       - no-ovn-lb-test
       - no-np-test
       - cilium-chaining-e2e
-    name: push
+      - kube-ovn-security-e2e
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v3

.github/workflows/scheduled-e2e.yaml

@@ -394,10 +394,6 @@ jobs:
       fail-fast: false
       matrix:
         branch:
-          - master
-          - release-1.11
-          - release-1.10
-          - release-1.9
           - release-1.8
     steps:
       - uses: actions/checkout@v3
@@ -799,6 +795,91 @@ jobs:
         working-directory: test/e2e/kube-ovn/branches/${{ matrix.branch }}
         run: sh dist/images/cleanup.sh
 
+  kube-ovn-security-e2e:
+    name: Kube-OVN Security E2E
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        branch:
+          - master
+          - release-1.11
+          - release-1.10
+          - release-1.9
+        ssl:
+          - "true"
+          - "false"
+        bind-local:
+          - "true"
+          - "false"
+        ip-family:
+          - ipv4
+          - ipv6
+          - dual
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: '${{ env.GO_VERSION }}'
+          check-latest: true
+        id: go
+
+      - name: Export Go full version
+        run: echo "GO_FULL_VER=$(go version | awk '{print $3}')" >> "$GITHUB_ENV"
+
+      - name: Go cache
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-e2e-${{ env.GO_FULL_VER }}-x86-
+
+      - name: Create branch directory
+        run: mkdir -p test/e2e/kube-ovn/branches/${{ matrix.branch }}
+
+      - name: Check out branch
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ matrix.branch }}
+          fetch-depth: 1
+          path: test/e2e/kube-ovn/branches/${{ matrix.branch }}
+
+      - name: Install kind
+        run: |
+          curl -Lo ./kind https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-$(uname)-amd64
+          chmod +x ./kind
+          sudo mv kind /usr/local/bin
+
+      - name: Create kind cluster
+        working-directory: test/e2e/kube-ovn/branches/${{ matrix.branch }}
+        run: |
+          sudo pip3 install j2cli
+          sudo pip3 install "j2cli[yaml]"
+          sudo PATH=~/.local/bin:$PATH make kind-init-ha-${{ matrix.ip-family }}
+          sudo cp -r /root/.kube/ ~/.kube/
+          sudo chown -R $(id -un). ~/.kube/
+
+      - name: Install Kube-OVN
+        working-directory: test/e2e/kube-ovn/branches/${{ matrix.branch }}
+        run: |
+          version=$(grep -E '^VERSION="v([0-9]+\.){2}[0-9]+"$' dist/images/install.sh | head -n1 | awk -F= '{print $2}' | tr -d '"')
+          docker pull kubeovn/kube-ovn:$version
+          sudo VERSION=$version ENABLE_SSL=${{ matrix.ssl }} \
+            ENABLE_BIND_LOCAL_IP=${{ matrix.bind-local }} \
+            make kind-install-${{ matrix.ip-family }}
+
+      - name: Run E2E
+        env:
+          E2E_BRANCH: ${{ matrix.branch }}
+          E2E_IP_FAMILY: ${{ matrix.ip-family }}
+        run: make kube-ovn-security-e2e
+
+      - name: Cleanup
+        run: sh dist/images/cleanup.sh
+
   helm-direct-upgrade-e2e:
     name: Helm Upgrade E2E
     runs-on: ubuntu-22.04

Makefile

@@ -245,9 +245,20 @@ kind-init-iptables:
 	@kube_proxy_mode=iptables $(MAKE) kind-init
 
 .PHONY: kind-init-ha
-kind-init-ha:
+kind-init-ha: kind-init-ha-ipv4
+
+.PHONY: kind-init-ha-ipv4
+kind-init-ha-ipv4:
 	@ha=true $(MAKE) kind-init
 
+.PHONY: kind-init-ha-ipv6
+kind-init-ha-ipv6:
+	@ip_family=ipv6 $(MAKE) kind-init-ha
+
+.PHONY: kind-init-ha-dual
+kind-init-ha-dual:
+	@ip_family=dual $(MAKE) kind-init-ha
+
 .PHONY: kind-init-single
 kind-init-single:
 	@single=true $(MAKE) kind-init

Makefile.e2e

@@ -30,6 +30,7 @@ e2e-compile:
 	go test ./test/e2e/kube-ovn -c -o test/e2e/kube-ovn/e2e.test
 	go test ./test/e2e/ovn-ic -c -o test/e2e/ovn-ic/e2e.test
 	go test ./test/e2e/lb-svc -c -o test/e2e/lb-svc/e2e.test
+	go test ./test/e2e/security -c -o test/e2e/security/e2e.test
 
 .PHONY: k8s-conformance-e2e
 k8s-conformance-e2e:
@@ -82,3 +83,11 @@ kube-ovn-lb-svc-conformance-e2e:
 	E2E_IP_FAMILY=$(E2E_IP_FAMILY) \
 	E2E_NETWORK_MODE=$(E2E_NETWORK_MODE) \
 	./test/e2e/lb-svc/e2e.test --ginkgo.focus=CNI:Kube-OVN
+
+.PHONY: kube-ovn-security-e2e
+kube-ovn-security-e2e:
+	go test ./test/e2e/kube-ovn -c -o test/e2e/kube-ovn/e2e.test
+	E2E_BRANCH=$(E2E_BRANCH) \
+	E2E_IP_FAMILY=$(E2E_IP_FAMILY) \
+	E2E_NETWORK_MODE=$(E2E_NETWORK_MODE) \
+	./test/e2e/security/e2e.test --ginkgo.focus=CNI:Kube-OVN

dist/images/Dockerfile.base

@@ -40,6 +40,8 @@ RUN dpkg -i /usr/src/python3-openvswitch*.deb /usr/src/libopenvswitch*.deb
 
 RUN cd /usr/src/ && git clone -b branch-22.03 --depth=1 https://github.com/ovn-org/ovn.git && \
     cd ovn && \
+    # fix ssl listen address
+    curl -s https://github.com/kubeovn/ovn/commit/62d4969877712c26fe425698d898b440f91b44bf.patch | git apply && \
     # ovn-controller: Add a generic way to check if the daemon started recently.
     curl -s https://github.com/kubeovn/ovn/commit/367d7ab6239089ce99dda20818c8833c69ffd77f.patch | git apply && \
     # patch.c: Avoid patch interface deletion & recreation during restart.