Merge pull request #10 from bcgov/dev

feat: release main

Author: jlangy

.dockerignore

@@ -6,3 +6,5 @@ terraform
 /playwright-report/
 /blob-report/
 /playwright/.cache/
+.env
+k6

.github/workflows/terraform.yml

@@ -105,6 +105,18 @@ jobs:
           TF_VAR_grafana_kc_url=${{ vars.GRAFANA_OAUTH_BASE_URL }}
           TF_VAR_grafana_kc_client_id=${{ secrets.GRAFANA_OAUTH_CLIENT_ID }}
           TF_VAR_grafana_kc_client_secret=${{ secrets.GRAFANA_OAUTH_CLIENT_SECRET }}
+
+          TF_VAR_dev_desired_tasks=1
+          TF_VAR_dev_enable_autoscale=true
+          TF_VAR_test_desired_tasks=1
+          TF_VAR_test_enable_autoscale=false
+          TF_VAR_prod_desired_tasks=1
+          TF_VAR_prod_enable_autoscale=false
+
+          TF_VAR_cpu_target_use=15
+          TF_VAR_autoscale_max_capacity=2
+          TF_VAR_autoscale_min_capacity=1
+
           EOF
 
       - name: Set production environment variables
@@ -143,10 +155,10 @@ jobs:
           TF_VAR_prod_app_url=https://otp.loginproxy.gov.bc.ca
           TF_VAR_prod_custom_domain_name=otp.loginproxy.gov.bc.ca
           TF_VAR_prod_cors_origins=https://loginproxy.gov.bc.ca
-          TF_VAR_prod_task_cpu=256
-          TF_VAR_prod_task_memory=512
-          TF_VAR_prod_task_container_cpu=256
-          TF_VAR_prod_task_container_memory=512
+          TF_VAR_prod_task_cpu=512
+          TF_VAR_prod_task_memory=1024
+          TF_VAR_prod_task_container_cpu=512
+          TF_VAR_prod_task_container_memory=1024
           TF_VAR_prod_task_container_port=3000
           TF_VAR_prod_rds_min_capacity=0.5
           TF_VAR_prod_rds_max_capacity=2
@@ -155,6 +167,18 @@ jobs:
           TF_VAR_grafana_kc_url=${{ vars.GRAFANA_OAUTH_BASE_URL }}
           TF_VAR_grafana_kc_client_id=${{ secrets.GRAFANA_OAUTH_CLIENT_ID }}
           TF_VAR_grafana_kc_client_secret=${{ secrets.GRAFANA_OAUTH_CLIENT_SECRET }}
+
+          TF_VAR_dev_desired_tasks=1
+          TF_VAR_dev_enable_autoscale=false
+          TF_VAR_test_desired_tasks=1
+          TF_VAR_test_enable_autoscale=false
+          TF_VAR_prod_desired_tasks=2
+          TF_VAR_prod_enable_autoscale=true
+
+          TF_VAR_cpu_target_use=15
+          TF_VAR_autoscale_max_capacity=4
+          TF_VAR_autoscale_min_capacity=2
+
           EOF
 
       - name: Configure AWS credentials

.tool-versions

@@ -5,3 +5,5 @@ tflint 0.43.0
 terraform 1.11.0
 python 3.13.1
 terraform-docs 0.21.0
+k6 1.4.0
+oc 4.7.5

Dockerfile

@@ -1,20 +1,32 @@
-FROM node:22.18.0-alpine
+FROM node:22.18.0-alpine as builder
 
 # install yarn
 RUN apk add --no-cache yarn
 
 # Set the working directory
 WORKDIR /app
 
-# Copy the rest of the application code
-COPY . .
-
 # Install dependencies
-RUN yarn install
+COPY package.json yarn.lock ./
+RUN yarn install --frozen-lockfile
 
-RUN yarn tailwind:build
+# Copy remaining files for build step. Note only the build dir will be copied into the runner
+COPY . .
 
-# Build the application
+# Build the app
+RUN yarn tailwind:build
 RUN yarn build
 
+# Create fresh runner image
+FROM node:22.18.0-alpine as runner
+
+WORKDIR /app
+
+# Copy only the built assets and dependency lock into a new runner image
+COPY --from=builder /app/build ./build
+COPY package.json yarn.lock ./
+
+# Only install prod dependencies
+RUN yarn install --production --frozen-lockfile
+
 ENTRYPOINT [ "yarn", "start" ]

k6/.dockerignore

@@ -0,0 +1 @@
+.env

k6/Dockerfile

@@ -0,0 +1,24 @@
+# See https://grafana.com/docs/k6/latest/results-output/real-time/timescaledb/. Need a custom build to support timescalDB.
+FROM golang:1.25 AS builder
+
+# Install xk6
+RUN go install go.k6.io/xk6/cmd/xk6@latest
+
+# Build custom k6 with the TimescaleDB output
+RUN xk6 build --with github.com/grafana/xk6-output-timescaledb
+
+# ---------- Stage 2: Runtime image ----------
+FROM debian:bookworm-slim
+
+# Install minimal dependencies (CA certificates for HTTPS, etc.)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy k6 binary from builder
+COPY --from=builder /go/k6 /usr/bin/k6
+
+COPY load-test.js /scripts/load-test.js
+
+ENTRYPOINT ["k6"]
+CMD ["run", "/scripts/load-test.js"]

k6/README.md

@@ -0,0 +1,28 @@
+# SETUP
+
+These load tests can be run against OTP. To work, the running image for the OTP server must have the env var TEST_MODE=true, this bypasses the email and sets a known code for the test to use. In dev sandbox you can use the task definition "otp-provider-test-mode" which has it set.
+
+You will also need to ensure the otp server has a client setup in the "ClientConfig" table with a client id, secret, and redirect uris you can use. The test is setup to use a confidential client.
+
+## Config
+
+You can set the following environment variables to adjust the test configuration:
+
+- **CLIENT_ID**: The client id to use in the OTP server
+- **CLIENT_SECRET**: The client secret to use in the OTP server
+- **REDIRECT_URI**: The allowed redirect uri configured for the client in the OTP server
+- **OTP_BASE_URL**: The base url of the otp server, e.g. for dev sandbox `https://dev.sandbox.otp.loginproxy.gov.bc.ca`.
+- **SCENARIO**: The scenario to use, one of `smoke` or `load`.
+
+The following environment variables are to set test tags, which help to organize them and know what configuration the OTP server was using for the test run.
+
+- **RDS_MIN_ACU**
+- **RDS_MAX_ACU**
+- **FARGATE_TASKS**
+- **FARGATE_CPU**
+- **FARGATE_MEM**
+- **TEST_ID**: The ID for the test. Follow the format `OTP:<timestamp>`, e.g. `OTP:2025-12-14T12:12:12`. This helps organize the test by range and search metrics near its timestamp.
+
+## Usage
+
+The test can be run locally for development, but is best run in openshift namespace c6af30-dev where the results can be kept in our grafana dashboard for reference and the test runner has the same settings. To run in openshift, adjust the environment variables in `job.yaml` for your desired configuration. Ensure to update the `args` field to add in the timescaleDB connection string. Then run `oc apply -f job.yaml`. To cleanup `oc delete job k6-test`.

k6/job.yaml

@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: k6-test
+spec:
+  template:
+    spec:
+      containers:
+        - name: k6-test
+          imagePullPolicy: Always
+          image: ghcr.io/bcgov/otp-provider/k6-tester:v1
+          args: ['run', '-o', 'timescaledb=<replace-me>', '/scripts/load-test.js']
+          resources:
+            limits:
+              cpu: '1'
+            requests:
+              cpu: '0.5'
+          env:
+            - name: CLIENT_ID
+              value: <replace-me>
+            - name: CLIENT_SECRET
+              value: <replace-me>
+            - name: REDIRECT_URI
+              value: <replace-me>
+            - name: OTP_BASE_URL
+              value: <replace-me>
+            - name: SCENARIO
+              value: <replace-me>
+            - name: RDS_MIN_ACU
+              value: <replace-me>
+            - name: RDS_MAX_ACU
+              value: <replace-me>
+            - name: FARGATE_TASKS
+              value: <replace-me>
+            - name: FARGATE_CPU
+              value: <replace-me>
+            - name: FARGATE_MEM
+              value: <replace-me>
+            - name: TEST_ID
+              value: <replace-me>
+      restartPolicy: Never
+  backoffLimit: 1

k6/load-test.js

@@ -0,0 +1,144 @@
+import http from 'k6/http';
+import { sleep } from 'k6';
+import { URL } from 'https://jslib.k6.io/url/1.0.0/index.js';
+import { expect } from 'https://jslib.k6.io/k6chaijs/4.3.4.3/index.js';
+
+const CLIENT_ID = __ENV.CLIENT_ID;
+const CLIENT_SECRET = __ENV.CLIENT_SECRET;
+const REDIRECT_URI = __ENV.REDIRECT_URI;
+const OTP_BASE_URL = __ENV.OTP_BASE_URL;
+
+const SCENARIO = __ENV.SCENARIO || 'smoke';
+
+const scenarios = {
+  smoke: {
+    executor: 'constant-vus',
+    vus: 1,
+    duration: '10s',
+    tags: { test_type: 'smoke' },
+  },
+  load: {
+    executor: 'ramping-arrival-rate',
+    startRate: 1,
+    timeUnit: '1s',
+    preAllocatedVUs: 100,
+    stages: [
+      { target: 5, duration: '10s' },
+      { target: 10, duration: '10s' },
+      { target: 15, duration: '10s' },
+      { target: 15, duration: '30s' },
+    ],
+    tags: { test_type: 'load' },
+  },
+};
+
+export let options = {
+  thresholds: {
+    // Fail if any request takes longer than 5s
+    http_req_duration: [{ threshold: 'max<5000', abortOnFail: true }],
+    http_req_failed: [{ threshold: 'rate<0.001', abortOnFail: true }], // fail if more than 0.1% fail
+  },
+  tags: {
+    testid: __ENV.TEST_ID,
+    rds_min_acu: __ENV.RDS_MIN_ACU,
+    rds_max_acu: __ENV.RDS_MAX_ACU,
+    fargate_tasks: __ENV.FARGATE_TASKS,
+    fargate_cpu: __ENV.FARGATE_CPU,
+    fargate_mem: __ENV.FARGATE_MEM,
+  },
+  scenarios: {},
+};
+
+options.scenarios[SCENARIO] = scenarios[SCENARIO];
+
+export default function () {
+  console.log(`starting with vu ${__VU}`);
+  const authParams = {
+    client_id: CLIENT_ID,
+    redirect_uri: REDIRECT_URI,
+    response_type: 'code',
+    scope: 'openid',
+  };
+
+  const jar = http.cookieJar();
+
+  const authUrl =
+    `${OTP_BASE_URL}/auth?` +
+    Object.entries(authParams)
+      .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
+      .join('&');
+
+  let res = http.get(authUrl, { redirects: 0, jar });
+  let cookies = res.cookies;
+
+  const loginPath = `${OTP_BASE_URL}${cookies._interaction[0].path}/otp`;
+
+  // Generating randId to avoid email dupes
+  const randID = Math.floor(Math.random() * 100000000000);
+
+  res = http.post(
+    loginPath,
+    {
+      email: `test${randID}@mail.com`,
+    },
+    {
+      jar,
+      redirects: 0,
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+    },
+  );
+
+  const authnPath = `${OTP_BASE_URL}${cookies._interaction[0].path}/login`;
+
+  res = http.post(
+    authnPath,
+    {
+      code1: '1',
+      code2: '1',
+      code3: '1',
+      code4: '1',
+      code5: '1',
+      code6: '1',
+    },
+    {
+      jar,
+      redirects: 0,
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+    },
+  );
+
+  // Adjust to https in case location header is http
+  const redirectUri = res.headers.Location.replace('http://', 'https://');
+
+  const newRes = http.get(redirectUri, {
+    redirects: 0,
+    jar,
+  });
+
+  const url = new URL(newRes.headers.Location);
+  const authCode = url.searchParams.get('code');
+
+  const tokenUrl = `${OTP_BASE_URL}/token`;
+  const payload = {
+    grant_type: 'authorization_code',
+    code: authCode,
+    redirect_uri: REDIRECT_URI,
+    client_id: CLIENT_ID,
+    client_secret: CLIENT_SECRET,
+  };
+
+  const tokenRes = http.post(tokenUrl, payload, {
+    redirects: 0,
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+  });
+
+  expect(tokenRes.status).to.equal(200);
+  expect(JSON.parse(tokenRes.body).access_token).to.be.a('string');
+  sleep(1);
+}

package.json

@@ -45,7 +45,7 @@
     "@types/jest": "^29.5.14",
     "@types/lodash.isempty": "^4.4.9",
     "@types/morgan": "^1.9.9",
-    "@types/node": "^24.0.13",
+    "@types/node": "^25.0.2",
     "@types/nodemailer": "^6.4.17",
     "@types/oidc-provider": "^8.8.1",
     "@types/pg": "^8.15.2",