From bdf9eccfbba9378ed495e49e37bc4c69bc722273 Mon Sep 17 00:00:00 2001 From: Tomas Repel Date: Fri, 15 Nov 2024 14:24:34 +0100 Subject: [PATCH] Added apikey Auth and v1 updates to scale test policies Signed-off-by: Tomas Repel --- scale_test/config.yaml | 20 ++++++++++++++++- scale_test/gw-auth-policy.yaml | 2 +- scale_test/gw-dns-policy.yaml | 2 +- scale_test/gw-rlp.yaml | 7 +++--- scale_test/gw-tls-policy.yaml | 2 +- scale_test/gw.yaml | 2 +- scale_test/httproute-auth-policy.yaml | 20 ++++++++++++++++- scale_test/httproute-rlp.yaml | 7 +++--- scale_test/httproute.yaml | 4 +++- scale_test/person-secret.yaml | 12 ++++++++++ scale_test/readme.md | 32 ++++++++++++++++++++++++++- 11 files changed, 94 insertions(+), 16 deletions(-) create mode 100644 scale_test/person-secret.yaml diff --git a/scale_test/config.yaml b/scale_test/config.yaml index 4fddd124..51618c1f 100644 --- a/scale_test/config.yaml +++ b/scale_test/config.yaml @@ -17,8 +17,12 @@ metricsEndpoints: type: local metricsDirectory: ./metrics {{ end }} -global: +global: +{{ if .SKIP_CLEANUP }} + gc: false +{{ else }} gc: true +{{ end }} jobs: - name: scale-test-preparations jobIterations: 1 @@ -44,6 +48,16 @@ jobs: KUADRANT_AWS_ACCESS_KEY_ID: "{{ .KUADRANT_AWS_ACCESS_KEY_ID }}" KUADRANT_AWS_REGION: "{{ .KUADRANT_AWS_REGION }}" KUADRANT_AWS_SECRET_ACCESS_KEY: "{{ .KUADRANT_AWS_SECRET_ACCESS_KEY }}" + - objectTemplate: ./person-secret.yaml + kind: Secret + replicas: 1 + inputVars: + person: "alice" + - objectTemplate: ./person-secret.yaml + kind: Secret + replicas: 1 + inputVars: + person: "bob" - name: scale-test-main jobIterations: 1 qps: 1 @@ -122,6 +136,9 @@ jobs: LISTENER_NUM: "{{$LISTENER_NUM}}" {{- end }} {{- end }} +{{ if .SKIP_CLEANUP }} +# nothing to do if cleanup is skipped +{{ else }} - name: scale-test-safe-dnspolicy-cleanup jobType: delete jobIterations: 1 @@ -132,3 +149,4 @@ jobs: - kind: DNSPolicy apiVersion: kuadrant.io/v1alpha1 labelSelector: {kube-burner-job: scale-test-main} +{{ end }} 
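Review bot: In scale_test/config.yaml (hunk at -17,8, and again at -122,6) the guard `{{ if .SKIP_CLEANUP }}` tests only for a non-empty value, so `export SKIP_CLEANUP=false` would also disable `gc` and drop the DNSPolicy cleanup job. This assumes the variable reaches the template as a string, as the readme's `export` usage suggests. The test resources, including the API-key Secrets added by this commit, would then stay on the cluster without the operator intending it. Comparing against the literal would fix this, e.g. `{{ if eq (default "" .SKIP_CLEANUP) "true" }}` if the sprig helpers are available in this template. Otherwise a comment above the guard would do: `# any non-empty SKIP_CLEANUP value, including "false", skips cleanup`.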
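Review bot: The delete job in scale_test/config.yaml (hunk at -132,3) still selects `apiVersion: kuadrant.io/v1alpha1` for DNSPolicy, while this same commit moves gw-dns-policy.yaml to `kuadrant.io/v1`. If the cluster no longer serves v1alpha1 for that kind, scale-test-safe-dnspolicy-cleanup would presumably match nothing, and DNS records for the test hostnames would be left published. Changing the context line to `apiVersion: kuadrant.io/v1` keeps the cleanup selector aligned with what the test creates. The job definition starts outside this hunk.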
diff --git a/scale_test/gw-auth-policy.yaml b/scale_test/gw-auth-policy.yaml index 98ce497a..5561f5e5 100644 --- a/scale_test/gw-auth-policy.yaml +++ b/scale_test/gw-auth-policy.yaml @@ -1,5 +1,5 @@ {{- $GW_NUM := .GW_NUM }} -apiVersion: kuadrant.io/v1beta3 +apiVersion: kuadrant.io/v1 kind: AuthPolicy metadata: name: auth-policy-gw{{$GW_NUM}}-i{{ .Iteration }} diff --git a/scale_test/gw-dns-policy.yaml b/scale_test/gw-dns-policy.yaml index 38217dd9..ebadce29 100644 --- a/scale_test/gw-dns-policy.yaml +++ b/scale_test/gw-dns-policy.yaml @@ -1,5 +1,5 @@ {{- $GW_NUM := .GW_NUM }} -apiVersion: kuadrant.io/v1alpha1 +apiVersion: kuadrant.io/v1 kind: DNSPolicy metadata: name: dns-policy-gw{{$GW_NUM}}-i{{ .Iteration }} diff --git a/scale_test/gw-rlp.yaml b/scale_test/gw-rlp.yaml index d8df794f..5cd2f403 100644 --- a/scale_test/gw-rlp.yaml +++ b/scale_test/gw-rlp.yaml @@ -1,5 +1,5 @@ {{- $GW_NUM := .GW_NUM }} -apiVersion: kuadrant.io/v1beta3 +apiVersion: kuadrant.io/v1 kind: RateLimitPolicy metadata: name: rlp-gw{{$GW_NUM}}-i{{ .Iteration }} @@ -13,6 +13,5 @@ spec: limits: "global": rates: - - limit: 5 - duration: 10 - unit: second + - limit: 3 + window: "10s" diff --git a/scale_test/gw-tls-policy.yaml b/scale_test/gw-tls-policy.yaml index 1390a71f..60448b6c 100644 --- a/scale_test/gw-tls-policy.yaml +++ b/scale_test/gw-tls-policy.yaml @@ -1,5 +1,5 @@ {{- $GW_NUM := .GW_NUM }} -apiVersion: kuadrant.io/v1alpha1 +apiVersion: kuadrant.io/v1 kind: TLSPolicy metadata: name: tls-policy-gw{{$GW_NUM}}-i{{ .Iteration }} diff --git a/scale_test/gw.yaml b/scale_test/gw.yaml index 913e3f61..7885177c 100644 --- a/scale_test/gw.yaml +++ b/scale_test/gw.yaml 
@@ -16,7 +16,7 @@ spec: - allowedRoutes: namespaces: from: All - hostname: "*.scale-test-gw{{$GW_NUM}}-l{{ $LISTENER_NUM }}-i{{$Iteration}}.{{ $KUADRANT_ZONE_ROOT_DOMAIN }}" + hostname: "api.scale-test-gw{{$GW_NUM}}-l{{$LISTENER_NUM}}-i{{$Iteration}}.{{$KUADRANT_ZONE_ROOT_DOMAIN}}" name: api-{{ $LISTENER_NUM }} port: 443 protocol: HTTPS diff --git a/scale_test/httproute-auth-policy.yaml b/scale_test/httproute-auth-policy.yaml index 8d99b12e..aa56afa0 100644 --- a/scale_test/httproute-auth-policy.yaml +++ b/scale_test/httproute-auth-policy.yaml @@ -1,6 +1,6 @@ {{- $GW_NUM := .GW_NUM }} {{- $LISTENER_NUM := .LISTENER_NUM }} -apiVersion: kuadrant.io/v1beta3 +apiVersion: kuadrant.io/v1 kind: AuthPolicy metadata: name: httproute-auth-policy-gw{{$GW_NUM}}-l{{$LISTENER_NUM}}-i{{ .Iteration }} @@ -16,3 +16,21 @@ spec: allow-all: opa: rego: "allow = true" + authentication: + "api-key-users": + apiKey: + allNamespaces: true + selector: + matchLabels: + app: scale-test + credentials: + authorizationHeader: + prefix: APIKEY + response: + success: + filters: + "identity": + json: + properties: + "userid": + selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id diff --git a/scale_test/httproute-rlp.yaml b/scale_test/httproute-rlp.yaml index 6886db47..6eac3b3e 100644 --- a/scale_test/httproute-rlp.yaml +++ b/scale_test/httproute-rlp.yaml @@ -1,6 +1,6 @@ {{- $GW_NUM := .GW_NUM }} {{- $LISTENER_NUM := .LISTENER_NUM }} -apiVersion: kuadrant.io/v1beta3 +apiVersion: kuadrant.io/v1 kind: RateLimitPolicy metadata: name: httproute-rlp-gw{{$GW_NUM}}-l{{$LISTENER_NUM}}-i{{ .Iteration }} @@ -14,6 +14,5 @@ spec: limits: "httproute-level": rates: - - limit: 10 - duration: 10 - unit: second + - limit: 5 + window: "10s" diff --git a/scale_test/httproute.yaml b/scale_test/httproute.yaml index 1311e427..69cd91c2 100644 --- a/scale_test/httproute.yaml +++ b/scale_test/httproute.yaml 
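Review bot: In scale_test/httproute-auth-policy.yaml (hunk at -16,3), `allNamespaces: true` combined with the broad selector `app: scale-test` means a matching Secret in any namespace is accepted as an API key. Because the existing authorization rule is `allow = true`, that key lookup is the only gate on the route. On a shared cluster, anyone able to create a labelled Secret could therefore mint a working credential. Consider narrowing the selector to this run, for example by adding `kube-burner-job: scale-test-preparations` under `matchLabels` (assuming kube-burner applies that label to the Secrets it creates), and adding the comment `# test-only: API keys are read from every namespace`. The `spec` block starts outside the hunk.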
@@ -1,3 +1,5 @@ +{{- $Iteration := .Iteration }} +{{- $KUADRANT_ZONE_ROOT_DOMAIN := .KUADRANT_ZONE_ROOT_DOMAIN }} {{- $GW_NUM := .GW_NUM }} {{- $LISTENER_NUM := .LISTENER_NUM }} apiVersion: gateway.networking.k8s.io/v1 @@ -12,7 +14,7 @@ spec: kind: Gateway name: gw{{$GW_NUM}}-i{{ .Iteration }} hostnames: - - "api.scale-test-gw{{$GW_NUM}}-l{{$LISTENER_NUM}}-i{{.Iteration}}.{{ .KUADRANT_ZONE_ROOT_DOMAIN }}" + - "api.scale-test-gw{{$GW_NUM}}-l{{$LISTENER_NUM}}-i{{$Iteration}}.{{$KUADRANT_ZONE_ROOT_DOMAIN}}" rules: - backendRefs: - group: '' diff --git a/scale_test/person-secret.yaml b/scale_test/person-secret.yaml new file mode 100644 index 00000000..bd17654f --- /dev/null +++ b/scale_test/person-secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{.person}}-key + labels: + authorino.kuadrant.io/managed-by: authorino + app: scale-test + annotations: + secret.kuadrant.io/user-id: {{.person}} +stringData: + api_key: iam{{.person}} +type: Opaque diff --git a/scale_test/readme.md b/scale_test/readme.md index e5ad48d8..8f791eb5 100644 --- a/scale_test/readme.md +++ b/scale_test/readme.md @@ -23,6 +23,7 @@ export NUM_LISTENERS=1 ``` If you want to disable indexing you need to explicitly set related environment variables to an empty string: + ``` export OS_INDEXING= # to disable indexing export ES_SERVER= # to disable indexing 
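Review bot: In the new scale_test/person-secret.yaml, `api_key: iam{{.person}}` derives the credential from the user name, so the key for every test identity is guessable and is also printed in the readme next to a resolvable hostname. With SKIP_CLEANUP set, these keys stay valid on the cluster after the run. Passing the key as its own input variable, the way config.yaml already passes the AWS values, avoids committing a working credential: `api_key: "{{ .apiKey }}"`, where `apiKey` is a placeholder name filled from the environment. The templated scalars are also unquoted; `name: "{{.person}}-key"` and `secret.kuadrant.io/user-id: "{{.person}}"` would keep a boolean- or number-looking value from being retyped after rendering.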
@@ -32,7 +33,36 @@ export ES_SERVER= # to disable indexing `kube-burner init -c ./config.yaml --timeout 5m --uuid scale-test-$(openssl rand -hex 3)` -Don't forget to increase the timeout if larger number of CRs are to be created. +Don't forget to increase the timeout if a larger number of CRs are to be created. You might also modify policy templates based on your needs, e.g. increase limits in RateLimitPolicy CR templates etc. + +## Cleanup + +Automatic cleanup can be skipped: + +``` +export SKIP_CLEANUP=true +``` + +If so then note the UUID of your scale test run so that you can perform manual cleanup. The DNSPolicy CR needs to be removed manually first. That triggers corresponding DNSRecord CR removal. It is not handled gracefully by Kube Burner cleanup so better to remove it manually beforehand: + +``` +kubectl delete dnspolicy [:dns_policy_name] -n scale-test-0 +kube-burner destroy --uuid [:uuid] +``` + +## Quick Sanity Check + +If cleanup is skipped then quick sanity check that everything works can be done: + +``` +curl -k -s -o /dev/null -w "%{http_code}\n" -H "Authorization: APIKEY iamalice" https://api.scale-test-gw1-l1-i0.aws.kua.app-services-dev.net/get # expected result: 200 + +curl -k -s -o /dev/null -w "%{http_code}\n" -H "Authorization: APIKEY iambob" https://api.scale-test-gw1-l1-i0.aws.kua.app-services-dev.net/get # expected result: 200 + +curl -k -s -o /dev/null -w "%{http_code}\n" -H "Authorization: APIKEY iamX" https://api.scale-test-gw1-l1-i0.aws.kua.app-services-dev.net/get # expected result: 401 +``` + +Based on limits configured in RateLimitPolicy CRs these commands can be repeated until `HTTP 429 Too Many Requests` is returned. Omit `-k` if valid certificates are used. ## Setting up a local cluster for execution