Remove calls to STS

Author: xdu31

tests/assets/eks-pod-identity/pod-default.yaml

@@ -81,32 +81,10 @@ spec:
           sleep "$SLEEP_TIME"
         done
 
-        PIA_ROLE_PREFIX=$CLUSTER_NAME-pia-role
-        STS_MAX_RETRIES=5
-        STS_RETRY_DELAY=1
-        STS_SUCCESS=0
-
-        # call sts to check on associated role
-        for ((j=1; j<=STS_MAX_RETRIES; j++)); do
-          ARN=$(aws sts get-caller-identity --query Arn --output text 2>/dev/null)
-          if [[ $? -eq 0 && -n "$ARN" ]]; then
-            if [[ "$ARN" == *"$PIA_ROLE_PREFIX"* ]]; then
-              echo "ARN contains role name prefix '$PIA_ROLE_PREFIX': $ARN"
-              STS_SUCCESS=1
-              break
-            else
-              echo "ARN does not contain expected role name prefix '$PIA_ROLE_PREFIX': $ARN"
-              exit 1
-            fi
-          fi
-          echo "Attempt $i failed to get caller identity. Retrying in $STS_RETRY_DELAY seconds..."
-          sleep $STS_RETRY_DELAY
-        done
-
-        if [[ $STS_SUCCESS -ne 1 ]]; then
-          echo "Failed to retrieve matching caller identity after $STS_MAX_RETRIES attempts."
-          exit 1
-        fi
+        # it is noted that a Pod with host network will fallback to Node role permissions that includes this s3 access
+        # however, in our test case, we are not using host network
+        # https://github.com/awslabs/kubernetes-iteration-toolkit/blob/main/tests/assets/eks_node_role.json
+        # the main reason we are not doing an STS get identity verification is about the quota of STS APIs with scale tests
 
         # s3 api call
         while ! aws s3 ls; do

tests/tekton-resources/pipelines/eks/awscli-cl2-load-with-addons-slos.yaml

@@ -97,9 +97,9 @@ spec:
     description: "default metric period"
     default: "300"
   - name: timeout-pia-pod-creation
-    default: "20m"
+    default: "80s"
   - name: timeout-pia-pod-startup
-    default: "5m"
+    default: "60s"
   - name: launch-template-ami
     default: ""
     description: "Launch template ImageId value, which may be an AMI ID or resolve:ssm reference. By default resolve to the lates AL2023 ami for cluster version"

tests/tekton-resources/tasks/generators/clusterloader/load-pod-identity.yaml

@@ -228,14 +228,14 @@ spec:
         --start-time "$START_TIME" \
         --end-time "$END_TIME" \
         --period "$PERIOD" \
-        --extended-statistics p50 p90 p99 \
+        --extended-statistics p50 p99 p99.95 \
         --output json)
 
-      # extract p50 p90 p99 of credential fetching
+      # extract p50 p99 p99.95 of credential fetching
       latest=$(echo "$response" | jq -r '.Datapoints | sort_by(.Timestamp) | last')
       p50=$(echo "$latest" | jq -r '."ExtendedStatistics"."p50" // "N/A"')
-      p90=$(echo "$latest" | jq -r '."ExtendedStatistics"."p90" // "N/A"')
       p99=$(echo "$latest" | jq -r '."ExtendedStatistics"."p99" // "N/A"')
+      p9995=$(echo "$latest" | jq -r '."ExtendedStatistics"."p99.95" // "N/A"')
 
       response=$(aws cloudwatch get-metric-statistics \
         --region "$REGION" \
@@ -259,22 +259,22 @@ spec:
         "total_samples": $total_samples,
         "rate": $rate,
         "p50": $p50,
-        "p90": $p90,
-        "p99": $p99
+        "p99": $p99,
+        "p99.95": $p9995
       }
       EOF
 
       # we expect to see all files from loadtest that clusterloader2 outputs here in this dir
       ls -larth
       aws s3 cp . s3://$S3_RESULT_PATH/  --recursive
 
-      # if p99 is equal to or more than 2 seconds, exit with failure
-      int_p99=$(echo "$p99" | awk '{printf "%d", $1}')
-      if [ "$int_p99" -lt 2 ]; then
-        echo "p99 is less than 2"
+      # if p99.95 is equal to or more than 1 second, exit with failure
+      int_p9995=$(echo "$p9995" | awk '{printf "%d", $1}')
+      if [ "$int_p9995" -lt 1 ]; then
+        echo "p99.95 is less than 1 second"
         echo "1" | tee $(results.datapoint.path)
       else
-        echo "p99 is 2 or more"
+        echo "p99.95 is 1 second or more"
         echo "0" | tee $(results.datapoint.path)
         exit 1
       fi