Merge pull request #11667 from VannTen/ci-fix/kubelet_csr

Remove `shell` module usage from CI testcases
pull/11689/head
Kubernetes Prow Robot 2024-11-05 08:41:29 +00:00 committed by GitHub
commit 25ca0acf73
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 31 additions and 72 deletions


@ -20,29 +20,29 @@
when: when:
- kubelet_rotate_server_certificates | default(false) - kubelet_rotate_server_certificates | default(false)
- kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)) - kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false))
vars:
csrs: "{{ csr_json.stdout | from_json }}"
block: block:
- name: Get certificate signing requests - name: Get certificate signing requests
command: "{{ bin_dir }}/kubectl get csr" command: "{{ bin_dir }}/kubectl get csr -o jsonpath-as-json={.items[*]}"
register: get_csr register: csr_json
changed_when: false changed_when: false
- debug: # noqa name[missing] - debug: # noqa name[missing]
msg: "{{ get_csr.stdout.split('\n') }}" var: csrs
- name: Check there are csrs - name: Check there are csrs
assert: assert:
that: get_csr.stdout_lines | length > 0 that: csrs | length > 0
fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found
- name: Get Denied/Pending certificate signing requests
shell: "set -o pipefail && {{ bin_dir }}/kubectl get csr | grep -e Denied -e Pending || true"
register: get_csr_denied_pending
changed_when: false
- name: Check there are Denied/Pending csrs - name: Check there are Denied/Pending csrs
assert: assert:
that: get_csr_denied_pending.stdout_lines | length == 0 that:
- csrs | rejectattr('status') | length == 0 # Pending == no status
- csrs | map(attribute='status.conditions') | flatten | selectattr('type', 'equalto', 'Denied') | length == 0 # Denied
fail_msg: kubelet_csr_approver is enabled but CSRs are not approved fail_msg: kubelet_csr_approver is enabled but CSRs are not approved
- name: Approve kubelet serving certificates - name: Approve kubelet serving certificates
@ -75,21 +75,10 @@
command: "{{ bin_dir }}/kubectl create namespace test" command: "{{ bin_dir }}/kubectl create namespace test"
changed_when: false changed_when: false
- name: Wait for API token of test namespace
shell: "set -o pipefail && {{ bin_dir }}/kubectl describe serviceaccounts default --namespace test | grep Tokens | awk '{print $2}'"
args:
executable: /bin/bash
changed_when: false
register: default_token
until: default_token.stdout | length > 0
retries: 5
delay: 5
- name: Run 2 agnhost pods in test ns - name: Run 2 agnhost pods in test ns
shell: command:
cmd: | cmd: "{{ bin_dir }}/kubectl apply -f -"
set -o pipefail stdin: |
cat <<EOF | {{ bin_dir }}/kubectl apply -f -
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
@ -108,8 +97,6 @@
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
EOF
executable: /bin/bash
changed_when: false changed_when: false
loop: loop:
- agnhost1 - agnhost1
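Review bot: In the "Check there are Denied/Pending csrs" assert, the second condition seems to evaluate cleanly only because the first one has already passed. `map(attribute='status.conditions')` has nothing to read on a CSR whose status is empty, so if the list were reordered or the expression reused elsewhere, a pending CSR would likely produce an undefined-attribute error instead of a clean assertion failure. Filtering first makes the condition stand on its own: `csrs | selectattr('status.conditions', 'defined') | map(attribute='status.conditions') | flatten | selectattr('type', 'equalto', 'Denied') | length == 0`. The inline comment would also read more accurately as `# Pending == empty status`, since `rejectattr('status')` depends on the value being falsy rather than absent; this is worth confirming against real kubectl output. The block these tasks belong to starts before the hunk and continues after it.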


@ -3,13 +3,16 @@
hosts: kube_node hosts: kube_node
tasks: tasks:
- name: Test tunl0 routes - name: Test tunl0 routes
shell: "set -o pipefail && ! /sbin/ip ro | grep '/{{ calico_pool_blocksize }} | default(26) via' | grep -v tunl0" command: "/sbin/ip route"
args: register: routes
executable: /bin/bash failed_when: routes.stdout_lines
| select('contains', '/' ~ calico_pool_blocksize|d(26))
| select('contains', 'tunl0') | length == 0
when: when:
- (calico_ipip_mode is defined and calico_ipip_mode != 'Never' or cloud_provider is defined) - (calico_ipip_mode is defined and calico_ipip_mode != 'Never' or cloud_provider is defined)
- kube_network_plugin | default('calico') == 'calico' - kube_network_plugin | default('calico') == 'calico'
- name: Advanced testcases for network - name: Advanced testcases for network
hosts: k8s_cluster hosts: k8s_cluster
vars: vars:
@ -32,26 +35,16 @@
name: cluster-dump name: cluster-dump
- name: Wait for netchecker server - name: Wait for netchecker server
shell: "set -o pipefail && {{ bin_dir }}/kubectl get pods -o wide --namespace {{ netcheck_namespace }} | grep ^netchecker-server" command: "{{ bin_dir }}/kubectl get pods --field-selector=status.phase==Running -o jsonpath-as-json={.items[*].metadata.name} --namespace {{ netcheck_namespace }}"
args: register: pods_json
executable: /bin/bash until:
register: ncs_pod - pods_json.stdout | from_json | select('match', 'netchecker-server.*') | length == 1
until: ncs_pod.stdout.find('Running') != -1 - (pods_json.stdout | from_json | select('match', 'netchecker-agent.*') | length)
>= (groups['k8s_cluster'] | intersect(ansible_play_hosts) | length * 2)
retries: 3 retries: 3
delay: 10 delay: 10
when: inventory_hostname == groups['kube_control_plane'][0] when: inventory_hostname == groups['kube_control_plane'][0]
- name: Wait for netchecker agents
shell: "set -o pipefail && {{ bin_dir }}/kubectl get pods -o wide --namespace {{ netcheck_namespace }} | grep '^netchecker-agent-.*Running'"
args:
executable: /bin/bash
register: nca_pod
until: nca_pod.stdout_lines | length >= groups['k8s_cluster'] | intersect(ansible_play_hosts) | length * 2
retries: 3
delay: 10
failed_when: false
when: inventory_hostname == groups['kube_control_plane'][0]
- name: Get netchecker pods - name: Get netchecker pods
command: "{{ bin_dir }}/kubectl -n {{ netcheck_namespace }} describe pod -l app={{ item }}" command: "{{ bin_dir }}/kubectl -n {{ netcheck_namespace }} describe pod -l app={{ item }}"
run_once: true run_once: true
@ -60,7 +53,7 @@
with_items: with_items:
- netchecker-agent - netchecker-agent
- netchecker-agent-hostnet - netchecker-agent-hostnet
when: not nca_pod is success when: not pods_json is success
- debug: # noqa name[missing] - debug: # noqa name[missing]
var: nca_pod.stdout_lines var: nca_pod.stdout_lines
@ -99,7 +92,7 @@
- agents.content != '{}' - agents.content != '{}'
- debug: # noqa name[missing] - debug: # noqa name[missing]
var: ncs_pod var: pods_json
run_once: true run_once: true
- name: Get kube-proxy logs - name: Get kube-proxy logs
@ -169,14 +162,9 @@
run_once: true run_once: true
- name: Create macvlan network conf - name: Create macvlan network conf
# We cannot use only shell: below because Ansible will render the text command:
# with leading spaces, which means the shell will never find the string cmd: "{{ bin_dir }}/kubectl create -f -"
# EOF at the beginning of a line. We can avoid Ansible's unhelpful stdin: |
# heuristics by using the cmd parameter like this:
shell:
cmd: |
set -o pipefail
cat <<EOF | {{ bin_dir }}/kubectl create -f -
apiVersion: "k8s.cni.cncf.io/v1" apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition kind: NetworkAttachmentDefinition
metadata: metadata:
@ -198,21 +186,7 @@
"gateway": "192.168.1.1" "gateway": "192.168.1.1"
} }
}' }'
EOF ---
executable: /bin/bash
when:
- inventory_hostname == groups['kube_control_plane'][0]
- kube_network_plugin_multus | default(false) | bool
- name: Annotate pod with macvlan network
# We cannot use only shell: below because Ansible will render the text
# with leading spaces, which means the shell will never find the string
# EOF at the beginning of a line. We can avoid Ansible's unhelpful
# heuristics by using the cmd parameter like this:
shell:
cmd: |
set -o pipefail
cat <<EOF | {{ bin_dir }}/kubectl create -f -
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
@ -224,8 +198,6 @@
- name: samplepod - name: samplepod
command: ["/bin/bash", "-c", "sleep 2000000000000"] command: ["/bin/bash", "-c", "sleep 2000000000000"]
image: dougbtv/centos-network image: dougbtv/centos-network
EOF
executable: /bin/bash
when: when:
- inventory_hostname == groups['kube_control_plane'][0] - inventory_hostname == groups['kube_control_plane'][0]
- kube_network_plugin_multus | default(false) | bool - kube_network_plugin_multus | default(false) | bool
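Review bot: The rewritten `failed_when` on "Test tunl0 routes" appears to assert something different from the shell pipeline it replaces. The old command was written to fail when a pool-block route with `via` did not go through tunl0, while the new expression fails only when no line contains both the block size and `tunl0`. A node with one tunnelled route and another route that bypasses the tunnel would now pass, and a node with no remote blocks at all would fail. If the original intent is still wanted, `failed_when: routes.stdout_lines | select('contains', '/' ~ calico_pool_blocksize|d(26) ~ ' via') | reject('contains', 'tunl0') | length > 0` expresses it without the shell. Otherwise a short comment on the task should state that the check is now "at least one tunl0 route exists".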