@irbekrm
Last active January 3, 2023 18:43
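#!/usr/bin/env bash
# Measures how long cert-manager takes to reconcile 10 CA issuers and
# 50 certificates per issuer in the "performancetest" namespace.
#
# Requires: kubectl (pointed at a disposable test cluster with cert-manager
# installed), openssl, jq.
#
# pipefail matters for the wait loop below: without it a failed
# `kubectl get` feeds jq nothing, the count comes back empty, and an empty
# string compares equal to 0 in [[ ]], so the script could report
# "all ready" on an API error.
set -euo pipefail

readonly issuer_count=10
readonly certs_per_issuer=50

# Uncomment to patch cert-manager to add certificate owner refs to secrets
# for easier resource cleanup. The JSON patch value must be a quoted string.
# kubectl patch deployment cert-manager \
#   -n cert-manager \
#   --type='json' \
#   -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--enable-certificate-owner-ref"}]'

# Uncomment to patch cert-manager to enable profiling. Profiling endpoints
# expose runtime internals of the controller; keep this to test clusters.
# kubectl patch deployment cert-manager \
#   -n cert-manager \
#   --type='json' \
#   -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--enable-profiling"}]'

# Start from a clean working directory. It holds an unencrypted CA private
# key (openssl -nodes), so create it readable by the current user only.
rm -rf performancetest
mkdir -m 700 performancetest

# Throwaway self-signed root used by every issuer in this test. The key is
# left on disk in performancetest/ and copied into each ca-N secret; do not
# reuse it for anything outside this benchmark.
openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 \
  -keyout performancetest/rootCA.key \
  -out performancetest/rootCA.crt \
  -nodes -subj "/C=UK/CN=foo.com"

# `kubectl create` fails if the namespace is left over from an earlier run,
# and set -e then aborts the script; delete the namespace before re-running.
kubectl create ns performancetest

# One TLS secret per issuer, all backed by the same root key pair.
# The original brace ranges {0..10} / {0..50} are inclusive and produced
# 11 issuers and 51 certificates each; the counted loops give 10 and 50.
for ((i = 0; i < issuer_count; i++)); do
  kubectl create -n performancetest secret tls "ca-${i}" \
    --cert=performancetest/rootCA.crt \
    --key=performancetest/rootCA.key
done

# for ((i = 0; i < issuer_count; i++)); do
#   kubectl label -n performancetest secret "ca-${i}" \
#     cert-manager-secret="true"
# done

# Start counting time
start=$(date +"%s")
startTime=$(date +"%T")

# Create the CA issuers (manifest indentation is significant YAML).
for ((i = 0; i < issuer_count; i++)); do
  cat <<EOF >"performancetest/ca-issuer-${i}.yaml"
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-${i}
  namespace: performancetest
spec:
  ca:
    secretName: ca-${i}
EOF
done

# For each CA issuer, create the certificates.
for ((i = 0; i < issuer_count; i++)); do
  for ((j = 0; j < certs_per_issuer; j++)); do
    cat <<EOF >"performancetest/cert-${i}-${j}.yaml"
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-${i}-${j}
  namespace: performancetest
spec:
  secretName: cert-${i}-${j}
  dnsNames:
    - test-${i}-${j}.foo.com
  issuerRef:
    name: ca-${i}
EOF
  done
done

# kubectl only picks up the .yaml manifests here; the .crt/.key files in
# the same directory are not applied.
kubectl apply -f performancetest/

echo "Waiting for all certificates to become ready..."
while true; do
  # Fetch once per iteration so all three checks see the same snapshot.
  certs_json=$(kubectl get cert -ojson -n performancetest)

  no_status=$(jq '[.items[] | select(.status == null)] | length' <<<"$certs_json")
  if [[ "$no_status" -gt 0 ]]; then
    echo "${no_status} certificates don't have status applied yet, waiting..."
    sleep 1
    continue
  fi

  no_conditions=$(jq '[.items[].status | select(.conditions == null)] | length' <<<"$certs_json")
  if [[ "$no_conditions" -gt 0 ]]; then
    echo "${no_conditions} certificates don't have conditions applied yet, waiting..."
    sleep 1
    continue
  fi

  # Count certificates that lack a Ready=True condition. Checking only for
  # Ready=False would treat a certificate that has other conditions but no
  # Ready condition yet as done and stop the clock early.
  not_ready=$(jq '[.items[] | select([.status.conditions[] | select(.type == "Ready" and .status == "True")] | length == 0)] | length' <<<"$certs_json")
  if [[ "$not_ready" -eq 0 ]]; then
    echo "all ready"
    break
  fi
  echo "$not_ready certs do not have a Ready condition set to True yet"
  sleep 1
done

end=$(date +"%s")
echo "Script started running at ${startTime}"
echo "start: ${start} end: ${end}"
runtime=$((end - start))
echo "runtime is ${runtime} seconds"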