Update loadtest infra with changes from v15 testing (#38173)

* Update loadtest infra with changes from v15 testing

- Uses the distroless-debug images
- Adds firestore support
- Updates images to v15.0.0

* fix: rename method ConfigOverride to match interface

assets/loadtest/azure/teleport_kube.tf

@@ -35,6 +35,8 @@ resource "helm_release" "teleport" {
       "level"  = "DEBUG"
     }
     "extraArgs" = ["--debug"]
+    "image" = "public.ecr.aws/gravitational/teleport-distroless-debug"
+    "enterpriseImage" = "public.ecr.aws/gravitational/teleport-ent-distroless-debug"
 
     "proxyListenerMode" = "multiplex"
 

assets/loadtest/azure/terraform.tfvars

@@ -13,5 +13,5 @@ cluster_prefix = "loadtest"
 dns_zone    = "az.teleportdemo.net"
 dns_zone_rg = "teleportdemo-dns"
 
-teleport_version = "14.0.0"
+teleport_version = "15.0.0"
 deploy_teleport  = true

assets/loadtest/cluster/aws/cluster.yaml

@@ -3,7 +3,7 @@ kind: ClusterConfig
 metadata:
   name:
   region:
-  version: "1.27"
+  version: "1.29"
 
 iam:
   withOIDC: true

assets/loadtest/cluster/gcp/main.tf

@@ -9,11 +9,6 @@ terraform {
 }
 
 
-data "google_compute_network" "default" {
-  name = var.network
-}
-
-
 #trivy:ignore:AVD-GCP-0047
 #trivy:ignore:AVD-GCP-0049
 #trivy:ignore:AVD-GCP-0051

assets/loadtest/control-plane/apply.sh

@@ -17,6 +17,8 @@ case "$TELEPORT_BACKEND" in
         ;;
     etcd)
         ;;
+    firestore)
+        ;;
     *)
         echo "invalid teleport backend '$TELEPORT_BACKEND', expected one of 'dynamo' or 'etcd'" >&2
         exit 1
@@ -39,9 +41,11 @@ log_info "installing monitoring stack..."
 
 ./monitoring/install-monitoring.sh
 
-log_info "setting up cert-manager..."
+if [[ "$TELEPORT_BACKEND" != "firestore" ]]; then
+  log_info "setting up cert-manager..."
 
-./dns/init-cert-manager.sh
+  ./dns/init-cert-manager.sh
+fi
 
 case "$TELEPORT_BACKEND" in
     dynamo)
@@ -55,6 +59,15 @@ case "$TELEPORT_BACKEND" in
         log_info "generating helm values for etcd-backed control plane..."
         ./teleport/gen-etcd-teleport.sh
         ;;
+    firestore)
+        log_info "generating helm values for firestore-backed control plane..."
+
+        kubectl create namespace teleport
+        kubectl label namespace teleport 'pod-security.kubernetes.io/enforce=baseline'
+        kubectl --namespace teleport create secret generic teleport-gcp-credentials --from-file=gcp-credentials.json="$GCP_CREDENTIALS"
+
+        ./teleport/gen-firestore-teleport.sh
+        ;;
     *)
         echo "invalid teleport backend '$TELEPORT_BACKEND', expected one of 'dynamo' or 'etcd'" >&2
         exit 1
@@ -69,9 +82,11 @@ log_info "waiting for auths to report ready..."
 
 ./teleport/wait.sh auth
 
-log_info "setting up dns record..."
+if [[ "$TELEPORT_BACKEND" != "firestore" ]]; then
+  log_info "setting up dns record..."
 
-./dns/update-record.sh UPSERT # CREATE|UPSERT|DELETE
+  ./dns/update-record.sh UPSERT # CREATE|UPSERT|DELETE
+fi
 
 log_info "waiting for proxies to report ready..."
 

assets/loadtest/control-plane/dns/init-cert-manager.sh

@@ -26,7 +26,7 @@ spec:
           - ${ROUTE53_ZONE}
       dns01:
         route53:
-          region: ${AWS_REGION}
+          region: ${REGION}
           hostedZoneID: ${ROUTE53_ZONE_ID}
 EOF
 

assets/loadtest/control-plane/dns/update-record.sh

@@ -24,7 +24,7 @@ NAMESPACE='teleport'
 RELEASE_NAME='teleport'
 MYZONE_DNS="${ROUTE53_ZONE}"
 MYDNS="${CLUSTER_NAME}.${ROUTE53_ZONE}"
-MY_CLUSTER_REGION="${AWS_REGION}"
+MY_CLUSTER_REGION="${REGION}"
 MYZONE="$(aws route53 list-hosted-zones-by-name --dns-name="${MYZONE_DNS?}" | jq -r '.HostedZones[0].Id' | sed s_/hostedzone/__)"
 MYELB="$(kubectl --namespace "${NAMESPACE?}" get "service/${RELEASE_NAME?}" -o jsonpath='{.status.loadBalancer.ingress[*].hostname}')"
 MYELB_NAME="${MYELB%%-*}"

assets/loadtest/control-plane/example-vars.env

@@ -26,7 +26,7 @@ ACCOUNT_ID="0123456789"
 GRAFANA_PASS="insecure"
 
 # sets the version of teleport to install
-TELEPORT_VERSION="14.0.0-alpha.2"
+TELEPORT_VERSION="15.0.0"
 
 # aws region to use for resources
-AWS_REGION="$(aws configure get region)"
+REGION="$(aws configure get region)"

assets/loadtest/control-plane/policies/attach-policies.sh

@@ -16,6 +16,10 @@ esac
 
 source vars.env
 
+if [[ "$TELEPORT_BACKEND" == "firestore" ]]; then
+  exit 0
+fi
+
 dynamo_policy_arn="arn:aws:iam::${ACCOUNT_ID}:policy/${CLUSTER_NAME}-dynamo"
 
 s3_policy_arn="arn:aws:iam::${ACCOUNT_ID}:policy/${CLUSTER_NAME}-s3"

assets/loadtest/control-plane/policies/create-policies.sh

@@ -4,6 +4,10 @@ set -euo pipefail
 
 source vars.env
 
+if [[ "$TELEPORT_BACKEND" == "firestore" ]]; then
+  exit 0
+fi
+
 dynamo_policy="$STATE_DIR/dynamo-iam-policy"
 
 s3_policy="$STATE_DIR/s3-iam-policy"

assets/loadtest/control-plane/policies/gen-policies.sh

@@ -38,8 +38,8 @@ cat > "$dynamo_policy" <<EOF
                 "dynamodb:UpdateContinuousBackups"
             ],
             "Resource": [
-                "arn:aws:dynamodb:${AWS_REGION}:${ACCOUNT_ID}:table/${CLUSTER_NAME}-backend",
-                "arn:aws:dynamodb:${AWS_REGION}:${ACCOUNT_ID}:table/${CLUSTER_NAME}-backend/stream/*"
+                "arn:aws:dynamodb:${REGION}:${ACCOUNT_ID}:table/${CLUSTER_NAME}-backend",
+                "arn:aws:dynamodb:${REGION}:${ACCOUNT_ID}:table/${CLUSTER_NAME}-backend/stream/*"
             ]
         },
         {
@@ -62,8 +62,8 @@ cat > "$dynamo_policy" <<EOF
                 "dynamodb:UpdateContinuousBackups"
             ],
             "Resource": [
-                "arn:aws:dynamodb:${AWS_REGION}:${ACCOUNT_ID}:table/${CLUSTER_NAME}-events",
-                "arn:aws:dynamodb:${AWS_REGION}:${ACCOUNT_ID}:table/${CLUSTER_NAME}-events/index/*"
+                "arn:aws:dynamodb:${REGION}:${ACCOUNT_ID}:table/${CLUSTER_NAME}-events",
+                "arn:aws:dynamodb:${REGION}:${ACCOUNT_ID}:table/${CLUSTER_NAME}-events/index/*"
             ]
         }
     ]

assets/loadtest/control-plane/teleport/gen-dynamo-teleport.sh

@@ -14,7 +14,7 @@ clusterName: ${CLUSTER_NAME}.${ROUTE53_ZONE}      # Name of your cluster. Use th
 teleportVersionOverride: ${TELEPORT_VERSION}
 proxyListenerMode: "multiplex"
 aws:
-  region: ${AWS_REGION}                           # AWS region
+  region: ${REGION}                           # AWS region
   backendTable: ${CLUSTER_NAME}-backend           # DynamoDB table to use for the Teleport backend
   auditLogTable: ${CLUSTER_NAME}-events           # DynamoDB table to use for the Teleport audit log (must be different to the backend table)
   auditLogMirrorOnStdout: false                   # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)

assets/loadtest/control-plane/teleport/gen-etcd-teleport.sh

@@ -14,6 +14,8 @@ clusterName: ${CLUSTER_NAME}.${ROUTE53_ZONE}      # Name of your cluster. Use th
 teleportVersionOverride: ${TELEPORT_VERSION}
 
 extraArgs: ['--debug']
+image: "public.ecr.aws/gravitational/teleport-distroless-debug"
+enterpriseImage: "public.ecr.aws/gravitational/teleport-ent-distroless-debug"
 
 persistence:
     enabled: false

assets/loadtest/control-plane/teleport/gen-firestore-teleport.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -euo pipefail
+
+source vars.env
+
+values_yaml="$STATE_DIR/teleport-values.yaml"
+
+mkdir -p "$STATE_DIR"
+
+cat > "$values_yaml" <<EOF
+chartMode: gcp
+clusterName: ${CLUSTER_NAME}.${ROUTE53_ZONE}      # Name of your cluster. Use the FQDN you intend to configure in DNS below.
+teleportVersionOverride: ${TELEPORT_VERSION}
+proxyListenerMode: "multiplex"
+gcp:
+  projectId: ${GCP_PROJECT}
+  region: ${REGION}                           # AWS region
+  backendTable: ${CLUSTER_NAME}-backend           # Firestore table to use for the Teleport backend
+  auditLogTable: ${CLUSTER_NAME}-events           # Firestore table to use for the Teleport audit log (must be different to the backend table)
+  auditLogMirrorOnStdout: false                   # Whether to mirror audit log entries to stdout in JSON format (useful for external log collectors)
+  sessionRecordingBucket: ${FIRESTORE_SESSION_BUCKET}       # Storage bucket to use for Teleport session recordings
+  backups: true                                   # Whether or not to turn on DynamoDB backups
+  dynamoAutoScaling: false                        # Whether Teleport should configure DynamoDB's autoscaling.
+highAvailability:
+  replicaCount: 2                                 # Number of replicas to configure
+  certManager:
+    enabled: false                                # No certManager because we only run simulated load tests and don't need to connect any agents
+# If you are running Kubernetes 1.23 or above, disable PodSecurityPolicies
+podSecurityPolicy:
+  enabled: false
+podMonitor:
+  enabled: true
+extraArgs:
+  - --debug
+image: "public.ecr.aws/gravitational/teleport-distroless-debug"
+enterpriseImage: "public.ecr.aws/gravitational/teleport-ent-distroless-debug"
+auth:
+  teleportConfig:
+    kubernetes_service:
+      enabled: false
+EOF

assets/loadtest/helm/node-agent/Chart.yaml

@@ -6,4 +6,4 @@ type: application
 
 version: 0.1.0
 
-appVersion: "14.0.0-alpha.2"
+appVersion: "15.0.0"

assets/loadtest/helm/node-agent/values.yaml

@@ -6,7 +6,7 @@ authServer: ""
 minReadySeconds: 0
 
 image:
-  repository: public.ecr.aws/gravitational/teleport
+  repository: public.ecr.aws/gravitational/teleport-ent-distroless-debug
   pullPolicy: IfNotPresent
   tag: ""
 

assets/loadtest/helm/soaktest/Chart.yaml

@@ -6,4 +6,4 @@ type: application
 
 version: 0.1.0
 
-appVersion: "14.0.0-alpha.2"
+appVersion: "15.0.0"

assets/loadtest/helm/soaktest/values.yaml

@@ -1,5 +1,5 @@
 image:
-  repository: public.ecr.aws/gravitational/teleport
+  repository: public.ecr.aws/gravitational/teleport-ent-distroless-debug
   pullPolicy: IfNotPresent
   tag: ""
 

assets/loadtest/helm/trusted-cluster/Chart.yaml

@@ -6,4 +6,4 @@ type: application
 
 version: 0.1.0
 
-appVersion: "14.0.0-alpha.2"
+appVersion: "15.0.0"

assets/loadtest/helm/trusted-cluster/values.yaml

@@ -1,7 +1,7 @@
 replicaCount: 1
 
 image:
-  repository: public.ecr.aws/gravitational/teleport-distroless
+  repository: public.ecr.aws/gravitational/teleport-ent-distroless-debug
   pullPolicy: IfNotPresent
   tag: ""
 

assets/loadtest/helm/values/node-agents.yaml

@@ -4,7 +4,7 @@ agentsPerPod: 15
 minReadySeconds: 30
 
 image:
-  tag: 14.0.0-alpha.2
+  tag: 15.0.0
 
 joinParams:
   method: token

assets/loadtest/helm/values/teleport.yaml

@@ -26,7 +26,7 @@ podMonitor:
   enabled: true
   interval: ""
 
-teleportVersionOverride: 13.0.0-alpha.1
+teleportVersionOverride: 15.0.0
 
 auth:
   teleportConfig:

lib/benchmark/web.go

@@ -263,7 +263,7 @@ type WebSessionBenchmark struct {
 	servers []types.Server
 }
 
-func (s *WebSessionBenchmark) Config(ctx context.Context, tc *client.TeleportClient, cfg *Config) error {
+func (s *WebSessionBenchmark) ConfigOverride(ctx context.Context, tc *client.TeleportClient, cfg *Config) error {
 	servers, err := getServers(ctx, tc)
 	if err != nil {
 		return trace.Wrap(err)