Add pod identity credential integration test #450
Conversation
| @@ -145,11 +145,30 @@ func validateMetricsAvailability(dims string, expected []string, actual map[stri | |||
| func compareMetrics(expected []string, actual map[string][][]types.Dimension) bool { | |||
| if len(expected) != len(actual) { | |||
| log.Printf("the count of fetched metrics do not match with expected count: expected-%v, actual-%v\n", len(expected), len(actual)) | |||
|
|
|||
| expectedSet := make(map[string]struct{}) | |||
There was a problem hiding this comment.
This is added for debugging purpose and I think would be nice to keep. Currently if a metric_value_benchmark test fail for EKS scenario, it just tells us what tests failed but not about which metrics were missing according to the expected output.
| @@ -31,7 +32,9 @@ type EKSDaemonTestRunner struct { | |||
|
|
|||
| func (e *EKSDaemonTestRunner) Validate() status.TestGroupResult { | |||
| var testResults []status.TestResult | |||
| testResults = append(testResults, metric.ValidateMetrics(e.env, "", eks_resources.GetExpectedDimsToMetrics(e.env))...) | |||
| if e.env.EksDeploymentStrategy != eksdeploymenttype.PODIDENTITY { | |||
There was a problem hiding this comment.
For more context, Container Insights provides different set of metrics based on what's present on the cluster. When testing Pod Identity I see a different set of metrics from this list:
So instead of creating a new set of expected metrics list that can be hundreds of lines long, this solution is simpler since we are just looking for a sanity check to see if some metrics are present which means the credential is working
There was a problem hiding this comment.
For more context, Container Insights provides different set of metrics based on what's present on the cluster. When testing Pod Identity I see a different set of metrics from this list:
Is that a problem? What is the diff?
There was a problem hiding this comment.
Not a problem, CI only shows certain metrics under certain situations. For example some error metrics are only shown when the failure case occur for pods. iirc for pod identity I saw additional API server related metrics being there, I'm guessing it's because of API interactions from pod identity addon.
| REPLICA EKSDeploymentType = "REPLICA" | ||
| SIDECAR EKSDeploymentType = "SIDECAR" | ||
| STATEFUL EKSDeploymentType = "STATEFUL" | ||
| PODIDENTITY EKSDeploymentType = "PODIDENTITY" |
There was a problem hiding this comment.
Seems kinda interesting to put PodIdentity here...it's not necessarily a deployment type but a credential provider. Technically we can have podidentity enabled with any of these deployment options right?
There was a problem hiding this comment.
Correct. I added here just as an easy way to have a different way of running EKS tests with basics without adding another variable in the class which felt redundant.
| // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
| // SPDX-License-Identifier: MIT | ||
|
|
||
| module "common" { |
There was a problem hiding this comment.
just curious -- is there a way we can re-use existing terraform modules from our other eks tests? So that we aren't adding all this terraform code for every new eks test we add
There was a problem hiding this comment.
I think should be possible but probably need to refactor some code. Don't think we should do it in this PR since that adds additional code that's not necessarily related to the goal of this PR.
| type = "ingress" | ||
| } | ||
|
|
||
| resource "null_resource" "clone_helm_chart" { |
There was a problem hiding this comment.
Is there a reason we are using helm over the eks addon?
Wondering what it is this integ test is testing -- I would assume we would want to install the addon + pod identity enabled + the release artifact of the agent = verify functionality works / calls to cw work
There was a problem hiding this comment.
I used helm chart for easier testing. For example, I can check out a new branch from helm chart repo with custom changes, then run terraform on my local with the said changes. Using add-on have the same effect but will be harder to test custom changes.
|
|
||
| provisioner "local-exec" { | ||
| command = <<-EOT | ||
| echo "Validating CloudWatch Agent and FluentBit with pod identity credential" |
There was a problem hiding this comment.
technically...we are testing against cloudwatch agent, not fluentbit. Or are we pulling the latest fluentbit version in this test?
And if we are...I don't think we should block our agent release if fluentbit fails.
There was a problem hiding this comment.
Fixed in new commit
| @@ -31,7 +32,9 @@ type EKSDaemonTestRunner struct { | |||
|
|
|||
| func (e *EKSDaemonTestRunner) Validate() status.TestGroupResult { | |||
| var testResults []status.TestResult | |||
| testResults = append(testResults, metric.ValidateMetrics(e.env, "", eks_resources.GetExpectedDimsToMetrics(e.env))...) | |||
| if e.env.EksDeploymentStrategy != eksdeploymenttype.PODIDENTITY { | |||
There was a problem hiding this comment.
For more context, Container Insights provides different set of metrics based on what's present on the cluster. When testing Pod Identity I see a different set of metrics from this list:
Is that a problem? What is the diff?
Description of the issue
Pod identity credential support is added to CloudWatch Agent and FluentBit, however we lack integration test.
Description of changes
License
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Tests