Add e2e-aws-ovn-ipsec-external-serial CI lane

When IPsec mode are changed across tests within IPsec test suite, it causes reboot of ovnkube-node daemonset pods,
It's expected workload traffic would fail temporarily until pods are settle down after IPsec is properly configured
in every node's OVN and OvS across the cluster. So we should not test ipsec mode change in the ipsec test suite and
instead for every ipsec mode, there should be one CI lane, then in the test corresponding configuration and traffic
must be tested. Hence this PR introduces another CI lane called e2e-aws-ovn-ipsec-external-serial for testing External
mode. The Full mode is already covered with the existing e2e-aws-ovn-ipsec-serial CI lane.

Signed-off-by: Periyasamy Palanisamy <[email protected]>

Author: pperiyasamy

ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml

@@ -122,6 +122,16 @@ tests:
       EXTRA_MG_ARGS: --host-network
     workflow: openshift-e2e-aws-ovn-ipsec-serial
   timeout: 6h0m0s
+- always_run: false
+  as: e2e-aws-ovn-ipsec-external-serial
+  optional: true
+  steps:
+    cluster_profile: aws
+    env:
+      EXTRA_MG_ARGS: --host-network
+      IPSEC_MODE: External
+    workflow: openshift-e2e-aws-ovn-ipsec-serial
+  timeout: 6h0m0s
 - as: e2e-metal-ipi-ovn-ipv6
   cluster: build05
   steps:

ci-operator/config/openshift/origin/openshift-origin-master.yaml

@@ -332,6 +332,16 @@ tests:
       BASE_DOMAIN: aws-2.ci.openshift.org
     workflow: openshift-e2e-aws-ovn-ipsec-serial
   timeout: 6h0m0s
+- always_run: false
+  as: e2e-aws-ovn-ipsec-external-serial
+  optional: true
+  steps:
+    cluster_profile: aws-2
+    env:
+      BASE_DOMAIN: aws-2.ci.openshift.org
+      IPSEC_MODE: External
+    workflow: openshift-e2e-aws-ovn-ipsec-serial
+  timeout: 6h0m0s
 - as: e2e-aws-csi
   optional: true
   skip_if_only_changed: ^(?:docs|\.github)/|\.md$|^(?:\.gitignore|OWNERS|OWNERS_ALIASES|PROJECT|LICENSE)$

ci-operator/jobs/openshift/cluster-network-operator/openshift-cluster-network-operator-master-presubmits.yaml

@@ -425,6 +425,81 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )e2e-aws-ovn-hypershift-conformance,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^master$
+    - ^master-
+    cluster: build03
+    context: ci/prow/e2e-aws-ovn-ipsec-external-serial
+    decorate: true
+    decoration_config:
+      timeout: 6h0m0s
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: aws
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-cluster-network-operator-master-e2e-aws-ovn-ipsec-external-serial
+    optional: true
+    rerun_command: /test e2e-aws-ovn-ipsec-external-serial
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=e2e-aws-ovn-ipsec-external-serial
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )e2e-aws-ovn-ipsec-external-serial,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

ci-operator/jobs/openshift/origin/openshift-origin-master-presubmits.yaml

@@ -1033,6 +1033,81 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )e2e-aws-ovn-image-registry,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^master$
+    - ^master-
+    cluster: build09
+    context: ci/prow/e2e-aws-ovn-ipsec-external-serial
+    decorate: true
+    decoration_config:
+      timeout: 6h0m0s
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: aws-2
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-origin-master-e2e-aws-ovn-ipsec-external-serial
+    optional: true
+    rerun_command: /test e2e-aws-ovn-ipsec-external-serial
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=e2e-aws-ovn-ipsec-external-serial
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )e2e-aws-ovn-ipsec-external-serial,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches:

ci-operator/step-registry/ovn/conf/ipsec-manifest/ovn-conf-ipsec-manifest-commands.sh

@@ -32,7 +32,7 @@ EOF
 
 # adapt to newer ipsec config for ocp versions >= 4.15
 if (( ocp_minor_version >= 15 && ocp_major_version == 4 )); then
-    /tmp/yq e '.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode = "Full"' -i ${SHARED_DIR}/manifest_cluster-network-03-config.yml
+    /tmp/yq e '.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode = env(IPSEC_MODE)' -i ${SHARED_DIR}/manifest_cluster-network-03-config.yml
 fi
 
 cat ${SHARED_DIR}/manifest_cluster-network-03-config.yml

ci-operator/step-registry/ovn/conf/ipsec-manifest/ovn-conf-ipsec-manifest-ref.yaml

@@ -4,6 +4,11 @@ ref:
     name: cli-yq
     namespace: ocp
     tag: latest
+  env:
+  - name: IPSEC_MODE
+    default: "Full"
+    documentation: |-
+      Defines the behaviour of the ipsec configuration within the platform.
   commands: ovn-conf-ipsec-manifest-commands.sh
   resources:
     requests: