1 change: 0 additions & 1 deletion .github/workflows/apisix-conformance-test.yml
Expand Up @@ -109,7 +109,6 @@ jobs:
- name: Get Logs from apisix-ingress-controller
shell: bash
run: |
export KUBECONFIG=/tmp/apisix-ingress-cluster.kubeconfig
kubectl logs -n apisix-conformance-test -l app=apisix-ingress-controller

- name: Upload Gateway API Conformance Report
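
Review bot: In the "Get Logs from apisix-ingress-controller" step, kubectl logs now runs with no explicit kubeconfig, so it reads whatever config and current context the runner happens to have. Consider naming the target explicitly, for example `kubectl --context kind-apisix-ingress-cluster logs -n apisix-conformance-test -l app=apisix-ingress-controller` (assuming the kind cluster keeps the name apisix-ingress-cluster), so the logs always come from the cluster this job created.
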
1 change: 0 additions & 1 deletion .github/workflows/conformance-test.yml
Expand Up @@ -117,7 +117,6 @@ jobs:
- name: Get Logs from api7-ingress-controller
shell: bash
run: |
export KUBECONFIG=/tmp/apisix-ingress-cluster.kubeconfig
kubectl logs -n apisix-conformance-test -l app=apisix-ingress-controller

- name: Upload Gateway API Conformance Report
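
Review bot: The step name "Get Logs from api7-ingress-controller" does not match the selector it uses, `-l app=apisix-ingress-controller`; align one with the other so an empty log section is not mistaken for a quiet controller. Since kubectl logs with a label selector returns only the last 10 lines per pod by default, adding `--tail=-1` here would also make the captured logs useful for debugging a failed conformance run.
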
31 changes: 14 additions & 17 deletions .github/workflows/e2e-test-k8s.yml
Expand Up @@ -34,35 +34,27 @@ jobs:
matrix:
cases_subset:
- v2
runs-on: buildjet-2vcpu-ubuntu-2004
runs-on: self-hosted
Comment thread
coderabbitai[bot] marked this conversation as resolved.
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
submodules: recursive

- name: Setup Go Env
uses: actions/setup-go@v4
with:
go-version: "1.24"
- name: Check Go Env
run: |
go env

- name: Install kind
- name: Check Kind Version
run: |
go install sigs.k8s.io/kind@v0.13.0
kind version

- name: Install Helm
run: |
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

- name: Login to Registry
uses: docker/login-action@v3
with:
registry: ${{ secrets.DOCKER_REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Login to Private Registry
uses: docker/login-action@v3
with:
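
Review bot: With `runs-on: self-hosted` and the install steps reduced to "Check Go Env" and "Check Kind Version", the job runs with whatever Go and kind the runner has, where this hunk previously named go-version "1.24" and kind@v0.13.0. Suggest making the check steps fail when the reported version differs from the expected one, and selecting the runner by a dedicated label rather than the bare `self-hosted` label so the job cannot land on a machine that was not prepared for it.
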
Expand All @@ -72,9 +64,15 @@ jobs:

- name: Launch Kind Cluster
env:
KIND_NODE_IMAGE: kindest/node:v1.18.20@sha256:38a8726ece5d7867fb0ede63d718d27ce2d41af519ce68be5ae7fcca563537ed
KIND_NODE_IMAGE: kindest/node:v1.18.15

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd "$(git rev-parse --show-toplevel)" && head -80 .github/workflows/e2e-test-k8s.yml | tail -20

Repository: api7/api7-ingress-controller

Length of output: 817


🌐 Web query:

official sha256 digest kindest/node v1.18.15

💡 Result:

kindest/node:v1.18.15 digest (use with @sha256:):

kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4 [1] [2] [3]

Sources: [1] [2] [3]


🏁 Script executed:

grep -n "image:" .github/workflows/e2e-test-k8s.yml | grep -v "@sha256"

Repository: api7/api7-ingress-controller

Length of output: 54


🏁 Script executed:

grep -n "kindest/node\|docker pull\|_IMAGE:" .github/workflows/e2e-test-k8s.yml

Repository: api7/api7-ingress-controller

Length of output: 123


Pin KIND node image by digest.

Line 67 uses a mutable tag (kindest/node:v1.18.15) without digest pinning, which weakens reproducibility and supply-chain integrity. Update to:

          KIND_NODE_IMAGE: kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e-test-k8s.yml at line 67, Replace the mutable
KIND_NODE_IMAGE tag with an immutable digest-pinned reference: locate the
KIND_NODE_IMAGE environment variable assignment (the line containing
KIND_NODE_IMAGE: kindest/node:v1.18.15) and update its value to the
corresponding image@sha256 digest (e.g.,
kindest/node:v1.18.15@sha256:5c1b980c4d0e0e8e7eb9f36f7df525d079a96169c8a8f20d8bd108c0d0889cc4)
so the workflow uses a pinned image for reproducible builds.

run: |
make kind-up
KIND_NODE_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' apisix-ingress-cluster-control-plane)
echo $KIND_NODE_IP

kubectl config get-clusters
kubectl config set-cluster kind-apisix-ingress-cluster --server=https://$KIND_NODE_IP:6443
kubectl wait --for=condition=Ready nodes --all
Comment thread
AlinsRan marked this conversation as resolved.

- name: Build images
env:
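
Review bot: In the "Launch Kind Cluster" run block, KIND_NODE_IP is used without checking that it holds a single non-empty address. The template `{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}` joins the addresses of all attached networks with no separator, and an empty result produces `--server=https://:6443`. Suggest failing the step when the value is empty and quoting "$KIND_NODE_IP" in both the echo and the --server argument.
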
Expand Down Expand Up @@ -107,7 +105,6 @@ jobs:
node $(pwd)/adc.js -v
echo "ADC_BIN=node $(pwd)/adc.js" >> $GITHUB_ENV


- name: Start OpenLDAP server
run: make e2e-ldap

7 changes: 1 addition & 6 deletions Makefile
Expand Up @@ -48,8 +48,6 @@ CRD_DOCS_TEMPLATE ?= docs/assets/template

INGRESS_VERSION ?= v1

export KUBECONFIG = /tmp/$(KIND_NAME).kubeconfig

# go
VERSYM="github.com/apache/apisix-ingress-controller/internal/version._buildVersion"
GITSHASYM="github.com/apache/apisix-ingress-controller/internal/version._buildGitRevision"
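
Review bot: Without `export KUBECONFIG = /tmp/$(KIND_NAME).kubeconfig`, every kubectl and go test invocation started from this Makefile uses the caller's default kubeconfig and current context, which on a developer machine can be a cluster other than the kind one. Suggest a guard in e2e-test that compares `kubectl config current-context` with kind-$(KIND_NAME) before the tests run, or at least a comment here documenting the new expectation.
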
Expand Down Expand Up @@ -143,7 +141,6 @@ kind-e2e-test: kind-up build-image kind-load-images e2e-test
# Utilize Kind or modify the e2e tests to load the image locally, enabling compatibility with other vendors.
.PHONY: e2e-test
e2e-test: adc
@kind get kubeconfig --name $(KIND_NAME) > $$KUBECONFIG
DASHBOARD_VERSION=$(DASHBOARD_VERSION) go test $(TEST_DIR) -test.timeout=$(TEST_TIMEOUT) -v -ginkgo.v -ginkgo.focus="$(TEST_FOCUS)" -ginkgo.label-filter="$(TEST_LABEL)"

.PHONY: download-api7ee3-chart
Expand Down Expand Up @@ -189,8 +186,6 @@ kind-up:
@kind get clusters 2>&1 | grep -v $(KIND_NAME) \
&& kind create cluster --name $(KIND_NAME) --image $(KIND_NODE_IMAGE) \
|| echo "kind cluster already exists"
@kind get kubeconfig --name $(KIND_NAME) > $$KUBECONFIG
kubectl wait --for=condition=Ready nodes --all

.PHONY: kind-down
kind-down:
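
Review bot: In kind-up, the `|| echo "kind cluster already exists"` branch also runs when `kind create cluster` itself fails, and with the `kubectl wait --for=condition=Ready nodes --all` line no longer in the target nothing after it fails either, so `make kind-up` can exit successfully without a usable cluster. Suggest testing for the cluster first, for example with `kind get clusters | grep -qx $(KIND_NAME)`, and letting a failed create fail the target.
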
Expand Down Expand Up @@ -277,7 +272,7 @@ run: manifests generate fmt vet ## Run a controller from your host.
# More info: https://docs.docker.com/develop/develop-images/build_enhancements/
.PHONY: docker-build
docker-build: set-e2e-goos build ## Build docker image with the manager.
$(CONTAINER_TOOL) build -t ${IMG} -f Dockerfile .
$(CONTAINER_TOOL) build --build-arg TARGETARCH=${GOARCH} -t ${IMG} -f Dockerfile .

.PHONY: docker-push
docker-push: ## Push docker image with the manager.
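
Review bot: In docker-build, `--build-arg TARGETARCH=${GOARCH}` passes an empty value when GOARCH is not set in the Makefile or the environment, and the only prerequisite visible here that touches the platform, set-e2e-goos, is named for GOOS. Suggest a default such as `GOARCH ?= $(shell go env GOARCH)` near the other Go variables, or a note pointing to where GOARCH is defined.
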
3 changes: 2 additions & 1 deletion test/e2e/crds/v2/route.go
Expand Up @@ -1370,6 +1370,7 @@ spec:
containers:
- name: websocket-server
image: jmalloc/echo-server:latest
imagePullPolicy: IfNotPresent
ports:
Comment thread
AlinsRan marked this conversation as resolved.
- containerPort: 8080
---
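
Review bot: `imagePullPolicy: IfNotPresent` on `jmalloc/echo-server:latest` makes the test run whatever image a node already has cached under the mutable latest tag, so two runners can exercise different echo-server builds without any change in this repository. Suggest pinning the image to a fixed version tag or a digest in the same change.
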
Expand Down Expand Up @@ -1430,6 +1431,7 @@ spec:
By("create WebSocket server resources")
err := s.CreateResourceFromStringWithNamespace(websocketServerResources, s.Namespace())
Expect(err).ShouldNot(HaveOccurred(), "creating WebSocket server resources")
s.EnsureNumEndpointsReady(GinkgoT(), "websocket-server-service", 1)

By("create ApisixRoute without WebSocker")
var apisixRouteWithoutWS apiv2.ApisixRoute
Expand All @@ -1438,7 +1440,6 @@ spec:
&apisixRouteWithoutWS,
fmt.Sprintf(apisixRouteSpec2, s.Namespace(), s.Namespace()),
)
time.Sleep(12 * time.Second)

By("verify WebSocket connection fails without WebSocket enabled")
u := url.URL{
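
Review bot: Removing `time.Sleep(12 * time.Second)` leaves nothing between applying apisixRouteWithoutWS and the "verify WebSocket connection fails" check. The added EnsureNumEndpointsReady call waits for the backend endpoints, not for the route to reach the data plane, so the negative check can pass simply because the route is not there yet. Suggest polling until a plain HTTP request through the route succeeds before asserting that the WebSocket upgrade fails, and confirming the time import is still used in this file.
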
7 changes: 6 additions & 1 deletion test/e2e/crds/v2/tls.go
Expand Up @@ -235,7 +235,12 @@ spec:
assert.NotNil(GinkgoT(), tls[0].Client, "client configuration should not be nil")
assert.NotEmpty(GinkgoT(), tls[0].Client.CA, "client CA should not be empty")
assert.Equal(GinkgoT(), normalizePEM(caCert), normalizePEM(tls[0].Client.CA), "client CA should be test-ca-secret")
assert.Equal(GinkgoT(), int64(1), *tls[0].Client.Depth, "client depth should be 1")
depth := int64(1)
if s.Deployer.Name() == framework.ProviderTypeAPI7EE {
depth = int64(10) // API7EE control plane currently defaults to depth 10 for mTLS
}
assert.NotNil(GinkgoT(), tls[0].Client.Depth, "client depth should be set")
assert.Equal(GinkgoT(), depth, *tls[0].Client.Depth, fmt.Sprintf("client depth should be %d", depth))
})
It("ApisixTls with skip_mtls_uri_regex test", func() {
// TODO: Add support for skip_mtls_uri_regex in API7EE control plane
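
Review bot: The API7EE branch, `depth = int64(10)`, makes this assertion track a control-plane default (the inline comment says "currently defaults") rather than a value the ApisixTls spec sets, so it no longer shows that the controller propagates the client verification depth for that provider. Suggest setting the depth explicitly in the test's ApisixTls resource and asserting that value for both providers, or moving the 10 into a named constant next to ProviderTypeAPI7EE. The fmt.Sprintf wrapper can also go, since assert.Equal accepts a format string followed by its arguments.
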
2 changes: 2 additions & 0 deletions test/e2e/framework/api7_dashboard.go
Expand Up @@ -203,6 +203,8 @@ prometheus:
server:
persistence:
enabled: false
jaeger:
builtin: false
postgresql:
{{- if ne .DB "postgres" }}
builtin: false