chore(performance): use sealed secrets in k8s (#1811)

dagfinno · web-flow · commit 9aa86f95de4d · 2025-02-06T07:24:25.000+01:00
## Description Use sealed secrets in k8s instead of sending user/passwd in to the k6 archive command (cleartext). Also fix use of hardcoded env-variables for api-version and environment ## Related Issue(s) - #1810 ## Verification - [ ] **Your** code builds clean without any errors or warnings - [ ] Manual testing done (required) - [ ] Relevant automated test added (if you find this hard, leave it and we'll help out) ## Documentation - [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable)
diff --git a/.github/workflows/dispatch-k6-breakpoint.yml b/.github/workflows/dispatch-k6-breakpoint.yml
@@ -58,8 +58,6 @@ jobs:
     name: "Run K6 performance test"
     uses: ./.github/workflows/workflow-run-k6-performance.yml
     secrets:
-      TOKEN_GENERATOR_USERNAME: ${{ secrets.TOKEN_GENERATOR_USERNAME }}
-      TOKEN_GENERATOR_PASSWORD: ${{ secrets.TOKEN_GENERATOR_PASSWORD }}
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
     with:
diff --git a/.github/workflows/dispatch-k6-performance.yml b/.github/workflows/dispatch-k6-performance.yml
@@ -55,8 +55,6 @@ jobs:
     name: "Run K6 performance test"
     uses: ./.github/workflows/workflow-run-k6-performance.yml
     secrets:
-      TOKEN_GENERATOR_USERNAME: ${{ secrets.TOKEN_GENERATOR_USERNAME }}
-      TOKEN_GENERATOR_PASSWORD: ${{ secrets.TOKEN_GENERATOR_PASSWORD }}
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
     with:
diff --git a/.github/workflows/workflow-run-k6-performance.yml b/.github/workflows/workflow-run-k6-performance.yml
@@ -28,10 +28,6 @@ on:
         required: true
         type: boolean
     secrets:
-      TOKEN_GENERATOR_USERNAME:
-        required: true
-      TOKEN_GENERATOR_PASSWORD:
-        required: true
       AZURE_CLIENT_ID:
         required: true
       AZURE_TENANT_ID:
@@ -81,5 +77,3 @@ jobs:
       env:
         API_ENVIRONMENT: ${{ inputs.environment }}
         API_VERSION: ${{ inputs.apiVersion }}
-        TOKEN_GENERATOR_USERNAME: ${{ secrets.TOKEN_GENERATOR_USERNAME }}
-        TOKEN_GENERATOR_PASSWORD: ${{ secrets.TOKEN_GENERATOR_PASSWORD }}
diff --git a/tests/k6/tests/scripts/run-test-in-k8s.sh b/tests/k6/tests/scripts/run-test-in-k8s.sh
@@ -1,17 +1,10 @@
 #!/bin/bash
 
-tokengenuser=${TOKEN_GENERATOR_USERNAME}
-tokengenpasswd=${TOKEN_GENERATOR_PASSWORD}
+API_VERSION=${API_VERSION:-v1}
+API_ENVIRONMENT=${API_ENVIRONMENT:-yt01}
 failed=0
-
 kubectl config set-context --current --namespace=dialogporten
 
-# Validate required environment variables
-if [ -z "$TOKEN_GENERATOR_USERNAME" ] || [ -z "$TOKEN_GENERATOR_PASSWORD" ]; then
-    echo "Error: TOKEN_GENERATOR_USERNAME and TOKEN_GENERATOR_PASSWORD must be set"
-    exit 1
-fi
-
 help() {
     echo "Usage: $0 [OPTIONS]"
     echo "Options:"
@@ -126,7 +119,10 @@ if $breakpoint; then
 fi
 # Create the k6 archive
 
-if ! k6 archive $filename -e API_VERSION=v1 -e API_ENVIRONMENT=yt01 -e TOKEN_GENERATOR_USERNAME=$tokengenuser -e TOKEN_GENERATOR_PASSWORD=$tokengenpasswd -e TESTID=$testid $archive_args; then
+if ! k6 archive $filename \
+     -e API_VERSION="$API_VERSION" \
+     -e API_ENVIRONMENT="$API_ENVIRONMENT" \
+     -e TESTID=$testid $archive_args; then
     echo "Error: Failed to create k6 archive"
     exit 1
 fi
@@ -162,6 +158,9 @@ spec:
         value: "http://kube-prometheus-stack-prometheus.monitoring:9090/api/v1/write"
       - name: K6_PROMETHEUS_RW_TREND_STATS
         value: "avg,min,med,max,p(95),p(99),p(99.5),p(99.9),count"
+    envFrom:
+    - secretRef:
+        name: "token-generator-creds"
     metadata:
       labels:
         k6-test: $name
