11 changes: 11 additions & 0 deletions cmd/cluster-authentication-operator-tests-ext/main.go
@@ -14,6 +14,7 @@ import (

_ "github.com/openshift/cluster-authentication-operator/test/e2e"
_ "github.com/openshift/cluster-authentication-operator/test/e2e-encryption-kms"
_ "github.com/openshift/cluster-authentication-operator/test/e2e-encryption-perf"

"k8s.io/klog/v2"
)
@@ -92,6 +93,16 @@ func prepareOperatorTestsRegistry() (*oteextension.Registry, error) {
ClusterStability: oteextension.ClusterStabilityDisruptive,
})

// ClusterStability set to Disruptive: encryption perf tests trigger API server rollouts.
extension.AddSuite(oteextension.Suite{
Name: "openshift/cluster-authentication-operator/operator-encryption-perf/serial",
Parallelism: 1,
ClusterStability: oteextension.ClusterStabilityDisruptive,
Qualifiers: []string{
`name.contains("[Encryption]") && name.contains("[Serial]") && name.contains("Perf")`,
},
})

// The following suite runs KMS encryption tests.
extension.AddSuite(oteextension.Suite{
Name: "openshift/cluster-authentication-operator/encryption-kms",
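Review bot: The qualifier on the new `operator-encryption-perf/serial` suite selects by the bare substring `name.contains("Perf")`, which matches today only because the Go function name `TestPerfEncryptionTypeAESCBC` is embedded in the spec text; a later rename, or an unrelated spec whose name happens to contain "Perf", would silently change what this disruptive suite runs. A bracketed tag is sturdier: name the spec `[Encryption][Serial][Perf] ...` and match `name.contains("[Perf]")`. The spec also carries `[Encryption]` and `[Serial]`, so any existing suite that qualifies on those two tags alone would pick up the perf run as well; those qualifiers are outside this hunk, so it is worth confirming they exclude it. prepareOperatorTestsRegistry starts and ends outside the hunk.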
2 changes: 1 addition & 1 deletion go.mod
@@ -14,7 +14,7 @@ require (
github.com/openshift/api v0.0.0-20260623101811-c5eb460d04e3
github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af
github.com/openshift/client-go v0.0.0-20260622130833-df412d4d283e
github.com/openshift/library-go v0.0.0-20260629134817-a64e9a6e21ca
github.com/openshift/library-go v0.0.0-20260630085645-45679084a74b
github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d
github.com/openshift/oauth-apiserver v0.0.0-20260520145010-97a820bd5412
github.com/spf13/cobra v1.10.0
4 changes: 2 additions & 2 deletions go.sum
@@ -178,8 +178,8 @@ github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af h1:Ui
github.com/openshift/build-machinery-go v0.0.0-20251023084048-5d77c1a5e5af/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
github.com/openshift/client-go v0.0.0-20260622130833-df412d4d283e h1:NrVmCwy3vBk6UTY+cNNFHbnB40FyusJmeUIInQod/v8=
github.com/openshift/client-go v0.0.0-20260622130833-df412d4d283e/go.mod h1:lMQvYPtn6LrPO/YX2j5xdv2h6BRWgYVq1tMA3qA3N9k=
github.com/openshift/library-go v0.0.0-20260629134817-a64e9a6e21ca h1:oaM6++TO9YY9T2w1QMANcqlWY2Qc3qHkkehaFVpgPxg=
github.com/openshift/library-go v0.0.0-20260629134817-a64e9a6e21ca/go.mod h1:8d0qQEDq2kpIZmaE1tKpvZ4pLeQZT+mW2JpqAh3iZIc=
github.com/openshift/library-go v0.0.0-20260630085645-45679084a74b h1:cvaJORPgfCAZeFI+JqlaOvFosGJHd/fX2vOQZCTeTPU=
github.com/openshift/library-go v0.0.0-20260630085645-45679084a74b/go.mod h1:8d0qQEDq2kpIZmaE1tKpvZ4pLeQZT+mW2JpqAh3iZIc=
github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d h1:Rzx23P63JFNNz5D23ubhC0FCN5rK8CeJhKcq5QKcdyU=
github.com/openshift/multi-operator-manager v0.0.0-20241205181422-20aa3906b99d/go.mod h1:iVi9Bopa5cLhjG5ie9DoZVVqkH8BGb1FQVTtecOLn4I=
github.com/openshift/oauth-apiserver v0.0.0-20260520145010-97a820bd5412 h1:oDB0GmUXLp8y85fWz+LGRE0hM5JqbXTfNPi5GjEqiX0=
112 changes: 112 additions & 0 deletions test/e2e-encryption-perf/encryption_perf.go
@@ -0,0 +1,112 @@
package e2e_encryption_perf

import (
"context"
"fmt"
"testing"
"time"

g "github.com/onsi/ginkgo/v2"
"github.com/stretchr/testify/require"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"

configv1 "github.com/openshift/api/config/v1"
oauthapiv1 "github.com/openshift/api/oauth/v1"
operatorv1 "github.com/openshift/api/operator/v1"
oauthclient "github.com/openshift/client-go/oauth/clientset/versioned/typed/oauth/v1"
operatorlibrary "github.com/openshift/cluster-authentication-operator/test/library"
operatorencryption "github.com/openshift/cluster-authentication-operator/test/library/encryption"
library "github.com/openshift/library-go/test/library/encryption"
)

const (
tokenStatsKey = "created oauthaccesstokens"
)

var _ = g.Describe("[sig-auth] authentication operator", func() {
g.It("[Encryption][Serial] TestPerfEncryptionTypeAESCBC", func(ctx context.Context) {
testPerfEncryptionTypeAESCBC(ctx, g.GinkgoTB())
})
})

func testPerfEncryptionTypeAESCBC(ctx context.Context, tt testing.TB) {
ctx, cancel := context.WithTimeout(ctx, 30*time.Minute)
tt.Cleanup(cancel)
clientSet := getPerfClients(tt)
library.TestPerfEncryption(ctx, tt, library.PerfScenario{
BasicScenario: library.BasicScenario{
Namespace: "openshift-config-managed",
LabelSelector: "encryption.apiserver.operator.openshift.io/component" + "=" + "openshift-oauth-apiserver",
EncryptionConfigSecretName: fmt.Sprintf("encryption-config-%s", "openshift-oauth-apiserver"),
EncryptionConfigSecretNamespace: "openshift-config-managed",
OperatorNamespace: "openshift-authentication-operator",
TargetGRs: operatorencryption.DefaultTargetGRs,
AssertFunc: operatorencryption.AssertTokens,
},
GetOperatorConditionsFunc: func(t testing.TB) ([]operatorv1.OperatorCondition, error) {
apiServerOperator, err := clientSet.OperatorClient.Get(ctx, "cluster", metav1.GetOptions{})
if err != nil {
return nil, err
}
return apiServerOperator.Status.Conditions, nil
},
AssertDBPopulatedFunc: func(t testing.TB, errorStore map[string]int, statStore map[string]int) {
require.Empty(t, errorStore, "db loader workers reported errors")

tokenCount, ok := statStore[tokenStatsKey]
require.True(t, ok, "missing oauth access tokens count stats")
require.GreaterOrEqual(t, tokenCount, 14000)
t.Logf("Created %d access tokens", tokenCount)
},
Comment thread
ropatil010 marked this conversation as resolved.
AssertMigrationTime: func(t testing.TB, migrationTime time.Duration) {
t.Logf("migration took %v", migrationTime)
expectedMigrationTime := 10 * time.Minute
if migrationTime > expectedMigrationTime {
t.Errorf("migration took too long (%v), expected it to take no more than %v", migrationTime, expectedMigrationTime)
}
},
DBLoaderWorkers: 3,
DBLoaderFunc: library.DBLoaderRepeat(1, false,
library.DBLoaderRepeatParallel(5010, 50, false, createAccessTokenWrapper(ctx, clientSet.TokenClient), reportSecret)),
EncryptionProvider: library.EncryptionProvider{
APIServerEncryption: configv1.APIServerEncryption{Type: configv1.EncryptionTypeAESCBC},
},
})
}

func createAccessTokenWrapper(ctx context.Context, tokenClient oauthclient.OAuthAccessTokensGetter) library.DBLoaderFuncType {
return func(_ kubernetes.Interface, namespace string, errorCollector func(error), statsCollector func(string)) error {
_, tokenNameHash := operatorlibrary.GenerateOAuthTokenPair()
token := &oauthapiv1.OAuthAccessToken{
ObjectMeta: metav1.ObjectMeta{
Name: tokenNameHash,
},
RefreshToken: "I have no special talents. I am only passionately curious",
UserName: "kube:admin",
Scopes: []string{"user:full"},
RedirectURI: "redirect.me.to.token.of.life",
ClientName: "console",
UserUID: "non-existing-user-id",
}
_, err := tokenClient.OAuthAccessTokens().Create(ctx, token, metav1.CreateOptions{})
return err
}
}

func reportSecret(_ kubernetes.Interface, _ string, _ func(error), statsCollector func(string)) error {
statsCollector(tokenStatsKey)
return nil
}

func getPerfClients(t testing.TB) operatorencryption.ClientSet {
t.Helper()

kubeConfig := operatorlibrary.NewClientConfigForTest(t)

kubeConfig.QPS = 300
kubeConfig.Burst = 600

return operatorencryption.GetClientsFor(t, kubeConfig)
}
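Review bot: `createAccessTokenWrapper` creates on the order of 15,000 cluster-scoped OAuthAccessToken objects (3 workers, 5010 repeats) for `kube:admin` with scope `user:full`, and nothing in this file deletes them or bounds their lifetime. The bearer half returned by `GenerateOAuthTokenPair()` is discarded and `UserUID` is a dummy value, so they are unlikely to be usable, but `ExpiresIn` is left at zero, which I believe the OAuth server treats as non-expiring, so they stay in etcd unless `library.TestPerfEncryption` cleans up (not visible here). Consider setting `ExpiresIn: 3600,` on the token and adding `Labels: map[string]string{"<test-label-key>": "perf"}` to its `ObjectMeta`, so that a `tt.Cleanup` can remove them with a single `DeleteCollection` call. Separately, `reportSecret` records `tokenStatsKey`, so a name like `reportToken` would describe it better.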
107 changes: 6 additions & 101 deletions test/e2e-encryption-perf/encryption_perf_test.go
@@ -1,109 +1,14 @@
package e2e_encryption_perf

import (
"context"
"errors"
"fmt"
"testing"
"time"

"github.com/stretchr/testify/require"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"

configv1 "github.com/openshift/api/config/v1"
oauthapiv1 "github.com/openshift/api/oauth/v1"
operatorv1 "github.com/openshift/api/operator/v1"
oauthclient "github.com/openshift/client-go/oauth/clientset/versioned/typed/oauth/v1"
operatorlibrary "github.com/openshift/cluster-authentication-operator/test/library"
operatorencryption "github.com/openshift/cluster-authentication-operator/test/library/encryption"
library "github.com/openshift/library-go/test/library/encryption"
)

const (
tokenStatsKey = "created oauthaccesstokens"
)

// This test calls the shared test function which
// can be called from both standard Go tests and Ginkgo tests.
//
// This situation is temporary until we verify the new e2e-aws-operator-encryption-perf-serial-ote job.
// Eventually all tests will be run only as part of the OTE framework.
func TestPerfEncryptionTypeAESCBC(tt *testing.T) {
ctx := context.TODO()
clientSet := getPerfClients(tt)
library.TestPerfEncryption(tt.Context(), tt, library.PerfScenario{
BasicScenario: library.BasicScenario{
Namespace: "openshift-config-managed",
LabelSelector: "encryption.apiserver.operator.openshift.io/component" + "=" + "openshift-oauth-apiserver",
EncryptionConfigSecretName: fmt.Sprintf("encryption-config-%s", "openshift-oauth-apiserver"),
EncryptionConfigSecretNamespace: "openshift-config-managed",
OperatorNamespace: "openshift-authentication-operator",
TargetGRs: operatorencryption.DefaultTargetGRs,
AssertFunc: operatorencryption.AssertTokens,
},
GetOperatorConditionsFunc: func(t testing.TB) ([]operatorv1.OperatorCondition, error) {
apiServerOperator, err := clientSet.OperatorClient.Get(ctx, "cluster", metav1.GetOptions{})
if err != nil {
return nil, err
}
return apiServerOperator.Status.Conditions, nil
},
AssertDBPopulatedFunc: func(t testing.TB, errorStore map[string]int, statStore map[string]int) {
tokenCount, ok := statStore[tokenStatsKey]
if !ok {
err := errors.New("missing oauth access tokens count stats, can't continue the test")
require.NoError(t, err)
}
if tokenCount < 14000 {
err := fmt.Errorf("expected to create at least 14000 tokens but %d were created", tokenCount)
require.NoError(t, err)
}
t.Logf("Created %d access tokens", tokenCount)
},
AssertMigrationTime: func(t testing.TB, migrationTime time.Duration) {
t.Logf("migration took %v", migrationTime)
expectedMigrationTime := 10 * time.Minute
if migrationTime > expectedMigrationTime {
t.Errorf("migration took too long (%v), expected it to take no more than %v", migrationTime, expectedMigrationTime)
}
},
DBLoaderWorkers: 3,
DBLoaderFunc: library.DBLoaderRepeat(1, false,
library.DBLoaderRepeatParallel(5010, 50, false, createAccessTokenWrapper(ctx, clientSet.TokenClient), reportSecret)),
EncryptionProvider: library.EncryptionProvider{
APIServerEncryption: configv1.APIServerEncryption{Type: configv1.EncryptionType("aescbc")},
},
})
}

func createAccessTokenWrapper(ctx context.Context, tokenClient oauthclient.OAuthAccessTokensGetter) library.DBLoaderFuncType {
return func(_ kubernetes.Interface, namespace string, errorCollector func(error), statsCollector func(string)) error {
_, tokenNameHash := operatorlibrary.GenerateOAuthTokenPair()
token := &oauthapiv1.OAuthAccessToken{
ObjectMeta: metav1.ObjectMeta{
Name: tokenNameHash,
},
RefreshToken: "I have no special talents. I am only passionately curious",
UserName: "kube:admin",
Scopes: []string{"user:full"},
RedirectURI: "redirect.me.to.token.of.life",
ClientName: "console",
UserUID: "non-existing-user-id",
}
_, err := tokenClient.OAuthAccessTokens().Create(ctx, token, metav1.CreateOptions{})
return err
}
}

func reportSecret(_ kubernetes.Interface, _ string, _ func(error), statsCollector func(string)) error {
statsCollector(tokenStatsKey)
return nil
}

func getPerfClients(t *testing.T) operatorencryption.ClientSet {
t.Helper()

kubeConfig := operatorlibrary.NewClientConfigForTest(t)

kubeConfig.QPS = 300
kubeConfig.Burst = 600

return operatorencryption.GetClientsFor(t, kubeConfig)
testPerfEncryptionTypeAESCBC(tt.Context(), tt)
}
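Review bot: Passing `tt.Context()` into `testPerfEncryptionTypeAESCBC` makes it the parent of every client call, including `GetOperatorConditionsFunc` and the token loader, which used `context.TODO()` before this change. The testing package cancels that context just before Cleanup-registered functions run, so any teardown step the shared scenario registers that polls operator conditions or talks to the API would now fail with a canceled context. Whether `library.TestPerfEncryption` registers such cleanup is not visible in this section; if it does, giving the closures a context derived with `context.WithoutCancel(ctx)` inside the shared function keeps teardown working while the 30-minute timeout still bounds the main run.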
