Security fixes ; KIT tekton tasks and flux integration; KIT Tekton Pipeline periodics (#45)

* security vulnerabilities fix; Kit tekton tasks; pipeline periodics;

Co-authored-by: Harish Kuna <[email protected]>

Author: hakuna-matatah

testbed/addons/awslb/construct.ts

@@ -23,7 +23,7 @@ export class AWSLoadBalancerController extends cdk.Construct {
             managedPolicyArn: `arn:aws:iam::aws:policy/AdministratorAccess`
         });
 
-        const manifest = props.cluster.addManifest('awsLbcCrdManifest', ...yaml.loadAll(request.default('GET', 'https://raw.githubusercontent.com/aws/eks-charts/master/stable/aws-load-balancer-controller/crds/crds.yaml').getBody().toString()));
+        const manifest = props.cluster.addManifest('awsLbcCrdManifest', ...yaml.loadAll(request.default('GET', 'https://raw.githubusercontent.com/aws/eks-charts/master/stable/aws-load-balancer-controller/crds/crds.yaml').getBody().toString()) as [Record<string,unknown>]);
 
         const chart = props.cluster.addHelmChart('AWSLBCHelmChart', {
             chart: 'aws-load-balancer-controller',

testbed/addons/flux/construct.ts

@@ -20,7 +20,7 @@ export class Flux extends cdk.Construct {
 
         const fluxManifest = props.cluster.addManifest(
             'flux', ...yaml.loadAll(request.default(
-                "GET", "https://github.com/fluxcd/flux2/releases/download/v0.15.0/install.yaml").getBody().toString()));
+                "GET", "https://github.com/fluxcd/flux2/releases/download/v0.15.0/install.yaml").getBody().toString()) as [Record<string,unknown>]);
 
         props.repositories.forEach(function (value, index) {
             // Bootstrap manifests

testbed/addons/kit/construct.ts

@@ -75,9 +75,8 @@ export class Kit extends cdk.Construct {
 
         // Install kit
         const chart = props.cluster.addHelmChart('kit', {
-            chart: 'kit',
-            release: 'kit',
-            version: 'v0.0.1',
+            chart: 'kit-operator',
+            release: 'kit-operator',
             repository: 'https://github.com/awslabs/kubernetes-iteration-toolkit/tree/main/operator/charts/kit-operator',
             namespace: namespace,
             createNamespace: false,

testbed/package-lock.json

@@ -10,22 +10,21 @@
     "cdk": "cdk"
   },
   "devDependencies": {
-    "@aws-cdk/assert": "1.108.1",
-    "@types/jest": "^26.0.10",
-    "@types/js-yaml": "^4.0.1",
+    "@aws-cdk/assert": "^1.127.0",
+    "@types/jest": "^26.0.24",
+    "@types/js-yaml": "^4.0.3",
     "@types/node": "10.17.27",
-    "aws-cdk": "1.108.1",
-    "jest": "^26.4.2",
+    "aws-cdk": "^1.127.0",
+    "jest": "^27.2.5",
     "ts-jest": "^26.2.0",
     "ts-node": "^9.0.0",
     "typescript": "~3.9.7"
   },
   "dependencies": {
-    "@aws-cdk/aws-ec2": "1.108.1",
-    "@aws-cdk/aws-eks": "1.108.1",
-    "@aws-cdk/aws-iam": "1.108.1",
-    "@aws-cdk/core": "1.108.1",
-    "@types/js-yaml": "^4.0.1",
+    "@aws-cdk/aws-ec2": "1.127.0",
+    "@aws-cdk/aws-eks": "1.127.0",
+    "@aws-cdk/aws-iam": "1.127.0",
+    "@aws-cdk/core": "1.127.0",
     "js-yaml": "^4.0.1",
     "sync-request": "6.1.0"
   }

testbed/package.json

@@ -6,3 +6,6 @@ resources:
 - tasks/setup/eksctl/default.yaml
 - tasks/teardown/eksctl.yaml
 - pipelines/eks/upstream-load.yaml
+- tasks/setup/kit-cluster/default.yaml
+- tasks/teardown/kit.yaml
+- pipelines/kit/upstream-load.yaml

tests/kustomization.yaml

@@ -0,0 +1,88 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Pipeline
+metadata:
+  name: kitloadtest
+spec:
+  workspaces:
+    - name: config
+    - name: source
+    - name: results
+  params:
+  - name: cluster-name
+    description: The name of the kit cluster you want to spin.
+  - name: host-cluster-region
+    default: "us-west-2"
+    description: The region where the Host EKS cluster is in.
+  - name: guest-cluster-region
+    default: "us-west-2"
+    description: The region where the kit cluster is created.
+  - name: control-plane-spec
+    description:  url to the controlplane spec.
+  - name: dataplane-spec
+    description: url to the dataplane spec.
+  - name: giturl
+    description: "git url to clone the package"
+    default: https://github.com/kubernetes/perf-tests.git
+  - name: pods-per-node
+    description: "pod density"
+    default: "10"
+  - name: nodes-per-namespace
+    description:  "nodes per namespace to get created for load test "
+    default: "100"
+  - name: cl2-load-test-throughput
+    description: "throughput used for mutate operations"
+    default: "15"
+  - name: results-bucket
+    description: "Results bucket with path of s3 to upload results"
+  - name: desired-nodes
+    description: The desired number of nodes in the cluster which we define in DataPlane spec.
+  tasks:
+  - name: create-kit-cluster
+    taskRef:
+      name: kit-cluster-create
+    params:
+      - name: cluster-name
+        value: '$(params.cluster-name)'
+      - name: host-cluster-region
+        value: '$(params.host-cluster-region)'
+      - name: guest-cluster-region
+        value: '$(params.guest-cluster-region)'
+      - name: control-plane-spec
+        value: '$(params.control-plane-spec)'
+      - name: dataplane-spec
+        value: '$(params.dataplane-spec)'
+    workspaces:
+      - name: config    
+        workspace: config
+  - name: generate
+    runAfter: [create-kit-cluster]
+    taskRef:
+      name: load
+    params:
+      - name: giturl
+        value: '$(params.giturl)'
+      - name: pods-per-node
+        value: '$(params.pods-per-node)'
+      - name: nodes-per-namespace
+        value: '$(params.nodes-per-namespace)'
+      - name: cl2-load-test-throughput
+        value: '$(params.cl2-load-test-throughput)'
+      - name: results-bucket
+        value: '$(params.results-bucket)'
+      - name: nodes
+        value: '$(params.desired-nodes)'
+    workspaces:
+      - name: source
+        workspace: source
+      - name: config    
+        workspace: config
+      - name: results
+        workspace: results
+  - name: teardown
+    runAfter: [generate]
+    taskRef:
+      name: kit-cluster-teardown
+    params:
+      - name: cluster-name
+        value: '$(params.cluster-name)'

tests/pipelines/kit/upstream-load.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: kit-cluster-create
+spec:
+  description: |
+    Create a KIT cluster.
+    This Task can be used to create an KIT cluster in an AWS account and write a kubeconfig to a desired location that
+    can be used by other tasks (in a context with kubectl) to make requests to the cluster.
+  params:
+  - name: cluster-name
+    description: The name of the KIT cluster you want to spin.
+  - name: host-cluster-region
+    default: "us-west-2"
+    description: The region where the Host EKS cluster is in.
+  - name: guest-cluster-region
+    default: "us-west-2"
+    description: The region where the kit cluster is created.
+  - name: control-plane-spec
+    description:  url to the controlplane spec.
+  - name: dataplane-spec
+    description: url to the dataplane spec.
+  workspaces:
+  - name: config
+    description: |
+      A workspace into which a kubeconfig file called `kubeconfig` for Guest(kit-type) cluster will be written that will contain the information required to access the cluster.
+  steps:
+  - name: write-kubeconfig
+    image: amazon/aws-cli
+    script: |
+      curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+      install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+      kubectl version
+      aws eks update-kubeconfig --name testbed --region $(params.host-cluster-region)
+      kubectl config current-context
+      #Provision a control plane for the guest cluster
+      kubectl create -f $(params.control-plane-spec)
+      #Provision a dataplane plane for the guest cluster
+      kubectl create -f $(params.dataplane-spec)
+      #Get the admin KUBECONFIG for the guest cluster from the substrate cluster
+      kubectl get secret $(params.cluster-name)-kube-admin-config -ojsonpath='{.data.config}' | base64 -d > $(workspaces.config.path)/kubeconfig
+      #Deploy CNI plugin to the guest cluster for the nodes to be ready.
+      #Todo: CNI installation only works for `us-west-2`, yet to decide how to tackle other regions.
+      kubectl --kubeconfig=$(workspaces.config.path)/kubeconfig apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/master/config/v1.9/aws-k8s-cni.yaml
+      sleep 300

tests/tasks/setup/kit-cluster/default.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: kit-cluster-teardown
+spec:
+  description: |
+    Teardown an KIT cluster.
+    This Task can be used to teardown an KIT cluster in an AWS account.
+  params:
+  - name: cluster-name
+    description: The name of the EKS cluster which will be teared down.
+  steps:
+  - name: delete-cluster
+    image: amazon/aws-cli
+    script: |
+      kubectl version
+      aws eks update-kubeconfig --name testbed --region $(params.host-cluster-region)
+      kubectl config current-context 
+      #delete kit controlplane spec and dataplane spec crds
+      kubectl delete ControlPlane --name $(params.cluster-name)

tests/tasks/teardown/kit.yaml

@@ -0,0 +1,61 @@
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: kit-small-upstream-load
+spec:
+  schedule: "0 8 * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: curl
+            image: curlimages/curl
+            args: ["curl", "-X", "POST", "--data", "{}", "el-kit-small-upstream-load.default.svc.cluster.local:8080"]
+          restartPolicy: Never
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerBinding
+metadata:
+  name: kit-small-upstream-load
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: EventListener
+metadata:
+  name: kit-small-upstream-load
+spec:
+  serviceAccountName: tekton-triggers
+  triggers:
+    - name: cron
+      bindings:
+      - ref: kit-small-upstream-load
+      template:
+        ref: kit-small-upstream-load 
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerTemplate
+metadata:
+  name: kit-small-upstream-load
+spec:
+  resourcetemplates:
+  - apiVersion: tekton.dev/v1beta1
+    kind: PipelineRun
+    metadata:
+      generateName: kit-small-upstream-load-
+    spec:
+      pipelineRef:
+        name: loadtest
+      serviceAccountName: test-executor
+      workspaces:
+      - name: source
+        emptyDir: {}
+      - name: config
+        emptyDir: {}
+      - name: results
+        emptyDir: {}
+      params:
+      - name: cluster-name
+        value: "kit-small"
+      - name: results-bucket
+        value: "kit-scalability-dev/$(date +'%Y/%m/%d/%HH/%mm)/$(context.pipelineRun.uid)"