Added apikey Auth and v1 updates to scale test policies

Signed-off-by: Tomas Repel <[email protected]>
Kuadrant · Nov 15, 2024 · bdf9ecc · bdf9ecc
1 parent 8b22c80
commit bdf9ecc
Show file tree

Hide file tree

Showing 11 changed files with 94 additions and 16 deletions.
diff --git a/scale_test/config.yaml b/scale_test/config.yaml
@@ -17,8 +17,12 @@ metricsEndpoints:
       type: local
       metricsDirectory: ./metrics
 {{ end }}
-global: 
+global:
+{{ if .SKIP_CLEANUP }}
+  gc: false
+{{ else }}
   gc: true
+{{ end }}
 jobs: 
   - name: scale-test-preparations
     jobIterations: 1
@@ -44,6 +48,16 @@ jobs:
           KUADRANT_AWS_ACCESS_KEY_ID: "{{ .KUADRANT_AWS_ACCESS_KEY_ID }}"
           KUADRANT_AWS_REGION: "{{ .KUADRANT_AWS_REGION }}"
           KUADRANT_AWS_SECRET_ACCESS_KEY: "{{ .KUADRANT_AWS_SECRET_ACCESS_KEY }}"
+      - objectTemplate: ./person-secret.yaml
+        kind: Secret
+        replicas: 1
+        inputVars:
+          person: "alice"
+      - objectTemplate: ./person-secret.yaml
+        kind: Secret
+        replicas: 1
+        inputVars:
+          person: "bob"
   - name: scale-test-main
     jobIterations: 1
     qps: 1
@@ -122,6 +136,9 @@ jobs:
           LISTENER_NUM: "{{$LISTENER_NUM}}"
   {{- end }}
 {{- end }}
+{{ if .SKIP_CLEANUP }}
+# nothing to do if cleanup is skipped
+{{ else }}
   - name: scale-test-safe-dnspolicy-cleanup
     jobType: delete
     jobIterations: 1
@@ -132,3 +149,4 @@ jobs:
       - kind: DNSPolicy
         apiVersion: kuadrant.io/v1alpha1
         labelSelector: {kube-burner-job: scale-test-main}
+{{ end }}
diff --git a/scale_test/gw-auth-policy.yaml b/scale_test/gw-auth-policy.yaml
@@ -1,5 +1,5 @@
 {{- $GW_NUM := .GW_NUM }}
-apiVersion: kuadrant.io/v1beta3
+apiVersion: kuadrant.io/v1
 kind: AuthPolicy
 metadata:
   name: auth-policy-gw{{$GW_NUM}}-i{{ .Iteration }}

diff --git a/scale_test/gw-dns-policy.yaml b/scale_test/gw-dns-policy.yaml
@@ -1,5 +1,5 @@
 {{- $GW_NUM := .GW_NUM }}
-apiVersion: kuadrant.io/v1alpha1
+apiVersion: kuadrant.io/v1
 kind: DNSPolicy
 metadata:
   name: dns-policy-gw{{$GW_NUM}}-i{{ .Iteration }}

diff --git a/scale_test/gw-rlp.yaml b/scale_test/gw-rlp.yaml
@@ -1,5 +1,5 @@
 {{- $GW_NUM := .GW_NUM }}
-apiVersion: kuadrant.io/v1beta3
+apiVersion: kuadrant.io/v1
 kind: RateLimitPolicy
 metadata:
   name: rlp-gw{{$GW_NUM}}-i{{ .Iteration }}
@@ -13,6 +13,5 @@ spec:
   limits:
     "global":
       rates:
-      - limit: 5
-        duration: 10
-        unit: second
+      - limit: 3
+        window: "10s"
diff --git a/scale_test/gw-tls-policy.yaml b/scale_test/gw-tls-policy.yaml
@@ -1,5 +1,5 @@
 {{- $GW_NUM := .GW_NUM }}
-apiVersion: kuadrant.io/v1alpha1
+apiVersion: kuadrant.io/v1
 kind: TLSPolicy
 metadata:
   name: tls-policy-gw{{$GW_NUM}}-i{{ .Iteration }}

diff --git a/scale_test/gw.yaml b/scale_test/gw.yaml
@@ -16,7 +16,7 @@ spec:
   - allowedRoutes: 
       namespaces: 
         from: All
-    hostname: "*.scale-test-gw{{$GW_NUM}}-l{{ $LISTENER_NUM }}-i{{$Iteration}}.{{ $KUADRANT_ZONE_ROOT_DOMAIN }}"
+    hostname: "api.scale-test-gw{{$GW_NUM}}-l{{$LISTENER_NUM}}-i{{$Iteration}}.{{$KUADRANT_ZONE_ROOT_DOMAIN}}"
     name: api-{{ $LISTENER_NUM }}
     port: 443
     protocol: HTTPS

diff --git a/scale_test/httproute-auth-policy.yaml b/scale_test/httproute-auth-policy.yaml
@@ -1,6 +1,6 @@
 {{- $GW_NUM := .GW_NUM }}
 {{- $LISTENER_NUM := .LISTENER_NUM }}
-apiVersion: kuadrant.io/v1beta3
+apiVersion: kuadrant.io/v1
 kind: AuthPolicy
 metadata:
   name: httproute-auth-policy-gw{{$GW_NUM}}-l{{$LISTENER_NUM}}-i{{ .Iteration }}
@@ -16,3 +16,21 @@ spec:
       allow-all:
         opa:
           rego: "allow = true"
+    authentication:
+      "api-key-users":
+        apiKey:
+          allNamespaces: true
+          selector:
+            matchLabels:
+              app: scale-test
+        credentials:
+          authorizationHeader:
+            prefix: APIKEY
+    response:
+      success:
+        filters:
+          "identity":
+            json:
+              properties:
+                "userid":
+                  selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id
diff --git a/scale_test/httproute-rlp.yaml b/scale_test/httproute-rlp.yaml
@@ -1,6 +1,6 @@
 {{- $GW_NUM := .GW_NUM }}
 {{- $LISTENER_NUM := .LISTENER_NUM }}
-apiVersion: kuadrant.io/v1beta3
+apiVersion: kuadrant.io/v1
 kind: RateLimitPolicy
 metadata:
   name: httproute-rlp-gw{{$GW_NUM}}-l{{$LISTENER_NUM}}-i{{ .Iteration }}
@@ -14,6 +14,5 @@ spec:
   limits:
     "httproute-level":
       rates:
-      - limit: 10
-        duration: 10
-        unit: second
+      - limit: 5
+        window: "10s"
diff --git a/scale_test/httproute.yaml b/scale_test/httproute.yaml
@@ -1,3 +1,5 @@
+{{- $Iteration := .Iteration }}
+{{- $KUADRANT_ZONE_ROOT_DOMAIN := .KUADRANT_ZONE_ROOT_DOMAIN }}
 {{- $GW_NUM := .GW_NUM }}
 {{- $LISTENER_NUM := .LISTENER_NUM }}
 apiVersion: gateway.networking.k8s.io/v1
@@ -12,7 +14,7 @@ spec:
     kind: Gateway
     name: gw{{$GW_NUM}}-i{{ .Iteration }}
   hostnames:
-  - "api.scale-test-gw{{$GW_NUM}}-l{{$LISTENER_NUM}}-i{{.Iteration}}.{{ .KUADRANT_ZONE_ROOT_DOMAIN }}"
+  - "api.scale-test-gw{{$GW_NUM}}-l{{$LISTENER_NUM}}-i{{$Iteration}}.{{$KUADRANT_ZONE_ROOT_DOMAIN}}"
   rules:
   - backendRefs:
     - group: ''

diff --git a/scale_test/person-secret.yaml b/scale_test/person-secret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{.person}}-key
+  labels:
+    authorino.kuadrant.io/managed-by: authorino
+    app: scale-test
+  annotations:
+    secret.kuadrant.io/user-id: {{.person}}
+stringData:
+  api_key: iam{{.person}}
+type: Opaque
diff --git a/scale_test/readme.md b/scale_test/readme.md
@@ -23,6 +23,7 @@ export NUM_LISTENERS=1
 ```
 
 If you want to disable indexing you need to explicitly set related environment variables to an empty string:
+
 ```
 export OS_INDEXING= # to disable indexing
 export ES_SERVER= # to disable indexing
@@ -32,7 +33,36 @@ export ES_SERVER= # to disable indexing
 
 `kube-burner init -c ./config.yaml --timeout 5m --uuid scale-test-$(openssl rand -hex 3)`
 
-Don't forget to increase the timeout if larger number of CRs are to be created.
+Don't forget to increase the timeout if a larger number of CRs are to be created. You might also modify policy templates based on your needs, e.g. increase limits in RateLimitPolicy CR templates etc.
+
+## Cleanup
+
+Automatic cleanup can be skipped:
+
+```
+export SKIP_CLEANUP=true
+```
+
+If so then note the UUID of your scale test run so that you can perform manual cleanup. The DNSPolicy CR needs to be removed manually first. That triggers corresponding DNSRecord CR removal. It is not handled gracefully by Kube Burner cleanup so better to remove it manually beforehand:
+
+```
+kubectl delete dnspolicy [:dns_policy_name] -n scale-test-0
+kube-burner destroy --uuid [:uuid]
+```
+
+## Quick Sanity Check
+
+If cleanup is skipped then quick sanity check that everything works can be done:
+
+```
+curl -k -s -o /dev/null -w "%{http_code}\n" -H "Authorization: APIKEY iamalice" https://api.scale-test-gw1-l1-i0.aws.kua.app-services-dev.net/get # expected result: 200
+
+curl -k -s -o /dev/null -w "%{http_code}\n" -H "Authorization: APIKEY iambob" https://api.scale-test-gw1-l1-i0.aws.kua.app-services-dev.net/get # expected result: 200
+
+curl -k -s -o /dev/null -w "%{http_code}\n" -H "Authorization: APIKEY iamX" https://api.scale-test-gw1-l1-i0.aws.kua.app-services-dev.net/get # expected result: 401
+```
+
+Based on limits configured in RateLimitPolicy CRs these commands can be repeated until `HTTP 429 Too Many Requests` is returned. Omit `-k` if valid certificates are used.
 
 ## Setting up a local cluster for execution