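#!/usr/bin/env bash
#
# Measures how long cert-manager takes to set up 10 CA issuers (all backed by
# one throwaway self-signed root) and issue 50 certificates from each of them.
#
# Requires: openssl, kubectl (pointed at a cluster running cert-manager), jq.
# Creates:  ./performancetest/ (root CA key/cert and generated manifests) and
#           the "performancetest" namespace in the current kubectl context.
#
# Cleanup:  the unencrypted root CA private key stays in ./performancetest/
#           and in every ca-N secret after the run. Remove both when done:
#             kubectl delete ns performancetest && rm -rf performancetest

# pipefail matters for the wait loop below: without it a failed `kubectl get`
# feeds jq an empty stream, the count comes back empty, and an empty string
# compares equal to 0, so the loop would report "all ready" on an API error.
set -euo pipefail

# Everything written below includes a CA private key; keep it owner-only.
umask 077

# Issuers are named ca-0 .. ca-(issuer_count-1); certificates are named
# cert-<issuer>-0 .. cert-<issuer>-(certs_per_issuer-1).
readonly issuer_count=10
readonly certs_per_issuer=50
readonly expected_certs=$((issuer_count * certs_per_issuer))

# Uncomment to patch cert-manager to add certificate owner refs to secrets for easier resource cleanup
# kubectl patch deployment cert-manager \
#   -ncert-manager \
#   --type='json' \
#   -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--enable-certificate-owner-ref"}]'

# Uncomment to patch cert-manager to enable profiling
# kubectl patch deployment cert-manager \
#   -ncert-manager \
#   --type='json' \
#   -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--enable-profiling"}]'

rm -rf performancetest
mkdir -p performancetest

# Throwaway root CA for the test. -nodes leaves the private key unencrypted
# on disk, which is why the umask above is tightened. Do not reuse this key.
openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 \
  -keyout performancetest/rootCA.key \
  -out performancetest/rootCA.crt \
  -nodes -subj "/C=UK/CN=foo.com"

# Fails (and aborts the script under -e) if the namespace already exists, so
# the certificate count in the wait loop only ever covers this run.
kubectl create ns performancetest

# Every issuer gets its own secret, but all of them hold the same key pair.
for ((i = 0; i < issuer_count; i++)); do
  kubectl create -n performancetest secret tls "ca-${i}" \
    --cert=performancetest/rootCA.crt \
    --key=performancetest/rootCA.key
done

# for ((i = 0; i < issuer_count; i++)); do
#   kubectl label -n performancetest secret "ca-${i}" \
#     cert-manager-secret="true"
# done

# Start counting time
start=$(date +"%s")
startTime=$(date +"%T")

# Create the CA issuers
for ((i = 0; i < issuer_count; i++)); do
  cat > "performancetest/ca-issuer-${i}.yaml" << EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-${i}
  namespace: performancetest
spec:
  ca:
    secretName: ca-${i}
EOF
done

# For each CA issuer, create the certs
for ((i = 0; i < issuer_count; i++)); do
  for ((j = 0; j < certs_per_issuer; j++)); do
    cat > "performancetest/cert-${i}-${j}.yaml" << EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-${i}-${j}
  namespace: performancetest
spec:
  secretName: cert-${i}-${j}
  dnsNames:
  - test-${i}-${j}.foo.com
  issuerRef:
    name: ca-${i}
EOF
  done
done

kubectl apply -f performancetest/

echo "Waiting for all certificates to become ready..."
while true; do
  # One snapshot per iteration so the three counts below describe the same
  # state of the cluster.
  certs_json=$(kubectl get cert -ojson -n performancetest)

  no_status=$(jq '[.items[] | select( .status == null )] | length' <<< "$certs_json")
  if [[ "$no_status" -gt 0 ]]; then
    echo "${no_status} certificates don't have status applied yet, waiting..."
    sleep 1
    continue
  fi

  no_conditions=$(jq '[.items[].status | select( .conditions == null )] | length' <<< "$certs_json")
  if [[ "$no_conditions" -gt 0 ]]; then
    echo "${no_conditions} certificates don't have conditions applied yet, waiting..."
    sleep 1
    continue
  fi

  # Count certificates that positively report Ready=True. Counting Ready=False
  # instead would treat a certificate that has conditions but no Ready
  # condition yet as finished and stop the clock early.
  ready=$(jq '[.items[] | select(any(.status.conditions[]?; .type == "Ready" and .status == "True"))] | length' <<< "$certs_json")
  if [[ "$ready" -ge "$expected_certs" ]]; then
    echo "all ready"
    break
  fi

  echo "$((expected_certs - ready)) of ${expected_certs} certs are not Ready yet"
  sleep 1
done

echo "Script started running at ${startTime}"
end=$(date +"%s")
echo "start: ${start} end: ${end}"
runtime=$((end - start))
echo "runtime is ${runtime} seconds"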