|
| 1 | +--- |
| 2 | +name: perf-eval-soc-attack |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + inputs: |
| 6 | + ref: |
| 7 | + description: 'Branch or commit' |
| 8 | + required: false |
| 9 | + type: string |
| 10 | + tags: |
| 11 | + description: 'Tags (comma separated)' |
| 12 | + required: false |
| 13 | + type: string |
| 14 | +permissions: |
| 15 | + contents: read |
| 16 | + packages: write |
| 17 | +jobs: |
| 18 | + get-dev-image-with-extras: |
| 19 | + uses: ./.github/workflows/get_image.yaml |
| 20 | + with: |
| 21 | + image-base-name: "dev_image_with_extras" |
| 22 | + ref: ${{ inputs.ref }} |
| 23 | + |
| 24 | + soc-attack-perf: |
| 25 | + name: Sovereign SOC redis-attack perf eval |
| 26 | + needs: get-dev-image-with-extras |
| 27 | + runs-on: oracle-vm-16cpu-64gb-x86-64 |
| 28 | + container: |
| 29 | + image: ${{ needs.get-dev-image-with-extras.outputs.image-with-tag }} |
| 30 | + options: --cap-add=NET_ADMIN --device=/dev/net/tun |
| 31 | + steps: |
| 32 | + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
| 33 | + with: |
| 34 | + ref: ${{ inputs.ref }} |
| 35 | + fetch-depth: 0 |
| 36 | + - name: Add pwd to git safe dir |
| 37 | + run: git config --global --add safe.directory `pwd` |
| 38 | + - id: get-commit-sha |
| 39 | + run: echo "commit-sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT |
| 40 | + |
| 41 | + # TODO(ddelnano): swap TAILSCALE_AUTH_KEY for an OAuth client once one is |
| 42 | + # provisioned in the k8sstormcenter tailnet. Use |
| 43 | + # `tailscale/github-action@v2` with `oauth-client-id` and `oauth-secret` |
| 44 | + # inputs (`TS_OAUTH_CLIENT_ID` / `TS_OAUTH_CLIENT_SECRET` secrets) so |
| 45 | + # credentials rotate automatically instead of expiring on a fixed cadence. |
| 46 | + - name: Start Tailscale sidecar |
| 47 | + env: |
| 48 | + TS_AUTHKEY: ${{ secrets.TAILSCALE_AUTH_KEY }} |
| 49 | + run: | |
| 50 | + curl -fsSL https://tailscale.com/install.sh | sh |
| 51 | + mkdir -p /var/run/tailscale /var/lib/tailscale |
| 52 | + tailscaled \ |
| 53 | + --socket=/var/run/tailscale/tailscaled.sock \ |
| 54 | + --state=/var/lib/tailscale/tailscaled.state & |
| 55 | + until tailscale status --json >/dev/null 2>&1; do sleep 1; done |
| 56 | + tailscale up \ |
| 57 | + --authkey="${TS_AUTHKEY}" \ |
| 58 | + --accept-routes \ |
| 59 | + --hostname="pixie-perf-ci-${GITHUB_RUN_ID}" |
| 60 | +
|
| 61 | + - name: Write kubeconfig |
| 62 | + env: |
| 63 | + KUBECONFIG_B64: ${{ secrets.KUBECONFIG_B64 }} |
| 64 | + run: | |
| 65 | + mkdir -p "${RUNNER_TEMP}" |
| 66 | + echo "${KUBECONFIG_B64}" | base64 -d > "${RUNNER_TEMP}/kubeconfig" |
| 67 | + chmod 600 "${RUNNER_TEMP}/kubeconfig" |
| 68 | +
|
| 69 | + # Fail fast if Tailscale can't reach the cluster API, before the 2+ minute |
| 70 | + # bazel/skaffold build wastes time. |
| 71 | + - name: Tailscale connectivity probe |
| 72 | + env: |
| 73 | + KUBECONFIG: ${{ runner.temp }}/kubeconfig |
| 74 | + run: | |
| 75 | + tailscale status |
| 76 | + tailscale netcheck |
| 77 | + api_host="$(kubectl --kubeconfig="$KUBECONFIG" config view --minify -o jsonpath='{.clusters[0].cluster.server}' | sed -E 's|https?://||; s|/.*||')" |
| 78 | + api_ip="${api_host%%:*}" |
| 79 | + api_port="${api_host##*:}" |
| 80 | + echo "--- tailscale ping ${api_ip} ---" |
| 81 | + tailscale ping --c 3 --until-direct=false "${api_ip}" || true |
| 82 | + echo "--- tcp probe ${api_ip}:${api_port} ---" |
| 83 | + timeout 5 bash -c "</dev/tcp/${api_ip}/${api_port}" \ |
| 84 | + && echo "API port reachable" \ |
| 85 | + || { echo "API port UNREACHABLE"; exit 1; } |
| 86 | + echo "--- kubectl get nodes ---" |
| 87 | + kubectl --kubeconfig="$KUBECONFIG" get nodes |
| 88 | +
|
| 89 | + - name: Use github bazel config |
| 90 | + uses: ./.github/actions/bazelrc |
| 91 | + with: |
| 92 | + download_toplevel: 'true' |
| 93 | + BB_API_KEY: ${{ secrets.BB_IO_API_KEY }} |
| 94 | + |
| 95 | + # TODO(ddelnano): revert to `./.github/actions/gcloud_creds` once GCP_SA_KEY |
| 96 | + # is re-uploaded with `base64 -w0`. The shared composite uses plain |
| 97 | + # `base64 --decode` which rejects the wrapped (multi-line/CRLF) value |
| 98 | + # currently stored in the secret. |
| 99 | + - id: gcloud-creds |
| 100 | + env: |
| 101 | + SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SA_KEY }} |
| 102 | + run: | |
| 103 | + printf '%s' "$SERVICE_ACCOUNT_KEY" | base64 -di > /tmp/gcloud.json |
| 104 | + chmod 600 /tmp/gcloud.json |
| 105 | + echo "gcloud-creds=/tmp/gcloud.json" >> $GITHUB_OUTPUT |
| 106 | + - name: Activate gcloud service account |
| 107 | + env: |
| 108 | + GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} |
| 109 | + run: | |
| 110 | + service_account="$(jq -r '.client_email' "$GOOGLE_APPLICATION_CREDENTIALS")" |
| 111 | + gcloud auth activate-service-account "${service_account}" --key-file="$GOOGLE_APPLICATION_CREDENTIALS" |
| 112 | + gcloud auth configure-docker |
| 113 | +
|
| 114 | + - name: Log in to GHCR |
| 115 | + env: |
| 116 | + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 117 | + run: echo "${GH_TOKEN}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin |
| 118 | + |
| 119 | + - name: Build and install px CLI |
| 120 | + run: | |
| 121 | + bazel build --config=x86_64_sysroot //src/pixie_cli:px |
| 122 | + install -m 0755 bazel-bin/src/pixie_cli/px_/px /usr/local/bin/px |
| 123 | + px version |
| 124 | +
|
| 125 | + # The sovereign-soc suite installs Kubescape + Vector on the experiment |
| 126 | + # cluster as part of the run (see KubescapeVectorWorkload). The |
| 127 | + # kubescape-operator chart is pre-rendered under |
| 128 | + # src/e2e_test/perf_tool/pkg/suites/k8s/sovereign-soc/helm-rendered/ |
| 129 | + # and applied via PrerenderedDeploy, so no extra ./scripts step is needed. |
| 130 | + # |
| 131 | + # ClickHouse operator metrics are scraped on the forensic cluster via |
| 132 | + # the prom_recorder_override; the kubescape node-agent prom recorder |
| 133 | + # is intentionally NOT overridden — kubescape runs on the experiment |
| 134 | + # cluster (where redis+bobctl drive traffic), so the recorder uses the |
| 135 | + # default kubeconfig. |
| 136 | + - name: Run sovereign-soc redis-attack perf |
| 137 | + env: |
| 138 | + PX_API_KEY: ${{ secrets.PX_API_KEY }} |
| 139 | + GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }} |
| 140 | + KUBECONFIG: ${{ runner.temp }}/kubeconfig |
| 141 | + run: | |
| 142 | + bazel run //src/e2e_test/perf_tool:perf_tool -- run \ |
| 143 | + --api_key="${PX_API_KEY}" \ |
| 144 | + --cloud_addr=pixie.austrianopencloudcommunity.org:443 \ |
| 145 | + --commit_sha="${{ steps.get-commit-sha.outputs.commit-sha }}" \ |
| 146 | + --experiment_name=redis-attack \ |
| 147 | + --suite=sovereign-soc \ |
| 148 | + --use_local_cluster \ |
| 149 | + --export_backend=parquet-gcs \ |
| 150 | + --gcs_bucket=k8sstormcenter-soc-perf \ |
| 151 | + --container_repo=ghcr.io/k8sstormcenter \ |
| 152 | + --prom_recorder_override 'clickhouse-operator=:k8ss-forensic' \ |
| 153 | + --tags "${{ inputs.tags }}" |
| 154 | +
|
| 155 | + - name: Tailscale logout |
| 156 | + if: always() |
| 157 | + run: tailscale logout || true |
0 commit comments