rebase

Author: rcrozean

.github/workflows/build.yaml

@@ -0,0 +1,54 @@
+name: Build and test operator images on push to every branch except main and pull requests
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches-ignore: [main]
+  workflow_dispatch: {}
+jobs:
+  build-test-operator:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+            ~/go/bin/
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - uses: actions/setup-go@v2
+        with:
+          go-version: "1.17.1"
+      - name: Build & Test
+        run: |
+          echo "/usr/local/kubebuilder/bin" >> $GITHUB_PATH
+          make toolchain build test
+        working-directory: operator
+  build-cli:
+    strategy:
+      matrix:
+        os: ["darwin", "linux"]
+        arch: ["amd64"]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+            ~/go/bin/
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - uses: actions/setup-go@v2
+        with:
+          go-version: "1.17.1"
+      - name: Build the KIT CLI
+        run: |
+          GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o ./bin/kitctl ./cmd/kitctl/
+        working-directory: substrate
+

.github/workflows/image.yaml

@@ -0,0 +1,46 @@
+name: Build the operator image and push to public ECR on the main branch
+on:
+  push:
+    branches: [main]
+  workflow_dispatch: {}
+jobs:
+  build-push-docker-image:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+            ~/go/bin/
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - uses: actions/setup-go@v2
+        with:
+          go-version: "1.17.1"
+      - name: Build & Test
+        run: |
+          echo "/usr/local/kubebuilder/bin" >> $GITHUB_PATH
+          make toolchain build test
+        working-directory: operator
+      - uses: docker/login-action@v1
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        env:
+          AWS_REGION: us-east-1
+      - name: Install KO binary
+        run: |
+          VERSION=0.8.3
+          OS=Linux
+          ARCH=x86_64
+          curl -L https://github.com/google/ko/releases/download/v${VERSION}/ko_${VERSION}_${OS}_${ARCH}.tar.gz | tar xzf - ko
+          chmod +x ./ko
+          mv ko ~/go/bin/
+      - name: Push to ECR public
+        run: |
+          KO_DOCKER_REPO=public.ecr.aws/i7d3g4r4/kit-operator ko publish --bare ./cmd/controller
+        working-directory: operator

.github/workflows/release.yaml

@@ -0,0 +1,97 @@
+name: Release operator version, generates a new Docker image and helm charts
+on:
+  push:
+    tags: ["v*"]
+  workflow_dispatch: {}
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.17.1"
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+            ~/go/bin/
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - uses: docker/login-action@v1
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        env:
+          AWS_REGION: us-east-1
+      - name: Install KO binary
+        run: |
+          VERSION=0.8.3
+          OS=Linux
+          ARCH=x86_64
+          curl -L https://github.com/google/ko/releases/download/v${VERSION}/ko_${VERSION}_${OS}_${ARCH}.tar.gz | tar xzf - ko
+          chmod +x ./ko
+          mv ko /usr/local/bin/
+      - name: Push to ECR public
+        run: |
+          make publish
+        working-directory: operator
+      - run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+      - uses: helm/[email protected]
+        with:
+          charts_dir: operator/charts
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+  release-cli:
+    strategy:
+      matrix:
+        os: ["darwin"]
+        arch: ["amd64"]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+            ~/go/bin/
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Set env
+        run: |
+          echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.17.1"
+      - name: Build the KIT CLI
+        run: |
+          GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o ./bin/kitctl ./cmd/kitctl/
+          zip ./bin/kitctl_${{ env.RELEASE_VERSION }}_${{ matrix.os }}_${{ matrix.arch }}.zip -j ./bin/kitctl
+        working-directory: substrate
+      - name: Attach the binary to release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: "./substrate/bin/kitctl_${{ env.RELEASE_VERSION }}_${{ matrix.os }}_${{ matrix.arch }}.zip"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Update brew formulae
+        uses: mislav/bump-homebrew-formula-action@v1
+        with:
+          formula-name: kitctl
+          formula-path: kitctl.rb
+          homebrew-tap: awslabs/kubernetes-iteration-toolkit
+          base-branch: main
+          download-url: https://github.com/awslabs/kubernetes-iteration-toolkit/releases/download/${{ env.RELEASE_VERSION }}/kitctl_${{ env.RELEASE_VERSION }}_${{ matrix.os }}_${{ matrix.arch }}.zip
+          commit-message: |
+            Update kitctl to ${{ env.RELEASE_VERSION }}
+            Created by Github actions during Release CLI action
+        env:
+          COMMITTER_TOKEN: ${{ secrets.UPLOAD_GITHUB_TOKEN }}

tests/assets/eks-pod-identity/config.yaml

@@ -0,0 +1,84 @@
+{{$namespacePrefix := DefaultParam .CL2_NAMESPACE_PREFIX "default"}}
+{{$namespaceCount := DefaultParam .CL2_NAMESPACE_COUNT 1}}
+{{$totalEksPodIdentityPods := DefaultParam .CL2_EKS_POD_IDENTITY_PODS 5000}}
+{{$timeoutEksPodIdentityPodCreation := DefaultParam .CL2_TIMEOUT_EKS_POD_IDENTITY_POD_CREATION "5m"}}
+{{$defaultQps := DefaultParam .CL2_DEFAULT_QPS  500}}
+{{$defaultBurst := DefaultParam .CL2_DEFAULT_BURST 1000}}
+{{$uniformQps := DefaultParam .CL2_UNIFORM_QPS 500}}
+
+{{$SCHEDULER_THROUGHPUT_THRESHOLD := DefaultParam .CL2_SCHEDULER_THROUGHPUT_THRESHOLD 100}}
+
+name: eks-pod-identity
+tuningSets:
+# default is a tuningset that is meant to be used when we don't have any specific requirements on pace of operations.
+- name: default
+  globalQPSLoad:
+    qps: {{$defaultQps}}
+    burst: {{$defaultBurst}}
+- name: UniformQPS
+  qpsLoad:
+    qps: {{$uniformQps}}
+steps:
+- name: Creating eks pod identity measurements
+  measurements:
+  - Identifier: EksPodIdentityPodStartupLatency
+    Method: PodStartupLatency
+    Params:
+      action: start
+      labelSelector: group = eks-pod-identity
+      threshold: 300s
+  - Identifier: EksPodIdentity
+# TODO: Move to SchedulingThroughputPrometheus which requires cl2 prom stack setup as pre-req
+    Method: SchedulingThroughput
+    Params:
+      action: start
+      labelSelector: group = eks-pod-identity
+      measurmentInterval: 1s
+# a pod identity association with (namespace: default, sa: default) is created as prerequisite
+- name: create eks pod identity pods
+  phases:
+  - namespaceRange:
+      min: 1
+      max: {{$namespaceCount}}
+      baseName: {{$namespacePrefix}}
+    replicasPerNamespace: {{$totalEksPodIdentityPods}}
+    tuningSet: UniformQPS
+    objectBundle:
+    - basename: eks-pod-identity
+      objectTemplatePath: pod-default.yaml
+      templateFillMap:
+        Group: eks-pod-identity
+- name: Waiting for eks pod identity pods to be created
+  measurements:
+  - Identifier: WaitForEksPodIdentityPods
+    Method: WaitForRunningPods
+    Params:
+      action: gather
+      timeout: {{$timeoutEksPodIdentityPodCreation}}
+      desiredPodCount: {{$totalEksPodIdentityPods}}
+      labelSelector: group = eks-pod-identity
+- name: Collecting eks pod identity measurements
+  measurements:
+  - Identifier: EksPodIdentityPodStartupLatency
+    Method: PodStartupLatency
+    Params:
+      action: gather
+  - Identifier: EksPodIdentity
+    Method: SchedulingThroughput
+    Params:
+      action: gather
+      enableViolations: true
+      threshold: {{$SCHEDULER_THROUGHPUT_THRESHOLD}}
+- name: Delete eks pod identity pods
+  phases:
+  - namespaceRange:
+      min: 1
+      max: {{$namespaceCount}}
+      baseName: {{$namespacePrefix}}
+    replicasPerNamespace: 0
+    tuningSet: default
+    objectBundle:
+    - basename: eks-pod-identity
+      objectTemplatePath: pod-default.yaml
+      templateFillMap:
+        Group: eks-pod-identity

tests/assets/eks-pod-identity/pia-trust-policy.json

@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "beta.pods.eks.aws.internal"
+        },
+        "Action": [
+          "sts:AssumeRole",
+          "sts:TagSession"
+        ]
+      }
+    ]
+}

tests/assets/eks-pod-identity/pod-default.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  generateName: eks-pod-identity-pod-churn-
+  labels:
+    group: {{.Group}}
+spec:
+  containers:
+  - image: registry.k8s.io/pause:3.9
+    name: pause
+  initContainers:
+  - name: app-init
+    image: amazon/aws-cli:latest
+    command: ["/bin/sh"]
+    args: ["-c", "aws sts get-caller-identity"]