Skip to content

Commit ba9eebf

Browse files
committed
Add perf soc attack workflow
Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
1 parent 5fc4b57 commit ba9eebf

1 file changed

Lines changed: 157 additions & 0 deletions

File tree

Lines changed: 157 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,157 @@
1+
---
2+
name: perf-eval-soc-attack
3+
on:
4+
workflow_dispatch:
5+
inputs:
6+
ref:
7+
description: 'Branch or commit'
8+
required: false
9+
type: string
10+
tags:
11+
description: 'Tags (comma separated)'
12+
required: false
13+
type: string
14+
permissions:
15+
contents: read
16+
packages: write
17+
jobs:
18+
get-dev-image-with-extras:
19+
uses: ./.github/workflows/get_image.yaml
20+
with:
21+
image-base-name: "dev_image_with_extras"
22+
ref: ${{ inputs.ref }}
23+
24+
soc-attack-perf:
25+
name: Sovereign SOC redis-attack perf eval
26+
needs: get-dev-image-with-extras
27+
runs-on: oracle-vm-16cpu-64gb-x86-64
28+
container:
29+
image: ${{ needs.get-dev-image-with-extras.outputs.image-with-tag }}
30+
options: --cap-add=NET_ADMIN --device=/dev/net/tun
31+
steps:
32+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
33+
with:
34+
ref: ${{ inputs.ref }}
35+
fetch-depth: 0
36+
- name: Add pwd to git safe dir
37+
run: git config --global --add safe.directory `pwd`
38+
- id: get-commit-sha
39+
run: echo "commit-sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
40+
41+
# TODO(ddelnano): swap TAILSCALE_AUTH_KEY for an OAuth client once one is
42+
# provisioned in the k8sstormcenter tailnet. Use
43+
# `tailscale/github-action@v2` with `oauth-client-id` and `oauth-secret`
44+
# inputs (`TS_OAUTH_CLIENT_ID` / `TS_OAUTH_CLIENT_SECRET` secrets) so
45+
# credentials rotate automatically instead of expiring on a fixed cadence.
46+
- name: Start Tailscale sidecar
47+
env:
48+
TS_AUTHKEY: ${{ secrets.TAILSCALE_AUTH_KEY }}
49+
run: |
50+
curl -fsSL https://tailscale.com/install.sh | sh
51+
mkdir -p /var/run/tailscale /var/lib/tailscale
52+
tailscaled \
53+
--socket=/var/run/tailscale/tailscaled.sock \
54+
--state=/var/lib/tailscale/tailscaled.state &
55+
until tailscale status --json >/dev/null 2>&1; do sleep 1; done
56+
tailscale up \
57+
--authkey="${TS_AUTHKEY}" \
58+
--accept-routes \
59+
--hostname="pixie-perf-ci-${GITHUB_RUN_ID}"
60+
61+
- name: Write kubeconfig
62+
env:
63+
KUBECONFIG_B64: ${{ secrets.KUBECONFIG_B64 }}
64+
run: |
65+
mkdir -p "${RUNNER_TEMP}"
66+
echo "${KUBECONFIG_B64}" | base64 -d > "${RUNNER_TEMP}/kubeconfig"
67+
chmod 600 "${RUNNER_TEMP}/kubeconfig"
68+
69+
# Fail fast if Tailscale can't reach the cluster API, before the 2+ minute
70+
# bazel/skaffold build wastes time.
71+
- name: Tailscale connectivity probe
72+
env:
73+
KUBECONFIG: ${{ runner.temp }}/kubeconfig
74+
run: |
75+
tailscale status
76+
tailscale netcheck
77+
api_host="$(kubectl --kubeconfig="$KUBECONFIG" config view --minify -o jsonpath='{.clusters[0].cluster.server}' | sed -E 's|https?://||; s|/.*||')"
78+
api_ip="${api_host%%:*}"
79+
api_port="${api_host##*:}"
80+
echo "--- tailscale ping ${api_ip} ---"
81+
tailscale ping --c 3 --until-direct=false "${api_ip}" || true
82+
echo "--- tcp probe ${api_ip}:${api_port} ---"
83+
timeout 5 bash -c "</dev/tcp/${api_ip}/${api_port}" \
84+
&& echo "API port reachable" \
85+
|| { echo "API port UNREACHABLE"; exit 1; }
86+
echo "--- kubectl get nodes ---"
87+
kubectl --kubeconfig="$KUBECONFIG" get nodes
88+
89+
- name: Use github bazel config
90+
uses: ./.github/actions/bazelrc
91+
with:
92+
download_toplevel: 'true'
93+
BB_API_KEY: ${{ secrets.BB_IO_API_KEY }}
94+
95+
# TODO(ddelnano): revert to `./.github/actions/gcloud_creds` once GCP_SA_KEY
96+
# is re-uploaded with `base64 -w0`. The shared composite uses plain
97+
# `base64 --decode` which rejects the wrapped (multi-line/CRLF) value
98+
# currently stored in the secret.
99+
- id: gcloud-creds
100+
env:
101+
SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SA_KEY }}
102+
run: |
103+
printf '%s' "$SERVICE_ACCOUNT_KEY" | base64 -di > /tmp/gcloud.json
104+
chmod 600 /tmp/gcloud.json
105+
echo "gcloud-creds=/tmp/gcloud.json" >> $GITHUB_OUTPUT
106+
- name: Activate gcloud service account
107+
env:
108+
GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
109+
run: |
110+
service_account="$(jq -r '.client_email' "$GOOGLE_APPLICATION_CREDENTIALS")"
111+
gcloud auth activate-service-account "${service_account}" --key-file="$GOOGLE_APPLICATION_CREDENTIALS"
112+
gcloud auth configure-docker
113+
114+
- name: Log in to GHCR
115+
env:
116+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
117+
run: echo "${GH_TOKEN}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
118+
119+
- name: Build and install px CLI
120+
run: |
121+
bazel build --config=x86_64_sysroot //src/pixie_cli:px
122+
install -m 0755 bazel-bin/src/pixie_cli/px_/px /usr/local/bin/px
123+
px version
124+
125+
# The sovereign-soc suite installs Kubescape + Vector on the experiment
126+
# cluster as part of the run (see KubescapeVectorWorkload). The
127+
# kubescape-operator chart is pre-rendered under
128+
# src/e2e_test/perf_tool/pkg/suites/k8s/sovereign-soc/helm-rendered/
129+
# and applied via PrerenderedDeploy, so no extra ./scripts step is needed.
130+
#
131+
# ClickHouse operator metrics are scraped on the forensic cluster via
132+
# the prom_recorder_override; the kubescape node-agent prom recorder
133+
# is intentionally NOT overridden — kubescape runs on the experiment
134+
# cluster (where redis+bobctl drive traffic), so the recorder uses the
135+
# default kubeconfig.
136+
- name: Run sovereign-soc redis-attack perf
137+
env:
138+
PX_API_KEY: ${{ secrets.PX_API_KEY }}
139+
GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.gcloud-creds.outputs.gcloud-creds }}
140+
KUBECONFIG: ${{ runner.temp }}/kubeconfig
141+
run: |
142+
bazel run //src/e2e_test/perf_tool:perf_tool -- run \
143+
--api_key="${PX_API_KEY}" \
144+
--cloud_addr=pixie.austrianopencloudcommunity.org:443 \
145+
--commit_sha="${{ steps.get-commit-sha.outputs.commit-sha }}" \
146+
--experiment_name=redis-attack \
147+
--suite=sovereign-soc \
148+
--use_local_cluster \
149+
--export_backend=parquet-gcs \
150+
--gcs_bucket=k8sstormcenter-soc-perf \
151+
--container_repo=ghcr.io/k8sstormcenter \
152+
--prom_recorder_override 'clickhouse-operator=:k8ss-forensic' \
153+
--tags "${{ inputs.tags }}"
154+
155+
- name: Tailscale logout
156+
if: always()
157+
run: tailscale logout || true

0 commit comments

Comments
 (0)