Add job to run e2e test with traffic encrytion mode

as WireGuard

Signed-off-by: Pulkit Jain <[email protected]>

Author: jainpulkit22

ci/jenkins/jobs/macros.yaml

@@ -300,3 +300,27 @@
            #!/bin/bash
            set -e
            ./ci/jenkins/stop-stale-jobs.sh --pull-request "${ghprbPullId}" --jenkins "${JENKINS_URL}"
+
+- builder:
+    name: builder-e2e-kind-wireGuard
+    builders:
+      - shell: |-
+          #!/bin/bash
+          set -ex
+          DOCKER_REGISTRY="$(head -n1 ci/docker-registry)"
+          [ "$DOCKER_REGISTRY" != "docker.io" ] || ./ci/jenkins/docker_login.sh --docker-user ${{DOCKER_USERNAME}} --docker-password ${{DOCKER_PASSWORD}}
+          KIND_TIMEOUT=135
+          FULL_CLUSTER_NAME='{kind_cluster_name}'-"${{BUILD_NUMBER}}"
+          #  Delete all Kind clusters created more than 135 mins ago. 135 minutes is the timeout 
+          #  we have configured for running conformance, NetworkPolicy and e2e tests on Kind, 
+          #  so clusters older than that can de deleted safely.
+          ./ci/kind/kind-setup.sh destroy --all --until ${{KIND_TIMEOUT}}
+          ./ci/kind/kind-install.sh 
+          ./ci/kind/kind-setup.sh --antrea-cni create "${{FULL_CLUSTER_NAME}}"
+          kind export kubeconfig -n "${{FULL_CLUSTER_NAME}}" --kubeconfig ${{PWD}}/.kube/config
+          set +e
+          ./ci/jenkins/test.sh --testcase e2e --traffic-mode "wireGuard" --registry ${{DOCKER_REGISTRY}} --kubeconfig ${{PWD}}/.kube/config --testbed-type "kind" --kind-cluster-name "${{FULL_CLUSTER_NAME}}" --build-tag "e2e-${{BUILD_NUMBER}}"
+          return_code=$?
+          set -ex
+          ./ci/kind/kind-setup.sh destroy "${{FULL_CLUSTER_NAME}}"
+          exit $return_code

ci/jenkins/jobs/projects-cloud.yaml

@@ -1717,3 +1717,48 @@
                 key-file-variable: AWS_EC2_SSH_KEY
                 username-variable: AWS_EC2_SSH_USER_NAME
                 passphrase-variable: AWS_EC2_SSH_PASSPHRASE
+      - '{name}-{test_name}-for-pull-request':
+          test_name: kind-e2e-wireguard
+          node: 'antrea-kind-testbed'
+          description: 'This is for running e2e tests on kind.'
+          branches:
+          - ${{sha1}}
+          builders:
+            - builder-e2e-kind-wireGuard:
+               kind_cluster_name: '{test_name}'
+          trigger_phrase: ^(?!Thanks for your PR).*/test-(kind-e2e-wireguard|kind-all|all).*
+          white_list_target_branches: []
+          allow_whitelist_orgs_as_admins: true
+          admin_list: '{antrea_admin_list}'
+          org_list: '{antrea_org_list}'
+          white_list: '{antrea_white_list}'
+          only_trigger_phrase: true
+          trigger_permit_all: true
+          throttle_concurrent_builds_enabled: 'true'
+          status_context: jenkins-kind-e2e-wireguard
+          status_url: null
+          success_status: Build finished.
+          failure_status: Failed. Add comment /test-kind-e2e-wireguard to re-trigger.
+          error_status: Failed. Add comment /test-kind-e2e-wireguard to re-trigger.
+          triggered_status: null
+          started_status: null
+          wrappers:
+          - credentials-binding:
+            - text:
+                credential-id: DOCKER_USERNAME
+                variable: DOCKER_USERNAME
+            - text:
+                credential-id: DOCKER_PASSWORD
+                variable: DOCKER_PASSWORD
+          - timeout:
+              fail: true
+              timeout: 135
+              type: absolute
+          publishers:
+          - archive:
+              allow-empty: true
+              artifacts: antrea-test-logs.tar.gz
+              case-sensitive: true
+              default-excludes: true
+              fingerprint: false
+              only-if-success: false

ci/jenkins/test.sh

@@ -56,6 +56,7 @@ CLEAN_STALE_IMAGES_CONTAINERD="crictl rmi --prune"
 PRINT_DOCKER_STATUS="docker system df -v"
 PRINT_CONTAINERD_STATUS="crictl ps --state Exited"
 BUILD_TAG="latest"
+TRAFFIC_MODE=""
 MANIFEST_ARGS=""
 
 _usage="Usage: $0 [--kubeconfig <KubeconfigSavePath>] [--workdir <HomePath>]
@@ -74,7 +75,8 @@ Run K8s e2e community tests (Conformance & Network Policy) or Antrea e2e tests o
         --proxyall               Enable proxyAll to test AntreaProxy.
         --build-tag              Custom build tag for images.
         --docker-user            Username for Docker account.
-        --docker-password        Password for Docker account."
+        --docker-password        Password for Docker account.
+        --traffic-mode           Traffic Encryption mode."
 
 function print_usage {
     echoerr "$_usage"
@@ -137,6 +139,10 @@ case $key in
     DOCKER_PASSWORD="$2"
     shift 2
     ;;
+    --traffic-mode)
+    TRAFFIC_MODE="$2"
+    shift 2
+    ;;
     -h|--help)
     print_usage
     exit 0
@@ -537,6 +543,11 @@ function deliver_antrea {
     fi
     chmod -R g-w build/images/ovs
     chmod -R g-w build/images/base
+
+    if [[ "$TRAFFIC_MODE" == "wireGuard" ]]; then
+        MANIFEST_ARGS="$MANIFEST_ARGS --wireGuard"
+    fi
+
     if [[ "$BUILD_TAG" != "latest" ]]; then
         DOCKER_REGISTRY="${DOCKER_REGISTRY}" ./hack/build-antrea-linux-all.sh --build-tag ${BUILD_TAG} --pull
         IMG_TAG="${BUILD_TAG}" ./hack/generate-manifest.sh $MANIFEST_ARGS > build/yamls/antrea.yml

hack/generate-manifest.sh

@@ -26,6 +26,7 @@ Generate a YAML manifest for Antrea using Helm and print it to stdout.
         --encap-mode (mode)           Traffic encapsulation mode (default is 'encap').
         --cloud                       Generate a manifest appropriate for running Antrea in Public Cloud.
         --ipsec                       Generate a manifest with IPsec encryption of tunnel traffic enabled.
+        --wireGuard                   Generate a manifest with WireGuard encryption of tunnel traffic enabled.
         --feature-gates               A comma-separated list of key=value pairs that describe feature gates, e.g. TrafficControl=true,Egress=false.
                                       This option can be specified multiple times.
         --proxy-all                   Generate a manifest with Antrea proxy with all Service support enabled.
@@ -89,6 +90,7 @@ MULTICAST_INTERFACES=""
 HELM_VALUES_FILES=()
 HELM_VALUES=()
 FEATURE_GATES=()
+WIREGUARD=false
 
 while [[ $# -gt 0 ]]
 do
@@ -114,6 +116,10 @@ case $key in
     IPSEC=true
     shift
     ;;
+    --wireGuard)
+    WIREGUARD=true
+    shift
+    ;;
     --feature-gates)
     FEATURE_GATES+=("$2")
     shift 2
@@ -250,6 +256,11 @@ if [[ "$ENCAP_MODE" != "" ]] && [[ "$ENCAP_MODE" != "encap" ]] && $IPSEC; then
     exit 1
 fi
 
+if [[ "$ENCAP_MODE" != "" ]] && [[ "$ENCAP_MODE" != "encap" ]] && $WIREGUARD; then
+    echoerr "Encap mode '$ENCAP_MODE' does not make sense with wireGuard"
+    exit 1
+fi
+
 THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 
 source $THIS_DIR/verify-helm.sh
@@ -268,6 +279,10 @@ if $IPSEC; then
     HELM_VALUES+=("trafficEncryptionMode=ipsec" "tunnelType=gre")
 fi
 
+if $WIREGUARD; then
+    HELM_VALUES+=("trafficEncryptionMode=wireGuard")
+fi
+
 if $FLEXIBLE_IPAM; then
     HELM_VALUES+=("featureGates.AntreaIPAM=true" "enableBridgingMode=true" "trafficEncapMode=noEncap" "noSNAT=true")
 fi