test : create large ca-bundle configmap in che installation namespace before running load tests

rohanKanojia · rohanKanojia · commit ea6fb5512acc · 2025-12-17T16:57:12.000+05:30
Signed-off-by: Rohan Kumar &lt;rohaan@redhat.com&gt;
diff --git a/test/load/provision-che-large-cert-bundle.sh b/test/load/provision-che-large-cert-bundle.sh
@@ -0,0 +1,168 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# -------------------------------------------------------------------
+# Configuration
+# -------------------------------------------------------------------
+CHE_NAMESPACE="eclipse-che"
+DW_NAMESPACE="kubeadmin-che"
+DW_NAME="code-latest"
+
+CERT_COUNT=500                 
+BUNDLE_FILE="custom-ca-certificates.pem"
+
+# -------------------------------------------------------------------
+# Logging helpers
+# -------------------------------------------------------------------
+log_info()    { echo -e "ℹ️  $*"; }
+log_success() { echo -e "✅ $*"; }
+log_error()   { echo -e "❌ $*" >&2; }
+
+# -------------------------------------------------------------------
+# Preconditions
+# -------------------------------------------------------------------
+log_info "Checking namespaces..."
+kubectl get ns "${CHE_NAMESPACE}" >/dev/null
+kubectl get ns "${DW_NAMESPACE}" >/dev/null
+
+# -------------------------------------------------------------------
+# Generate dummy certificates (~1MB bundle)
+# -------------------------------------------------------------------
+log_info "Generating ${CERT_COUNT} dummy CA certificates..."
+rm -f "${BUNDLE_FILE}"
+
+for i in $(seq 1 "${CERT_COUNT}"); do
+  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
+    -subj "/CN=dummy-ca-${i}" \
+    -keyout "dummy-ca-${i}.key" \
+    -out "dummy-ca-${i}.pem" \
+    >/dev/null 2>&1
+
+  cat "dummy-ca-${i}.pem" >> "${BUNDLE_FILE}"
+done
+
+BUNDLE_SIZE=$(stat -c%s "${BUNDLE_FILE}")
+log_success "Created CA bundle: $(du -h ${BUNDLE_FILE} | cut -f1)"
+
+# -------------------------------------------------------------------
+# Create / update Che CA bundle ConfigMap
+# -------------------------------------------------------------------
+log_info "Creating Che CA bundle ConfigMap..."
+
+kubectl create configmap custom-ca-certificates \
+  --from-file=custom-ca-certificates.pem="${BUNDLE_FILE}" \
+  -n "${CHE_NAMESPACE}" \
+  --dry-run=client -o yaml \
+| kubectl apply --server-side -f -
+
+
+kubectl label configmap custom-ca-certificates \
+  app.kubernetes.io/component=ca-bundle \
+  app.kubernetes.io/part-of=che.eclipse.org \
+  -n "${CHE_NAMESPACE}" \
+  --overwrite
+
+# -------------------------------------------------------------------
+# Configure CheCluster (disable /etc/pki mount)
+# -------------------------------------------------------------------
+log_info "Configuring CheCluster..."
+
+CHECLUSTER_NAME=$(kubectl get checluster -n "${CHE_NAMESPACE}" -o jsonpath='{.items[0].metadata.name}')
+
+kubectl patch checluster "${CHECLUSTER_NAME}" \
+  -n "${CHE_NAMESPACE}" \
+  --type=merge \
+  -p '{
+    "spec": {
+      "devEnvironments": {
+        "trustedCerts": {
+          "disableWorkspaceCaBundleMount": true
+        }
+      }
+    }
+  }'
+
+# -------------------------------------------------------------------
+# Restart Che to apply configuration
+# -------------------------------------------------------------------
+log_info "Restarting Che..."
+kubectl rollout status deploy/che -n "${CHE_NAMESPACE}" --timeout=5m
+kubectl wait pod -n "${CHE_NAMESPACE}" -l app=che --for=condition=Ready --timeout=5m
+
+log_success "Che restarted with updated CA settings"
+
+# -------------------------------------------------------------------
+# Create DevWorkspace
+# -------------------------------------------------------------------
+log_info "Creating DevWorkspace '${DW_NAME}'..."
+curl -sL https://gist.githubusercontent.com/rohanKanojia/f755717e3fac6a1f45921c3c2883c6d2/raw/1a256c6f7b9d6dcd8650135ecc492d9f08010a80/che-owned-code-latest.yaml \
+  | sed "s/name: code-latest/name: ${DW_NAME}/" \
+  | kubectl apply -n "${DW_NAMESPACE}" -f -
+
+# -------------------------------------------------------------------
+# Wait for DevWorkspace
+# -------------------------------------------------------------------
+log_info "Waiting for DevWorkspace to be Ready..."
+kubectl wait devworkspace/"${DW_NAME}" \
+  -n "${DW_NAMESPACE}" \
+  --for=condition=Ready \
+  --timeout=5m
+
+# -------------------------------------------------------------------
+# Wait for workspace pod
+# -------------------------------------------------------------------
+log_info "Waiting for workspace pod..."
+kubectl wait pod \
+  -n "${DW_NAMESPACE}" \
+  -l controller.devfile.io/devworkspace_name="${DW_NAME}" \
+  --for=condition=Ready \
+  --timeout=5m
+
+POD_NAME=$(kubectl get pod \
+  -n "${DW_NAMESPACE}" \
+  -l controller.devfile.io/devworkspace_name="${DW_NAME}" \
+  -o jsonpath='{.items[0].metadata.name}')
+
+log_success "Workspace pod '${POD_NAME}' is Ready"
+
+# -------------------------------------------------------------------
+# Verify CA bundle certificate count
+# -------------------------------------------------------------------
+log_info "Verifying CA bundle certificate count inside workspace..."
+
+CERT_PATH_PUBLIC="/public-certs/tls-ca-bundle.pem"
+
+if ! kubectl exec "${POD_NAME}" -n "${DW_NAMESPACE}" -- test -f "${CERT_PATH_PUBLIC}"; then
+  log_error "CA bundle not found at ${CERT_PATH_PUBLIC}"
+  exit 1
+fi
+
+MOUNTED_CERT_COUNT=$(kubectl exec "${POD_NAME}" -n "${DW_NAMESPACE}" -- \
+  sh -c "grep -c 'BEGIN CERTIFICATE' ${CERT_PATH_PUBLIC}")
+
+log_info "Generated certificates : ${CERT_COUNT}"
+log_info "Mounted certificates   : ${MOUNTED_CERT_COUNT}"
+
+if [ "${MOUNTED_CERT_COUNT}" -gt "${CERT_COUNT}" ]; then
+  log_success "Mounted certificate count is greater than generated count ✅"
+else
+  log_error "Mounted certificate count is NOT greater than generated count ❌"
+  exit 1
+fi
+
+
+# -------------------------------------------------------------------
+# Debug: mounted volumes
+# -------------------------------------------------------------------
+log_info "Mounted volumes:"
+kubectl get pod "${POD_NAME}" \
+  -n "${DW_NAMESPACE}" \
+  -o jsonpath='{.spec.volumes[*].name}'
+
+# -------------------------------------------------------------------
+# Done
+# -------------------------------------------------------------------
+kubectl delete dw ${DW_NAME} ${DW_NAMESPACE}
+rm *.pem
+rm *.key
+log_success "END-TO-END verification complete (1MB CA bundle) 🎉"
diff --git a/test/load/provision-che-workspace-namespace.sh b/test/load/provision-che-workspace-namespace.sh
@@ -0,0 +1,71 @@
+provision_che_workspace_namespace() {
+  local LOAD_TEST_NAMESPACE="$1"
+
+  ########################################
+  # Config (override via env if needed)
+  ########################################
+  local CHE_NAMESPACE="${CHE_NAMESPACE:-che}"
+  local CHE_CLUSTER_NAME="${CHE_CLUSTER_NAME:-che}"
+
+  ########################################
+  # Validation
+  ########################################
+  if [[ -z "${LOAD_TEST_NAMESPACE}" ]]; then
+    echo "ERROR: LOAD_TEST_NAMESPACE argument is required"
+    echo "Usage: provision_che_workspace_namespace <namespace>"
+    return 1
+  fi
+
+  if ! command -v oc >/dev/null 2>&1; then
+    echo "ERROR: oc CLI not found"
+    return 1
+  fi
+
+  ########################################
+  # Get OpenShift username
+  ########################################
+  local USERNAME
+  USERNAME="$(oc whoami)"
+
+  echo "Provisioning Che workspace namespace"
+  echo "  User      : ${USERNAME}"
+  echo "  Namespace : ${LOAD_TEST_NAMESPACE}"
+
+  ########################################
+  # Disable auto-provisioning (idempotent)
+  ########################################
+  oc patch checluster "${CHE_CLUSTER_NAME}" \
+    -n "${CHE_NAMESPACE}" \
+    --type=merge \
+    -p '{
+      "spec": {
+        "devEnvironments": {
+          "defaultNamespace": {
+            "autoProvision": false
+          }
+        }
+      }
+    }' >/dev/null
+
+  ########################################
+  # Create namespace with labels/annotations
+  ########################################
+  cat <<EOF | oc apply -f -
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ${LOAD_TEST_NAMESPACE}
+  labels:
+    app.kubernetes.io/part-of: che.eclipse.org
+    app.kubernetes.io/component: workspaces-namespace
+  annotations:
+    che.eclipse.org/username: ${USERNAME}
+EOF
+
+  ########################################
+  # Verification (best-effort)
+  ########################################
+  oc get namespace "${LOAD_TEST_NAMESPACE}" >/dev/null
+
+  echo "✔ Namespace '${LOAD_TEST_NAMESPACE}' provisioned for user '${USERNAME}'"
+}
diff --git a/test/load/runk6.sh b/test/load/runk6.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
-#!/bin/bash
+source ./provision_che_workspace_namespace.sh
+
 
 MODE="binary"  # or 'operator'
 LOAD_TEST_NAMESPACE="loadtest-devworkspaces"
@@ -19,6 +20,7 @@ SEPARATE_NAMESPACES="false"
 DELETE_DEVWORKSPACE_AFTER_READY="true"
 MAX_DEVWORKSPACES="-1"
 CREATE_AUTOMOUNT_RESOURCES="false"
+RUN_WITH_ECLIPSE_CHE="false"
 LOGS_DIR="logs"
 TEST_DURATION_IN_MINUTES="25"
 MIN_KUBECTL_VERSION="1.24.0"
@@ -29,7 +31,12 @@ MIN_K6_VERSION="1.1.0"
 main() {
   parse_arguments "$@"
   check_prerequisites
-  create_namespace
+  if [[ "$RUN_WITH_ECLIPSE_CHE" == "false" ]]; then
+    create_namespace
+  else
+    provision_che_workspace_namespace "$LOAD_TEST_NAMESPACE"
+    source ./provision-che-large-cert-bundle.sh
+  fi
   create_rbac
   start_background_watchers
 
@@ -97,6 +104,8 @@ parse_arguments() {
         LOGS_DIR="$2"; shift 2;;
       --test-duration-minutes)
         TEST_DURATION_IN_MINUTES="$2"; shift 2;;
+      --run-with-eclipse-che)
+        RUN_WITH_ECLIPSE_CHE="$2"; shift 2;;
       -h|--help)
         print_help; exit 0;;
       *)
