Run K8s e2e network policy tests

This commit adds a new gate to run Kubernetes
network policy tests with OVN-Octavia provider.

Depends-On: https://review.opendev.org/#/c/740381/
Depends-On: https://review.opendev.org/#/c/738457/
Change-Id: I766bff754a4632b2833fbe12fc95c5e7c0fead4e

.zuul.d/base.yaml

@@ -86,3 +86,68 @@
       - ^doc/.*$
       - ^releasenotes/.*$
       - ^contrib/.*$
+
+- job:
+    name: kuryr-kubernetes-k8s-base
+    parent: devstack
+    description: Base kuryr-kubernetes-job without tempest
+    required-projects:
+      - openstack/devstack-plugin-container
+      - openstack/kuryr-kubernetes
+    post-run: playbooks/copy-k8s-logs.yaml
+    host-vars:
+      controller:
+        devstack_plugins:
+          kuryr-kubernetes: https://opendev.org/openstack/kuryr-kubernetes
+          devstack-plugin-container: https://opendev.org/openstack/devstack-plugin-container
+    vars:
+      devstack_localrc:
+        KURYR_K8S_API_PORT: 8080
+        Q_BUILD_OVS_FROM_GIT: true
+        KURYR_K8S_CLOUD_PROVIDER: false
+        ETCD_USE_RAMDISK: true
+      devstack_services:
+        # TODO(dmellado):Temporary workaround until proper fix
+        base: false
+        s-account: false
+        s-container: false
+        s-object: false
+        s-proxy: false
+        c-api: false
+        c-bak: false
+        c-sch: false
+        c-vol: false
+        cinder: false
+        neutron: true
+        q-agt: true
+        q-dhcp: true
+        q-l3: true
+        q-svc: true
+        q-meta: true
+        key: true
+        mysql: true
+        rabbit: true
+        n-api: true
+        n-api-meta: true
+        n-cpu: true
+        n-cond: true
+        n-sch: true
+        placement-api: true
+        placement-client: true
+        g-api: true
+        g-reg: true
+        etcd3: true
+        kubernetes-api: true
+        kubernetes-controller-manager: true
+        kubernetes-scheduler: true
+        kubelet: true
+        kuryr-kubernetes: true
+        kuryr-daemon: true
+        coredns: true
+      zuul_copy_output:
+        '{{ devstack_log_dir }}/kubernetes': 'logs'
+    irrelevant-files:
+      - ^.*\.rst$
+      - ^doc/.*$
+      - ^releasenotes/.*$
+      - ^contrib/.*$

.zuul.d/project.yaml

@@ -24,6 +24,8 @@
         - kuryr-kubernetes-tempest-multinode-containerized
         - kuryr-kubernetes-tempest-containerized-ipv6
         - kuryr-kubernetes-tempest-containerized-ovn-ipv6
+        - kuryr-kubernetes-tempest-containerized-ovn-provider-ovn
+        - kuryr-kubernetes-e2e-np-containerized-ovn-provider-ovn
     gate:
       jobs:
         - kuryr-kubernetes-tempest
@@ -38,7 +40,6 @@
         - kuryr-kubernetes-tempest-containerized-openshift-serial
         - kuryr-kubernetes-tempest-ovn
         - kuryr-kubernetes-tempest-openshift
-        - kuryr-kubernetes-tempest-containerized-ovn-provider-ovn
         - kuryr-kubernetes-tempest-openshift-multi-vif
         - kuryr-kubernetes-tempest-multinode-ha
         - kuryr-kubernetes-tempest-containerized-crio

.zuul.d/sdn.yaml

@@ -99,3 +99,82 @@
         KURYR_SUBNET_DRIVER: namespace
         KURYR_SG_DRIVER: policy
         KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace,pod_label,policy,kuryrnetpolicy,kuryrnetwork
+    voting: false
+
+- job:
+    name: kuryr-kubernetes-e2e-np-containerized-ovn-provider-ovn
+    parent: kuryr-kubernetes-k8s-base
+    description: |
+        Kuryr-Kubernetes job with OVN and Octavia provider OVN running k8s network policy e2e tests
+    required-projects:
+      - openstack/neutron
+      - openstack/barbican
+      - openstack/octavia
+      - openstack/python-barbicanclient
+      - openstack/python-octaviaclient
+      - openstack/ovn-octavia-provider
+    pre-run: playbooks/get_amphora_tarball.yaml
+    post-run: playbooks/run_k8s_e2e_tests.yaml
+    post-timeout: 7200
+    host-vars:
+      controller:
+        devstack_plugins:
+          neutron: https://opendev.org/openstack/neutron
+          octavia: https://opendev.org/openstack/octavia
+          barbican: https://opendev.org/openstack/barbican
+          ovn-octavia-provider: https://opendev.org/openstack/ovn-octavia-provider
+    vars:
+      devstack_localrc:
+        OCTAVIA_AMP_IMAGE_FILE: "/tmp/test-only-amphora-x64-haproxy-ubuntu-bionic.qcow2"
+        OCTAVIA_AMP_IMAGE_SIZE: 3
+        OCTAVIA_AMP_IMAGE_NAME: "test-only-amphora-x64-haproxy-ubuntu-bionic"
+        Q_AGENT: ovn
+        Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
+        Q_ML2_PLUGIN_TYPE_DRIVERS: local,flat,vlan,geneve
+        Q_ML2_TENANT_NETWORK_TYPE: geneve
+        VAR_RUN_PATH: /usr/local/var/run
+        Q_USE_PROVIDERNET_FOR_PUBLIC: true
+        PHYSICAL_NETWORK: public
+        OVN_L3_CREATE_PUBLIC_NETWORK: true
+        ENABLE_CHASSIS_AS_GW: true
+        OVN_BRANCH: branch-20.03
+        KURYR_NEUTRON_DEFAULT_ROUTER: kuryr-router
+        KURYR_EP_DRIVER_OCTAVIA_PROVIDER: ovn
+        KURYR_K8S_OCTAVIA_MEMBER_MODE: L2
+        KURYR_ENFORCE_SG_RULES: false
+        KURYR_LB_ALGORITHM: SOURCE_IP_PORT
+        KURYR_HYPERKUBE_VERSION: v1.16.0
+        KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace,pod_label,policy,kuryrnetpolicy,kuryrnetwork
+        KURYR_SG_DRIVER: policy
+        KURYR_SUBNET_DRIVER: namespace
+        KURYR_K8S_CONTAINERIZED_DEPLOYMENT: true
+      devstack_services:
+        octavia: true
+        o-api: true
+        o-cw: true
+        o-hk: true
+        o-hm: true
+        o-da: true
+        ovn-northd: true
+        ovn-controller: true
+        q-ovn-metadata-agent: true
+        q-svc: true
+        q-agt: false
+        q-l3: false
+        q-dhcp: false
+        q-meta: false
+        q-trunk: true
+      devstack_local_conf:
+        post-config:
+          $OCTAVIA_CONF:
+            controller_worker:
+              amp_active_retries: 9999
+            api_settings:
+              enabled_provider_drivers: amphora:'Octavia Amphora driver',ovn:'Octavia OVN driver'
+      kubetest_version: v1.17.3
+      np_parallel_number: 2
+      gopkg: go1.13.5.linux-amd64.tar.gz
+      np_sleep: 30
+      zuul_copy_output:
+        '/home/zuul/np_kubetest.log': 'logs'
+    voting: false

playbooks/run_k8s_e2e_tests.yaml

@@ -0,0 +1,93 @@
+- hosts: all
+  tasks:
+    # NOTE(maysams): Revisit this package removal step
+    # once other operating systems are supported on the gates
+    - name: Remove old installation of Go
+      shell: |
+        apt remove -y --purge golang
+        apt autoremove -y
+      become: yes
+      ignore_errors: yes
+
+    - name: Download GO {{ gopkg }}
+      get_url:
+        url: https://dl.google.com/go/{{ gopkg }}
+        dest: /tmp/{{ gopkg }}
+        force: yes
+
+    - name: Unarchive GO
+      unarchive:
+        src: /tmp/{{ gopkg }}
+        dest: /usr/local
+        remote_src: yes
+      become: true
+
+    - name: Clone K8s test-infra repository
+      git:
+        repo: https://github.com/kubernetes/test-infra
+        dest: ~/test-infra
+        force: yes
+
+    - name: Install kubetest
+      shell: go install ./kubetest
+      args:
+        chdir: ~/test-infra
+      environment:
+        GO111MODULE: "on"
+        PATH: "{{ ansible_env.PATH }}:/usr/local/go/bin:{{ ansible_env.HOME }}/go/bin"
+
+    - name: Clone kubernetes repository
+      git:
+        repo: https://github.com/kubernetes/kubernetes.git
+        version: "{{ kubetest_version }}"
+        dest: ~/kubernetes
+        force: yes
+
+    - name: Patch e2e tests
+      shell: |
+        sed -i 's/podStartTimeout = .*/podStartTimeout = 2 * time.Minute/' test/e2e/framework/pod/wait.go
+        sed -i 's/for i in $(seq 1 5)/sleep {{ np_sleep }};for i in $(seq 1 200)/' test/e2e/network/network_policy.go
+      args:
+        chdir: ~/kubernetes
+
+    - name: Build e2e tests
+      block:
+        - name: Install make package
+          become: true
+          package:
+            name: "make"
+            state: present
+        - name: Build e2e tests
+          shell: |
+            make WHAT=cmd/kubectl
+            make WHAT=vendor/github.com/onsi/ginkgo/ginkgo
+            make WHAT=test/e2e/e2e.test
+          args:
+            chdir: ~/kubernetes
+          environment:
+            PATH: "{{ ansible_env.PATH }}:/usr/local/go/bin:{{ ansible_env.HOME }}/go/bin"
+
+    - name: Create .kube folder within BASE
+      file:
+        path: "{{ ansible_env.HOME }}/.kube"
+        state: directory
+      become: yes
+
+    - name: Copy kubeconfig file
+      shell: "cp /opt/stack/.kube/config  {{ ansible_env.HOME }}/.kube/"
+      become: yes
+
+    - name: Change kubeconfig file permission
+      file:
+        path: "{{ ansible_env.HOME }}/.kube/config"
+        owner: zuul
+        group: zuul
+      become: yes
+
+    - name: Run Network Policy tests
+      shell: kubetest --provider=local --check-version-skew=false --test --ginkgo-parallel={{ np_parallel_number }} --test_args="--ginkgo.focus=\[Feature:NetworkPolicy --ginkgo.skip=should.enforce.policies.to.check.ingress.and.egress.policies.can.be.controlled.independently.based.on.PodSelector --host=http://127.0.0.1:8080" --dump=/tmp > ~/np_kubetest.log
+      args:
+        chdir: ~/kubernetes
+      environment:
+        KUBECONFIG: "{{ ansible_env.HOME }}/.kube/config"
+        PATH: "{{ ansible_env.PATH }}:/usr/local/go/bin:{{ ansible_env.HOME }}/go/bin"

tools/gate/copy_k8s_logs.sh

@@ -36,6 +36,7 @@ sudo chown ${USER}:${USER} ${HOME}/.kube/config
 /usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get kuryrnets -o yaml --all-namespaces >> ${K8S_LOG_DIR}/kuryrnets_crds.txt
 /usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get kuryrnetworks -o yaml --all-namespaces >> ${K8S_LOG_DIR}/kuryrnetworks_crds.txt
 /usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get endpoints -o yaml --all-namespaces >> ${K8S_LOG_DIR}/endpoints.txt
+/usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get kuryrnetpolicy -o yaml --all-namespaces >> ${K8S_LOG_DIR}/kuryrnetpolicy_crds.txt
 # Kubernetes pods logs
 mkdir -p ${K8S_LOG_DIR}/pod_logs
 while read -r line