From 26d2e67fe71918bb7e607a228d79026a3e95274c Mon Sep 17 00:00:00 2001
From: Moritz Eckert
Date: Fri, 29 Dec 2023 13:41:58 +0100
Subject: [PATCH] add EKS to benchmark Readme
---
.github/actions/e2e_benchmark/README.md | 84 ++++++++++++++++++-
.../aws-ebs-csi-driver-trust-policy.json | 18 ++++
2 files changed, 101 insertions(+), 1 deletion(-)
create mode 100644 .github/actions/e2e_benchmark/aws-ebs-csi-driver-trust-policy.json
diff --git a/.github/actions/e2e_benchmark/README.md b/.github/actions/e2e_benchmark/README.md
index 1a65b5334..406b95fbd 100644
--- a/.github/actions/e2e_benchmark/README.md
+++ b/.github/actions/e2e_benchmark/README.md
@@ -175,6 +175,88 @@ S3_PATH=s3://edgeless-artifact-store/constellation/benchmarks/ aws s3 cp benchmarks/GKE.json ${S3_PATH}/GKE.json ``` +### EKS + +Create an EKS cluster of desired benchmarking settings (region, instance types). If comparing against Constellation clusters with CVM instances, make sure to select the matching instance type on EKS. +For example ([AWS documentation](https://repost.aws/de/knowledge-center/eks-persistent-storage)): + +```bash +account_id=`aws sts get-caller-identity --query Account --output text` +region="us-east-2" +# create cluster +eksctl create cluster --name benchmark --region $region --version 1.27 --node-type m6a.xlarge --node-volume-type gp3 --node-volume-size 30 --nodes 2 +# https://repost.aws/de/knowledge-center/eks-persistent-storage +eksctl utils associate-iam-oidc-provider --region=$region --cluster=benchmark --approve +oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5) +sed "s/OIDCID/$oidc_id/g; s/ACCOUNTID/$account_id/g; s/REGION/$region/g" aws-ebs-csi-driver-trust-policy.json > trust-policy.json +aws iam update-assume-role-policy --role-name AmazonEKS_EBS_CSI_Driver_Benchmark --policy-document file://"trust-policy.json" +aws eks create-addon \ + --cluster-name benchmark \ + --addon-name aws-ebs-csi-driver \ + --service-account-role-arn arn:aws:iam::$account_id:role/AmazonEKS_EBS_CSI_Driver_Benchmark +``` + +Once the cluster is ready, set up managing access via `kubectl` and take the benchmark: +```bash +# Setup knb`` +git clone https://github.com/InfraBuilder/k8s-bench-suite.git +cd k8s-bench-suite +install knb /usr/local/bin +cd .. 
+ +# Setup kubestr +case "$(go env GOOS)" in "darwin") HOSTOS="MacOS";; *) HOSTOS="$(go env GOOS)";; esac +HOSTARCH="$(go env GOARCH)" +KUBESTR_VER=0.4.37 +curl -fsSLO https://github.com/kastenhq/kubestr/releases/download/v${KUBESTR_VER}/kubestr_${KUBESTR_VER}_${HOSTOS}_${HOSTARCH}.tar.gz +tar -xzf kubestr_${KUBESTR_VER}_${HOSTOS}_${HOSTARCH}.tar.gz +install kubestr /usr/local/bin + +# Clone Constellation +git clone https://github.com/edgelesssys/constellation.git + +# Create StorageClass +cat < +aws s3 cp benchmarks/EKS.json ${S3_PATH}/EKS.json +``` + ### Constellation The action updates the stored Constellation records for the selected cloud provider when running on the main branch. @@ -183,7 +265,7 @@ The action also contains the code to draw graphs as used in the [Constellation d The graphs compare the performance of Constellation to the performance of managed Kubernetes clusters. It expects the results of `[AKS.json, GKE.json, constellation-azure.json, constellation-gcp.json]` to be present in the `BDIR` folder. -Graphs can thne be created from using the `graphs.py` script: +Graphs can then be created using the `graphs.py` script: ```bash BDIR=benchmarks diff --git a/.github/actions/e2e_benchmark/aws-ebs-csi-driver-trust-policy.json b/.github/actions/e2e_benchmark/aws-ebs-csi-driver-trust-policy.json new file mode 100644 index 000000000..43e87a7ac --- /dev/null +++ b/.github/actions/e2e_benchmark/aws-ebs-csi-driver-trust-policy.json @@ -0,0 +1,18 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::ACCOUNTID:oidc-provider/oidc.eks.REGION.amazonaws.com/id/OIDCID" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks.REGION.amazonaws.com/id/OIDCID:aud": "sts.amazonaws.com", + "oidc.eks.REGION.amazonaws.com/id/OIDCID:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa" + } + } + } + ] +}
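Review bot: The template's bare placeholders (`ACCOUNTID`, `REGION`, `OIDCID`) appear in both the `Federated` ARN and the two `StringEquals` condition keys, and nothing checks that the rendered `trust-policy.json` is complete before it is applied with `aws iam update-assume-role-policy`. The README snippet in this same patch fills `oidc_id` from `aws eks describe-cluster --name $cluster_name`, but `cluster_name` is never set there (the cluster is created as `benchmark`), so as written the lookup would presumably fail and `sed` would render an empty provider id into the principal and the condition keys. I would change the lookup to `aws eks describe-cluster --name benchmark --region $region ...` and add a guard before the `sed` line that stops when `oidc_id` is empty, plus a quick check that no placeholder token is left in the rendered file. Pinning both `:aud` and `:sub` with `StringEquals` is the right scope for this role and should be kept as-is when the template is edited.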